You connect to IBM® QRadar® on Cloud through a data gateway. You can install the data gateway in Oracle Cloud.
Before you begin
Ensure that your appliance meets the data gateway system requirements. See System requirements for data gateways.
Schedule a maintenance window for this task and ensure that users do not deploy changes while the data gateway is being added to your deployment.
Ensure that you have the full host name of the Console that you connect to through your gateway appliance.
About this task
For any issues with QRadar software, engage IBM Support. If you experience any problems with Oracle Cloud infrastructure, refer to Oracle Cloud documentation. If IBM Support determines that your issue is caused by the Oracle Cloud infrastructure, you must contact Oracle Cloud for support to resolve the underlying issue with the Oracle Cloud infrastructure.
You must use static private and public IP addresses.
You cannot have more than two DNS entries. QRadar installation fails if you have more than two DNS entries in the /etc/resolv.conf file.
Data gateways must be installed one at a time. If you are installing more than one data gateway, wait until you complete installation of one before you install the next one.
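A pre-flight check for the two-entry DNS limit, run on the gateway before installation. This is an added example, not IBM's code: the function names and the `.pre-qradar` backup suffix are hypothetical, and keeping the first two `nameserver` lines is an assumption you should adjust to your environment.

```shell
#!/bin/sh
# Added example (not IBM's code): check and temporarily trim DNS entries.

# Print the number of active "nameserver" lines in a resolv.conf-style file.
# Commented-out entries such as "#nameserver ..." are not counted.
count_nameservers() {
    awk '$1 == "nameserver" { n++ } END { print n + 0 }' "$1"
}

# Return 0 when the file is within the limit stated on this page (two entries).
dns_within_limit() {
    [ "$(count_nameservers "$1")" -le 2 ]
}

# Save a copy, then keep only the first two nameserver lines.
# Assumption: the first two entries are the ones to keep.
trim_nameservers() {
    file=$1
    backup="$file.pre-qradar"            # hypothetical backup name
    [ -e "$backup" ] || cp -p "$file" "$backup" || return 1
    awk '$1 == "nameserver" { if (++n > 2) next } { print }' "$file" > "$file.tmp" &&
        cat "$file.tmp" > "$file" && rm -f "$file.tmp"   # cat keeps a symlinked file in place
}

# Put the saved copy back once installation is complete.
restore_nameservers() {
    [ -e "$1.pre-qradar" ] && cat "$1.pre-qradar" > "$1" && rm -f "$1.pre-qradar"
}

# Demo on a constructed file, never the live /etc/resolv.conf.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' 'search example.internal' \
        'nameserver 192.0.2.10' 'nameserver 192.0.2.11' 'nameserver 192.0.2.12' > "$f"
    dns_within_limit "$f" || echo "too many DNS entries: $(count_nameservers "$f")"
    trim_nameservers "$f" && echo "after trim: $(count_nameservers "$f")"
    restore_nameservers "$f" && echo "after restore: $(count_nameservers "$f")"
    rm -f "$f"
}
demo
```

On the gateway, the same functions take /etc/resolv.conf as their argument and need root privileges; a DHCP client or network manager may rewrite that file, so re-run the check immediately before installing.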
Procedure
- Download the image file.
- Go to the CLOUD MARKET PLACE section of Fix Central (https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=all).
- Click 7.4.1-CMP-OracleCloud-MANAGEDHOST-QRADAR-20220811114721.
- Download the image and .sig files. The image file download can take several hours.
- Use the .sig file to verify the integrity of the image file.
- Upload the image file.
- Go to Oracle Cloud (https://www.oracle.com/ca-en/cloud/) and create a new storage bucket.
- Upload the file. The upload can take up to an hour. Do not rename the image file. Renaming the file causes the import to fail.
- Import the image.
- In Oracle Cloud, click .
- Select a Compartment.
- Click Import Image.
- Enter a name for the image.
- Select Linux as the Operating system.
- Select Import from an Object Storage Bucket.
- Select the bucket that the image file was uploaded to in step 2.
- Select the image file that was uploaded in step 2.
- Select OCI for the image type.
- Click Import Image.
- When the image is created, click Create Instance.
- Give your instance a name that is no longer than 58 characters. The name can contain only alphanumeric characters and the - symbol.
- Select a compartment for the instance.
- Select an availability domain for the instance.
- Select a shape that meets the minimum system requirements.
- Click Change Shape.
- Click Virtual machine as the Instance type.
- Select any shape from the AMD, Intel, or Specialty and previous generation shape series that meets the system requirements for virtual appliances.
- Configure networking for the instance.
- Select a virtual cloud network compartment.
- Select a virtual cloud network.
- Select a subnet.
- Select Assign a public IPv4 address.
- Under Show Advanced Options, check Use network security groups to control traffic.
- Select a security group that allows port 22, and port 443 for a QRadar Console, to create an allowlist of trusted IP addresses that can access your QRadar deployment. In a QRadar deployment with multiple appliances, other ports might also be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see Common ports and servers used by QRadar.
- Add or generate an SSH key pair.
- Click Create.
- Add a second disk to your instance for storage.
- Go to and click Create Block Volume.
- Name the volume and enter a size in GB. The minimum size is 250 GiB. The added disk must be the second disk. It cannot be the third or greater disk. When the installation is complete, this disk contains the /store and /transient partitions.
Warning: It is not possible to increase storage after installation.
- Select the same compartment that your instance was created in.
- Click Create Block Volume.
- Go to and select your instance.
- Click Attached Block Volumes.
- Click Attach Block Volume.
- Select your block volume from the drop-down menu, then select Paravirtualized as the attachment type.
- Click Attach.
- When the instance is ready, log in using the private key from your key pair.
ssh -i <private_key_file> cloud-user@<public_IP_address>
- Type the following command:
- When prompted to set the root password, set a strong password that meets the following criteria:
- Contains at least 5 characters.
- Contains no spaces.
- Includes one or more of the following special characters: @, #, ^, and *.
You cannot change this password until after the installation process is complete. The root password is also the gateway host password.
- Upgrade the data gateway to the same version of QRadar as your Console.
- Log in to the Console.
- Go to to find the version of QRadar that the Console is at.
- Download the SFS file for the version of QRadar that the Console is at from Fix Central (https://www.ibm.com/support/fixcentral).
- Copy the software update SFS file to your data gateway.
- If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
- On your data gateway, move the SFS file to the /storetmp directory by typing the following command:
sudo mv <version_number>_QRadar_patchupdate-<full_version_number>.sfs /storetmp
- Open the superuser shell by typing the following command:
- Create the /media/updates directory by typing the following command:
- Mount the SFS file by typing the following command:
mount -o loop -t squashfs /storetmp/<version_number>_QRadar_patchupdate-<full_version_number>.sfs /media/updates
- Run the software update installer by typing the following command:
- Use the IBM QRadar on Cloud Self Serve app to generate a token for your data gateway and add the data gateway's IP address to the allowlist. For more information, see access management to the console.
- After you receive your token:
- If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
- Because the appliance restarted after the previous step, open the superuser shell again by typing the following command:
- To mitigate a known issue with an intermittent connection, type the following command on the newly added data gateway:
mkdir /etc/systemd/system/tunnel-monitor.service.d/; printf "[Service]\nExecStart=\nExecStart=/bin/true\n" > /etc/systemd/system/tunnel-monitor.service.d/override.conf; chmod 644 /etc/systemd/system/tunnel-monitor.service.d/override.conf; systemctl daemon-reload
- To finish the initial data gateway setup, type the following command:
/opt/qradar/bin/setup_qradar_host.py mh_setup interactive -p
- Exit the superuser shell by typing the following command:
What to do next
If you removed any DNS entries in /etc/resolv.conf, restore them.
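
For the download step, where the .sig file is used to verify the image before it is uploaded, the following added example (not IBM's code) shows a check that fails closed. It assumes that the .sig file is a detached SHA-256 signature and that you have the signer's public key as a PEM file from a trusted IBM source; confirm both against IBM's instructions, and note that `verify_image` is a hypothetical name.

```shell
#!/bin/sh
# Added example (not IBM's code): fail-closed check of a detached signature.
# Assumptions: detached SHA-256 signature; signer's public key in PEM format.

# verify_image <public_key.pem> <image.sig> <image>
# Returns 0 only when openssl confirms the signature over the image,
# 2 when an input is missing or empty, and non-zero on any other failure.
verify_image() {
    key=$1 sig=$2 image=$3
    for f in "$key" "$sig" "$image"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    openssl dgst -sha256 -verify "$key" -signature "$sig" "$image" >/dev/null 2>&1
}

# Demo with a constructed key pair and a constructed stand-in for the image.
demo() {
    d=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/priv.pem" 2>/dev/null
    openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem"
    printf 'constructed image bytes\n' > "$d/image.bin"
    openssl dgst -sha256 -sign "$d/priv.pem" -out "$d/image.bin.sig" "$d/image.bin"

    verify_image "$d/pub.pem" "$d/image.bin.sig" "$d/image.bin" &&
        echo "intact image: signature OK"
    printf 'x' >> "$d/image.bin"         # simulate corruption or tampering
    verify_image "$d/pub.pem" "$d/image.bin.sig" "$d/image.bin" ||
        echo "modified image: rejected, do not upload"
    rm -rf "$d"
}
demo
```

Run the check on the machine that uploads to the storage bucket, and upload only when it returns 0.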