Installing a QRadar data gateway in IBM Cloud VPC

You connect to IBM® QRadar® on Cloud through a data gateway. You can install the data gateway in IBM Cloud VPC.

Before you begin

Ensure that your appliance meets the data gateway system requirements. See System requirements for data gateways.

Schedule a maintenance window for this task and ensure that users do not deploy changes while the data gateway is being added to your deployment.

Ensure that you have the full host name of the Console that you connect to through your gateway appliance.

About this task

For any issues with QRadar software, engage IBM Support. If you experience any problems with IBM Cloud® VPC infrastructure, refer to IBM Cloud VPC documentation (https://cloud.ibm.com/docs). If IBM Support determines that your issue is caused by the IBM Cloud VPC infrastructure, you must contact IBM Cloud for support to resolve the underlying issue.

You must use static private and public IP addresses.

Data gateways must be installed one at a time. If you are installing more than one data gateway, wait until you complete installation of one before you install the next one.

Procedure

  1. Download the .qcow2 image file.
    1. Go to the CLOUD MARKET PLACE section of Fix Central (https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux®&function=all).
    2. Click 7.4.3-CMP-IBMCloudVPC-MH-QRADAR-20220329114452.
    3. Download the .qcow2 and .sig files.
      The .qcow2 file download can take several hours.
    4. Use the .sig file to verify the integrity of the .qcow2 file.
  2. Upload the .qcow2 image file.
    1. Go to IBM Cloud (https://cloud.ibm.com/) and create a new storage bucket.
      You need the location that is used by your storage bucket in step 3.
    2. Upload the .qcow2 file.
      The upload can take up to an hour. Do not rename the .qcow2 file. Renaming the file causes the import to fail.
  3. Import the .qcow2 file.
    1. In IBM Cloud, click Navigation Menu > VPC Infrastructure > Custom images.
    2. Click Create.
    3. Enter a name for the image and select a Resource group for the image to belong to.
    4. Set the Source to Cloud Object Storage.
    5. Select the Cloud Object Storage service instance, the location that is used by your storage bucket, your storage bucket, and the .qcow2 file that you uploaded.
      Note: If you want to import your image into multiple regions, you will have to repeat step 2 and create a new storage bucket in each desired region.
    6. Set the Operating system to Red Hat Enterprise Linux, and set the Version to red-7-amd64-byol.
    7. Click Create custom image.
      The import can take up to 10 minutes.
  4. After the image status is Available, create the instance.
    1. Click Navigation Menu > VPC Infrastructure > Virtual Server Instances.
    2. Click Create +.
    3. Set the Architecture to Intel.
    4. Set the Hosting type to Public.
    5. Set the location to the same region that you imported your image to in step 3.
    6. Give your instance a name that does not exceed 57 characters.
      The name can contain only alphanumeric characters and the - symbol.
    7. Select a Resource group for the instance.
    8. If you would like an easier way to identify your instance, enter a tag for your instance.
    9. Set the Operating system to Custom image.
      The Select custom image window appears.
    10. Choose the image that you imported in step 3, then click Select.
    11. Click View all profiles.
      The Select an instance profile window appears.
    12. Select a profile that meets the data gateway system requirements. See System requirements for data gateways, then click Save.
      Important: Instances that use Instance storage are not supported.
    13. Select or create an SSH key pair.
      You need an SSH key pair to access the instance by using SSH.
    14. In the Data volumes section, click Create +.
    15. Enter a Name for the second disk.
    16. Estimate your storage needs and enter a size for the second disk in GB.
      The minimum size is 250 GB. The added disk must be the second disk. It cannot be the third or greater disk.

      When the installation is complete, this disk contains the /store and /transient partitions.

      Warning: You cannot increase storage after installation.
    17. Select a profile, set the IOPS, and click Create.
    18. Select a Virtual private cloud.
    19. In the Network interfaces section, click the Edit icon next to eth0.
    20. Leave the interface set to eth0 and select a Subnet.
    21. Set Reserving method to Let me specify and select a reserved private IP address from your subnet.
      This IP address will be the private IP address associated with your instance.
    22. Select a security group that allows ports 22 and 443 only from trusted IP addresses, then click Save.
      In a QRadar deployment with multiple appliances, many ports must be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see QRadar port usage. Restrict ports that are not needed by using a firewall or other technology that allows you to restrict ports.
    23. Click Create Virtual Server.
  5. When the instance status says Running, assign a floating IP address to your instance.
    1. Click on the instance that you created.
    2. In the Network interfaces section, click the Edit icon next to eth0.
    3. Select an IP address or Reserve a new floating IP from the Floating IP address dropdown, then click Save.
  6. Install the data gateway and set the root password.
    1. When the floating IP address is assigned, log in by typing the following command:
      ssh -i <private_key> cloud-user@<public_IP_address>
    2. Type the following command:
      sudo /root/setup_mh 7000
    3. The system prompts you to set the root password. Set a strong password that meets the following criteria.
      • Contains at least 5 characters
      • Contains no spaces
      • Includes one or more of the following special characters: @, #, ^, and *.
  7. Upgrade the data gateway to the same version of QRadar as your Console.
    1. Log in to the Console.
    2. To find the version of QRadar that the Console is at, click the navigation menu, and then click About.
    3. Download the SFS file for the version of QRadar that the Console is at from Fix Central (https://www.ibm.com/support/fixcentral).
    4. Copy the software update SFS file to your data gateway.
    5. If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
    6. On your data gateway, move the SFS file to the /storetmp directory by typing the following command:
      sudo mv <version_number>_QRadar_patchupdate-<full_version_number>.sfs /storetmp
    7. Open the superuser shell by typing the following command:
      sudo su -
    8. Create the /media/updates directory by typing the following command:
      mkdir /media/updates
    9. Mount the SFS file by typing the following command:
      mount -o loop -t squashfs /storetmp/<version_number>_QRadar_patchupdate-<full_version_number>.sfs /media/updates
    10. Run the software update installer by typing the following command:
      /media/updates/installer
  8. Use the QRadar on Cloud Self Serve app to generate a token for your data gateway and allowlist the data gateway's IP address. For more information, see Access management to the console.
  9. After you receive your token:
    1. If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
    2. Because the appliance restarted after the previous step, open the superuser shell again by typing the following command:
      sudo su -
    3. To mitigate a known issue with an intermittent connection, type the following command on the newly added data gateway:
      mkdir /etc/systemd/system/tunnel-monitor.service.d/; printf "[Service]\nExecStart=\nExecStart=/bin/true\n" > /etc/systemd/system/tunnel-monitor.service.d/override.conf; chmod 644 /etc/systemd/system/tunnel-monitor.service.d/override.conf; systemctl daemon-reload
    4. To finish the initial data gateway setup, type the following command:
      /opt/qradar/bin/setup_qradar_host.py mh_setup interactive -p
  10. Exit the superuser shell by typing the following command:
    exit
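The security group chosen in step 4.22 should admit only TCP 22 and 443, and only from trusted addresses. The following audit is an added example, not part of the IBM procedure: it walks a list of security group rules and flags any inbound rule that opens another port, a port range, or a source outside an explicitly trusted list. The trusted CIDR and the sample rules are constructed; the rule dictionaries follow the shape of VPC security group rule objects (direction, protocol, port_min, port_max, remote), which is an assumption to confirm against the JSON you export for your own security group.

```python
import ipaddress

ALLOWED_PORTS = {22, 443}          # the page: inbound 22 and 443 only
# Trusted source ranges: constructed placeholder; replace with your admin and Console ranges.
TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

def audit_rule(rule, trusted=TRUSTED_CIDRS):
    """Return findings for one rule (empty list = acceptable)."""
    findings = []
    if rule.get("direction") != "inbound":
        return findings                         # the page restricts inbound access only
    proto = rule.get("protocol")
    if proto == "all":
        findings.append("protocol 'all' permits every port")
    elif proto != "tcp":
        findings.append(f"protocol {proto!r} is not tcp")
    else:
        lo, hi = rule.get("port_min", 1), rule.get("port_max", 65535)
        if lo != hi or lo not in ALLOWED_PORTS:
            findings.append(f"ports {lo}-{hi} include ports other than 22/443")
    remote = rule.get("remote", {})
    if "cidr_block" in remote or "address" in remote:
        net = ipaddress.ip_network(remote.get("cidr_block", remote.get("address")), strict=False)
        if net.prefixlen == 0:
            findings.append(f"remote {net} is any address")
        elif not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            findings.append(f"remote {net} is not in the trusted list")
    else:
        findings.append("remote is a security group; review its members separately")
    return findings

def audit_security_group(rules, trusted=TRUSTED_CIDRS):
    """Map the id of each non-compliant rule to its findings."""
    return {r["id"]: f for r in rules if (f := audit_rule(r, trusted))}

# Constructed sample rules in the shape of VPC security group rule objects (not real output).
SAMPLE_RULES = [
    {"id": "r1", "direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
     "remote": {"cidr_block": "203.0.113.0/24"}},
    {"id": "r2", "direction": "inbound", "protocol": "tcp", "port_min": 443, "port_max": 443,
     "remote": {"cidr_block": "203.0.113.0/24"}},
    {"id": "r3", "direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
     "remote": {"cidr_block": "0.0.0.0/0"}},          # SSH reachable from anywhere
    {"id": "r4", "direction": "inbound", "protocol": "tcp", "port_min": 1, "port_max": 65535,
     "remote": {"cidr_block": "203.0.113.0/24"}},     # trusted source, but every port
    {"id": "r5", "direction": "outbound", "protocol": "all", "remote": {"cidr_block": "0.0.0.0/0"}},
]
```

Running `audit_security_group(SAMPLE_RULES)` reports r3 and r4 only; rerun it after every security group change and before widening rules for additional managed hosts per QRadar port usage.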

What to do next

Editing a target processor for your data gateway