Configuring a Console in Oracle Cloud

Configure an IBM® QRadar® SIEM Console on an Oracle Cloud instance by using the Oracle Cloud image on Fix Central.

Before you begin

You must acquire entitlement to a QRadar Software Node before you deploy the QRadar instance. To acquire entitlement to a QRadar Software Node, contact your QRadar Sales Representative.

For any issues with QRadar software, engage IBM Support. If you experience any problems with Oracle Cloud infrastructure, refer to Oracle Cloud documentation. If IBM Support determines that your issue is caused by the Oracle Cloud infrastructure, you must contact Oracle Cloud for support to resolve the underlying issue with the Oracle Cloud infrastructure.

About this task

If you are installing a data gateway for QRadar on Cloud, see Installing a QRadar data gateway in Oracle Cloud.

You must use static IP addresses.

You cannot have more than two DNS entries. QRadar installation fails if you have more than two DNS entries in the /etc/resolv.conf file.

Do not make any configuration changes, such as adding extra DNS entries, until after QRadar installation is complete.

If you deploy a managed host and a Console in the same virtual network, use the private IP address of the managed host to add it to the Console.

If you deploy a managed host and a Console in different virtual networks, you must allow firewall rules for the communication between the Console and the managed host. For more information, see QRadar port usage.

Procedure

  1. Download the image file.
    1. Go to the CLOUD MARKET PLACE section of Fix Central (https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=all).
    2. Click 7.4.1-CMP-OracleCloud-CONSOLE-QRADAR-20220811114721.
    3. Download the image and .sig files.
      The image file download can take several hours.
    4. Use the .sig file to verify the integrity of the image file.
  2. Upload the image file.
    1. Go to Oracle Cloud (https://www.oracle.com/ca-en/cloud/) and create a new storage bucket.
    2. Upload the file.
      The upload can take up to an hour. Do not rename the image file. Renaming the file causes the import to fail.
  3. Import the image.
    1. In Oracle Cloud, click Navigation Menu > Compute > Custom images.
    2. Select a Compartment.
    3. Click Import Image.
    4. Enter a name for the image.
    5. Select Linux as the Operating system.
    6. Select Import from an Object Storage Bucket.
    7. Select the bucket that you uploaded the image file to from step 2.
    8. Select the image file that you uploaded from step 2.
    9. Select OCI for the image type.
    10. Click Import Image.
  4. When the image is created, click Create Instance.
  5. Give your instance a name that is no longer than 58 characters. The name can contain only alphanumeric characters and the - symbol.
  6. Select a compartment for the instance.
  7. Select an availability domain for the instance.
  8. Select a shape that meets the minimum system requirements.
    1. Click Change Shape.
    2. Click Virtual machine as the Instance type.
    3. Select any shape from the AMD, Intel, or Specialty and previous generation shape series that meets the system requirements for virtual appliances.
      Important: Instances that contain extra storage drives are not supported.

      For more information, see the IBM QRadar Installation Guide.

  9. Configure networking for the instance.
    1. Select a virtual cloud network compartment.
    2. Select a virtual cloud network.
    3. Select a subnet.
    4. Select Assign a public IPv4 address.
    5. Under Show Advanced Options, check Use network security groups to control traffic.
    6. Select a security group that allows port 22 (and port 443 for a QRadar Console) and that restricts access to an allowlist of trusted IP addresses that can access your QRadar deployment. In a QRadar deployment with multiple appliances, other ports might also be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see Common ports and servers that are used by QRadar.
  10. Add or generate an SSH key pair.

    You need an SSH key pair to access the instance by using SSH. For more information, see connecting to your instance.

  11. Click Create.
  12. Add a second disk to your instance for storage.
    1. Go to Navigation Menu > Storage > Block Volumes and click Create Block Volume.
    2. Name the volume and enter a size in GB.
      The minimum size is 250 GiB. The added disk must be the second disk. It cannot be the third or greater disk. When the installation is complete, this disk contains the /store and /transient partitions.
      Warning: It is not possible to increase storage after installation.
    3. Select the same compartment that your instance was created in.
    4. Click Create Block Volume.
    5. Go to Navigation Menu > Compute > Instances and select your instance.
    6. Click Attached Block Volumes.
    7. Click Attach Block Volume.
    8. Select your block volume from the drop-down menu, then select Paravirtualized as the attachment type.
    9. Click Attach.
  13. When the instance is ready, log in using the private key from your key pair.
    ssh -i <private_key_file> cloud-user@<public_IP_address>
  14. Type the following command to install the console:
    sudo /root/setup_console
  15. Enter a password for the admin account. Set a strong password that meets the following criteria:
    • Contains at least 5 characters.
    • Contains no spaces.
    • Includes one or more of the following special characters: @, #, ^, and *.
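
The DNS and storage constraints above can be checked on the instance after you log in (step 13) and before you run setup_console (step 14). The following script is an added example, not IBM tooling; its function names and sample values are assumptions. It treats any disk count other than two as a failure (this example's reading of the storage statements above) and assumes that lsblk lists the boot disk first.

```shell
#!/usr/bin/env bash
# Added example: preflight checks before running setup_console.
# Function names and sample values are assumptions, not IBM tooling.

MAX_DNS=2                                      # page: more than two DNS entries fails the install
MIN_STORE_BYTES=$((250 * 1024 * 1024 * 1024))  # page: minimum size is 250 GiB

# Count active "nameserver" lines in a resolv.conf-style file (comments are skipped).
count_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { n++ } END { print n + 0 }' "$1"
}

# Succeed only if the file has at most MAX_DNS nameserver entries.
check_dns() {
    [ "$(count_nameservers "$1")" -le "$MAX_DNS" ]
}

# Reads `lsblk -b -d -n -o NAME,SIZE,TYPE` output on stdin.
# Succeeds only with exactly two disks, the second being at least 250 GiB.
check_disks() {
    awk -v min="$MIN_STORE_BYTES" '
        $3 == "disk" { n++; size[n] = $2 + 0 }
        END {
            if (n != 2)             { print "expected 2 disks, found " (n + 0); exit 1 }
            if (size[2] < min + 0)  { print "second disk is smaller than 250 GiB"; exit 1 }
            print "ok"
        }'
}

# Offline dry run on constructed sample input (not taken from a real host).
demo() {
    tmp=$(mktemp)
    printf '# constructed\nnameserver 10.0.0.2\nnameserver 10.0.0.3\nnameserver 10.0.0.4\n' > "$tmp"
    check_dns "$tmp" && dns=pass || dns=fail
    disks=$(printf 'sda 107374182400 disk\nsdb 268435456000 disk\n' | check_disks)
    rm -f "$tmp"
    echo "dns=$dns disks=$disks"
}

# Check the live instance only when asked: ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    check_dns /etc/resolv.conf || echo "more than $MAX_DNS DNS entries in /etc/resolv.conf"
    lsblk -b -d -n -o NAME,SIZE,TYPE | check_disks
fi
```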

What to do next

If you removed any DNS entries in /etc/resolv.conf, restore them.

The QRadar instance uses Coordinated Universal Time (UTC). You can change the time zone of the instance. For more information about changing the time zone, see the IBM QRadar Administration Guide.

This image does not receive automatic software upgrades. You must manually upgrade your system to keep it up to date. To receive QRadar upgrade notifications, see the IBM QRadar Upgrade Guide.