Installing a QRadar data gateway in Oracle Cloud

You connect to IBM® QRadar® on Cloud through a data gateway. You can install the data gateway in Oracle Cloud.

Before you begin

Ensure that your appliance meets the data gateway system requirements. See System requirements for data gateways.

Schedule a maintenance window for this task and ensure that users do not deploy changes while the data gateway is being added to your deployment.

Ensure that you have the full host name of the Console that you connect to through your gateway appliance.

About this task

For any issues with QRadar software, engage IBM Support. If you experience any problems with Oracle Cloud infrastructure, refer to Oracle Cloud documentation. If IBM Support determines that your issue is caused by the Oracle Cloud infrastructure, you must contact Oracle Cloud for support to resolve the underlying issue with the Oracle Cloud infrastructure.

You must use static private and public IP addresses.

You cannot have more than two DNS entries. QRadar installation fails if you have more than two DNS entries in the /etc/resolv.conf file.

Data gateways must be installed one at a time. If you are installing more than one data gateway, wait until you complete installation of one before you install the next one.

Procedure

  1. Download the image file.
    1. Go to the CLOUD MARKET PLACE section of Fix Central (https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux®&function=all).
    2. Click 7.4.1-CMP-OracleCloud-MANAGEDHOST-QRADAR-20220811114721.
    3. Download the image and .sig files.
      The image file download can take several hours.
    4. Use the .sig file to verify the integrity of the image file.
  2. Upload the image file.
    1. Go to Oracle Cloud (https://www.oracle.com/ca-en/cloud/) and create a new storage bucket.
    2. Upload the file.
      The upload can take up to an hour. Do not rename the image file. Renaming the file causes the import to fail.
  3. Import the image.
    1. In Oracle Cloud, click Navigation Menu > Compute > Custom images.
    2. Select a Compartment.
    3. Click Import Image.
    4. Enter a name for the image.
    5. Select Linux as the Operating system.
    6. Select Import from an Object Storage Bucket.
    7. Select the bucket that the image file was uploaded to in step 2.
    8. Select the image file that was uploaded in step 2.
    9. Select OCI for the image type.
    10. Click Import Image.
  4. When the image is created, click Create Instance.
  5. Give your instance a name that is no longer than 58 characters. The name can contain only alphanumeric characters and the - symbol.
  6. Select a compartment for the instance.
  7. Select an availability domain for the instance.
  8. Select a shape that meets the minimum system requirements.
    1. Click Change Shape.
    2. Click Virtual machine as the Instance type.
    3. Select any shape from the AMD, Intel, or Specialty and previous generation shape series that meets the system requirements for virtual appliances.
      Important: Instances that contain extra storage drives are not supported.

      For more information, see QRadar on Cloud onboarding.

  9. Configure networking for the instance.
    1. Select a virtual cloud network compartment.
    2. Select a virtual cloud network.
    3. Select a subnet.
    4. Select Assign a public IPv4 address.
    5. Under Show Advanced Options check Use network security groups to control traffic.
    6. Select a security group that allows port 22, and port 443 for a QRadar Console, to create an allowlist of trusted IP addresses that can access your QRadar deployment. In a QRadar deployment with multiple appliances, other ports might also be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see Common ports and servers used by QRadar.
  10. Add or generate an SSH key pair.

    You need an SSH key pair to access the instance by using SSH. For more information, see connecting to your instance.

  11. Click Create.
  12. Add a second disk to your instance for storage.
    1. Go to Navigation Menu > Storage > Block Volumes and click Create Block Volume.
    2. Name the volume and enter a size in GB.
      The minimum size is 250 GiB. The added disk must be the second disk. It cannot be the third or greater disk. When the installation is complete, this disk contains the /store and /transient partitions.
      Warning: It is not possible to increase storage after installation.
    3. Select the same compartment that your instance was created in.
    4. Click Create Block Volume.
    5. Go to Navigation Menu > Compute > Instances and select your instance.
    6. Click Attached Block Volumes.
    7. Click Attach Block Volume.
    8. Select your block volume from the drop-down menu, then select Paravirtualized as the attachment type.
    9. Click Attach.
  13. When the instance is ready, log in using the private key from your key pair.
    ssh -i <private_key_file> cloud-user@<public_IP_address>
  14. Type the following command:
    sudo /root/setup_mh 7000
  15. When prompted to set the root password, set a strong password that meets the following criteria:
    • Contains at least 5 characters.
    • Contains no spaces.
    • Includes one or more of the following special characters: @, #, ^, and *.

    You cannot change this password until after the installation process is complete. The root password is also the gateway host password.

  16. Upgrade the data gateway to the same version of QRadar as your Console.
    1. Log in to the Console.
    2. Go to Navigation Menu > About to find the version of QRadar that the Console is at.
    3. Download the SFS file for the version of QRadar that the Console is at from Fix Central (https://www.ibm.com/support/fixcentral).
    4. Copy the software update SFS file to your data gateway.
    5. If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
    6. On your data gateway, move the SFS file to the /storetmp directory by typing the following command:
      sudo mv <version_number>_QRadar_patchupdate-<full_version_number>.sfs /storetmp
    7. Open the superuser shell by typing the following command:
      sudo su -
    8. Create the /media/updates directory by typing the following command:
      mkdir /media/updates
    9. Mount the SFS file by typing the following command:
      mount -o loop -t squashfs /storetmp/<version_number>_QRadar_patchupdate-<full_version_number>.sfs /media/updates
    10. Run the software update installer by typing the following command:
      /media/updates/installer
  17. Use the IBM QRadar on Cloud Self Serve app to generate a token for your data gateway and add the data gateway's IP address to the allowlist. For more information, see access management to the console.
  18. After you receive your token:
    1. If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
    2. Because the appliance restarted after the previous step, open the superuser shell again by typing the following command:
      sudo su -
    3. To mitigate a known issue with an intermittent connection, type the following command on the newly added data gateway:
      mkdir /etc/systemd/system/tunnel-monitor.service.d/; printf "[Service]\nExecStart=\nExecStart=/bin/true\n" > /etc/systemd/system/tunnel-monitor.service.d/override.conf; chmod 644 /etc/systemd/system/tunnel-monitor.service.d/override.conf; systemctl daemon-reload
    4. To finish the initial data gateway setup, type the following command:
      /opt/qradar/bin/setup_qradar_host.py mh_setup interactive -p
  19. Exit the superuser shell by typing the following command:
    exit
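
The constraints this procedure states (the DNS limit under About this task, the instance name in step 5, the second disk in step 12 and the root password in step 15) can be checked before you run setup_mh. The following script is an added example and is not part of the IBM procedure; listing the gateway's disks with lsblk is an assumption about the tooling available on the appliance.

```shell
#!/bin/sh
# Pre-flight checks for the constraints this procedure states (added example,
# not part of IBM's procedure). Run on the workstation before creating the
# instance and on the gateway before step 14. lsblk usage is an assumption.

# Step 5: 1 to 58 characters, only alphanumerics and '-'.
check_instance_name() {
    name=$1
    [ ${#name} -ge 1 ] && [ ${#name} -le 58 ] || return 1
    case $name in *[!A-Za-z0-9-]*) return 1 ;; esac
    return 0
}

# Step 15: at least 5 characters, no spaces, one or more of @ # ^ *.
check_root_password() {
    pw=$1
    [ ${#pw} -ge 5 ] || return 1
    case $pw in *" "*) return 1 ;; esac
    case $pw in *[@#^*]*) return 0 ;; esac
    return 1
}

# About this task: more than two nameserver entries makes the install fail.
check_resolv_conf() {
    file=${1:-/etc/resolv.conf}
    [ -r "$file" ] || return 1
    count=$(grep -c '^[[:space:]]*nameserver[[:space:]]' "$file" || true)
    [ "$count" -le 2 ]
}

# Step 12: the /store disk must be the second disk and at least 250 GiB.
# Reads "NAME SIZE_IN_BYTES" lines, as printed by `lsblk -b -d -n -o NAME,SIZE`.
check_store_disk() {
    min=$((250 * 1024 * 1024 * 1024)); n=0
    while read -r name size; do
        [ -n "$name" ] || continue
        n=$((n + 1))
        [ "$n" -eq 2 ] && { [ "$size" -ge "$min" ]; return $?; }
    done
    return 1
}

# Example run on the gateway:  sh preflight.sh my-gateway 'S3cret@pw'
if [ "$#" -eq 2 ]; then
    check_instance_name "$1" && echo "instance name: ok" || echo "instance name: FAIL"
    check_root_password "$2" && echo "root password: ok" || echo "root password: FAIL"
    check_resolv_conf && echo "resolv.conf: ok" || echo "resolv.conf: FAIL"
    lsblk -b -d -n -o NAME,SIZE | check_store_disk && echo "store disk: ok" || echo "store disk: FAIL"
fi
```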

What to do next

If you removed any DNS entries in /etc/resolv.conf, restore them.