Installing a QRadar data gateway on Microsoft Azure

You connect to IBM® QRadar® on Cloud through a data gateway. You can install the data gateway in Microsoft Azure.

Before you begin

Ensure that your appliance meets the data gateway system requirements. See System requirements for data gateways.

Schedule a maintenance window for this task and ensure that users do not deploy changes while the data gateway is being added to your deployment.

Ensure that you have the full host name of the Console that you connect to through your gateway appliance.

About this task

For any issues with QRadar software, engage IBM Support. If you experience any problems with Microsoft Azure infrastructure, refer to Microsoft Azure Support documentation. If IBM Support determines that your issue is caused by the Microsoft Azure infrastructure, you must contact Microsoft for support to resolve the underlying issue with the Microsoft Azure infrastructure.

You must use static private and public IP addresses.

Data gateways must be installed one at a time. If you are installing more than one data gateway, wait until you complete installation of one before you install the next one.

Procedure

  1. Go to the Microsoft Azure Marketplace (https://azuremarketplace.microsoft.com/en-us/marketplace/apps/ibm.qradar750?tab=Overview).
    The Plans + Pricing tab can be used to estimate pricing for certain VM sizes, but you don't choose your VM size on this screen.
  2. Click Get It Now.
  3. Select QRadar SIEM 7.5.0 from the Software plan menu list and click Continue.
  4. Click Create to create an instance for the data gateway.
  5. Configure VM settings.
    1. Select an existing Resource Group or create a new one.
    2. Enter a virtual machine name.
      Note: The VM name must be 10 characters or fewer.
    3. Select a Region.
    4. Click See all sizes and select an x64-based size from the following list that meets the minimum system requirements (D-Series v4, B-Series, DC-Series, E-Series v4, F-Series v2, H-Series, D-Series v3, E-Series v3, D-Series v2).
      For more information, see QRadar on Cloud onboarding.
    5. Enter a username for the administrator account.
    6. Choose an SSH public key or Password.

      For more information about creating and using an SSH public-private key pair for Linux® VMs in Microsoft Azure, see Microsoft documentation.

  6. Click Next: Disks >
    1. Under the Data disks section, click Create and attach a new disk.
    2. Enter a name for your data disk.
    3. Leave the Source type as None (empty disk).
    4. Click Change Size.
    5. Select a Disk SKU.
    6. Estimate your storage needs and then enter a size in GiB. Click OK after the size is entered.
      The minimum size is 250 GiB. The added disk must be the second disk. It cannot be the third or greater disk. When the installation is complete, the disk contains the /store and /transient partitions.
      Warning: It is not possible to increase storage after installation.
    7. Click OK to add the data disk.
  7. Click Next: Networking >
    1. Create or select an existing Virtual Network.
    2. Create or select a Subnet for your Virtual Network.
    3. Under NIC network security group, select Advanced.
    4. Create or select a network security group that allows ports 22 and 443 for a QRadar Console, restricted to an allowlist of trusted IP addresses that can access your QRadar deployment.
      In a QRadar deployment with multiple appliances, other ports might also be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see Common ports and servers used by QRadar.
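Step 7 leaves the actual security group rules to the reader. The script below is an added example, not IBM's code and not part of the QRadar documentation: it creates the two inbound allow rules for TCP 22 and 443 with the Azure CLI, limited to a caller-supplied allowlist, and refuses any source prefix that would open the gateway to the whole Internet. The resource group and NSG names, the rule names, and the priorities 100 and 110 are assumptions; the sample prefixes are constructed. Unless AZ_APPLY=1 is set, it only prints the az commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not part of the IBM page): inbound NSG allowlist for a QRadar
# data gateway VM using the Azure CLI. Rule names, priorities, and the sample
# prefixes are our own assumptions. Azure's built-in DenyAllInBound rule
# (priority 65500) drops whatever these rules do not explicitly allow.

# is_trusted_prefix PREFIX
# Accepts only IPv4/IPv6 addresses or CIDR ranges and rejects anything that
# would expose the port to everyone ('*', service tags such as Internet, /0).
# The character check also keeps shell metacharacters out of the az command.
is_trusted_prefix() {
    case "$1" in
        '') return 1 ;;
        *[!0-9a-fA-F.:/]*) return 1 ;;   # '*', 'Internet', or junk
        */0) return 1 ;;                 # 0.0.0.0/0, ::/0 and the like
    esac
    return 0
}

# nsg_allow_rule RG NSG RULE_NAME PRIORITY PORT "PREFIX [PREFIX...]"
# Creates one inbound TCP allow rule. Unless AZ_APPLY=1 it only prints the
# command so the result can be reviewed before anything changes in Azure.
nsg_allow_rule() {
    rg=$1; nsg=$2; name=$3; prio=$4; port=$5; prefixes=$6
    for p in $prefixes; do
        is_trusted_prefix "$p" || {
            echo "refusing open or malformed source prefix: $p" >&2
            return 1
        }
    done
    if [ "${AZ_APPLY:-0}" = 1 ]; then run=""; else run="echo"; fi
    # $prefixes is intentionally unquoted: az takes a space-separated list.
    $run az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" \
        --name "$name" --priority "$prio" --direction Inbound --access Allow \
        --protocol Tcp --source-address-prefixes $prefixes \
        --destination-port-ranges "$port"
}

# qradar_gateway_allowlist RG NSG "PREFIX [PREFIX...]"
# The two rules from step 7: SSH (22) and HTTPS (443), both limited to the
# trusted prefixes. Validates every prefix up front so that a bad entry does
# not leave the first rule created and the second missing.
qradar_gateway_allowlist() {
    rg=$1; nsg=$2; prefixes=$3
    for p in $prefixes; do
        is_trusted_prefix "$p" || { echo "rejected prefix: $p" >&2; return 1; }
    done
    nsg_allow_rule "$rg" "$nsg" allow-ssh-trusted 100 22 "$prefixes" &&
    nsg_allow_rule "$rg" "$nsg" allow-https-trusted 110 443 "$prefixes"
}

# Demonstration with placeholder names and constructed prefixes (dry run).
qradar_gateway_allowlist example-rg qradar-gateway-nsg "203.0.113.0/24 198.51.100.7"
```

The prefix check is deliberately strict: it accepts only address and CIDR syntax, so Azure service tags such as Internet or VirtualNetwork are rejected even though az would accept them, because on a gateway that must only be reachable from trusted addresses a tag is almost always broader than intended. Review the printed commands, then rerun with AZ_APPLY=1 and a logged-in az session to create the rules.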
  8. Click Review + Create.
  9. Click Create to deploy the instance. This might take a few minutes.
  10. When your VM is deployed in Azure, click Go to resource.
  11. When the VM is ready, log in using either your key pair or password by typing one of the following commands.
    • To log in using SSH and your key pair, type the following command:
      ssh -i <key.pem> user@<public_IP_address>
    • To log in using SSH and your password, type the following command:
      ssh user@<public_IP_address>
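Step 6 requires the data disk to be the second disk and at least 250 GiB, and the warning there notes that storage cannot be grown after installation, so it is worth checking the layout the installer will see before running it in the next step. The script below is an added example, not IBM's code: it reads the output of lsblk (byte sizes, no header), takes the second device of type disk in lsblk order, and confirms the size. The sample lsblk lines are constructed, not captured from a real VM.

```shell
#!/bin/sh
# Added example (not part of the IBM page): confirm the data disk layout that
# step 6 requires before running /root/setup. Reads "NAME SIZE TYPE" lines as
# printed by `lsblk -b -d -n -o NAME,SIZE,TYPE` (sizes in bytes, no header),
# takes the second device of type "disk" in that order, and checks that it is
# at least 250 GiB. Nothing here changes the system.

MIN_DATA_DISK_BYTES=268435456000   # 250 GiB = 250 * 1024^3

# check_data_disk: lsblk output on stdin; exit 0 if the second disk meets the
# minimum, 1 if there is no second disk or it is smaller than 250 GiB.
check_data_disk() {
    awk -v min="$MIN_DATA_DISK_BYTES" '
        $3 == "disk" { n++; if (n == 2) { name = $1; size = $2 } }
        END {
            if (n < 2) {
                print "no second disk attached; add the data disk before running setup"
                exit 1
            }
            if (size + 0 < min + 0) {
                printf "second disk %s is %.0f bytes, below the 250 GiB minimum\n", name, size
                exit 1
            }
            printf "second disk %s ok: %.0f bytes, will hold /store and /transient\n", name, size
            exit 0
        }'
}

# Constructed samples in lsblk -b -d -n format (not captured from a real VM).
SAMPLE_OK='sda 68719476736 disk
sdb 268435456000 disk
sr0 1073741824 rom'
SAMPLE_TOO_SMALL='sda 68719476736 disk
sdb 107374182400 disk'
SAMPLE_NO_DATA_DISK='sda 68719476736 disk
sr0 1073741824 rom'

# On the VM (after step 11, before `sudo /root/setup 7000`):
#   lsblk -b -d -n -o NAME,SIZE,TYPE | check_data_disk
# Demonstration on the constructed samples:
printf '%s\n' "$SAMPLE_OK" | check_data_disk
printf '%s\n' "$SAMPLE_TOO_SMALL" | check_data_disk || echo "(rejected, as expected)"
```

The check reports whatever device happens to be second, including a temporary resource disk if the VM size provides one; that is the situation the page's "cannot be the third or greater disk" sentence warns about, so a pass here means the installer will use the disk you intended. Sizes are compared in bytes because lsblk's human-readable column rounds, and a disk created as exactly 250 GiB must not be rejected by rounding.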
  12. Type the following command:
    sudo /root/setup 7000
    If the SSH session disconnects, type the following command to reconnect to the installer:
    sudo screen -r qradar
  13. The system prompts you to set a root password. The password must meet the following criteria:
    • Contains at least 5 characters
    • Contains no spaces
    • Includes one or more of the following special characters: @, #, ^, and *.

    You cannot change this password until after the installation process is complete. The root password is also the gateway host password.

  14. Upgrade the data gateway to the same version of QRadar as your Console.
    1. Log in to the Console.
    2. To find the version of QRadar that the Console is at, click the navigation menu and then click About.
    3. Download the SFS file for the version of QRadar that the Console is at from Fix Central (https://www.ibm.com/support/fixcentral).
    4. Copy the software update SFS file to your data gateway.
    5. If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
    6. On your data gateway, move the SFS file to the /storetmp directory by typing the following command:
      sudo mv <version_number>_QRadar_patchupdate-<full_version_number>.sfs /storetmp
    7. Open the superuser shell by typing the following command:
      sudo su -
    8. Create the /media/updates directory by typing the following command:
      mkdir /media/updates
    9. Mount the SFS file by typing the following command:
      mount -o loop -t squashfs /storetmp/<version_number>_QRadar_patchupdate-<full_version_number>.sfs /media/updates
    10. Run the software update installer by typing the following command:
      /media/updates/installer
  15. Use the QRadar on Cloud Self Serve app to generate a token for your data gateway and allowlist the data gateway's IP address. For more information, see Access management to the console.
  16. After you receive your token:
    1. If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
    2. Because the appliance restarted after the previous step, open the superuser shell again by typing the following command:
      sudo su -
    3. To mitigate a known issue with an intermittent connection, type the following command on the newly added data gateway:
      mkdir /etc/systemd/system/tunnel-monitor.service.d/; printf "[Service]\nExecStart=\nExecStart=/bin/true\n" > /etc/systemd/system/tunnel-monitor.service.d/override.conf; chmod 644 /etc/systemd/system/tunnel-monitor.service.d/override.conf; systemctl daemon-reload
    4. To finish the initial data gateway setup, type the following command:
      /opt/qradar/bin/setup_qradar_host.py mh_setup interactive -p
  17. Exit the superuser shell by typing the following command:
    exit