Configuring a QRadar Console on Google Cloud Platform

Configure an IBM® QRadar® SIEM Console on a Google Cloud Platform (GCP) instance by using the provided image.

Before you begin

Important:

The following procedure is for the configuration of an IBM QRadar 7.3.2 Console image, which has reached its End of Support. An IBM® QRadar® 7.4.3 Console image is not yet available. Once the image is installed, it should be upgraded to ensure that support is available. For information about upgrading to 7.4.3, see Upgrading QRadar SIEM.

You must acquire entitlement to a QRadar Software Node for any QRadar instance that is deployed from a third-party cloud marketplace. Entitlement to the software node should be in place before you deploy the QRadar instance. To acquire entitlement to a QRadar Software Node, contact your QRadar Sales Representative.

For any issues with QRadar software, engage IBM Support. If you experience any problems with GCP infrastructure, refer to GCP documentation. If IBM Support determines that your issue is caused by the GCP infrastructure, you must contact GCP for support to resolve the underlying issue with the GCP infrastructure.

You must use static IP addresses.

You cannot have more than two DNS entries. QRadar installation fails if you have more than two DNS entries in the /etc/resolv.conf file.

If you are installing a data gateway for QRadar on Cloud, go to Installing a QRadar data gateway in Google Cloud Platform (https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.qradar.doc_cloud/t_hosted_gcp_image.html).

  1. Create a project name that allows for a fully qualified domain name (FQDN) to be no more than 63 characters long. The FQDN consists of the deployment name followed by -vm, the zone, the region, the project name, and .internal.

    For example, if your project name is abc-stq-xyz, the appliance deployment name is qr-con, the zone is us-east4-c, and the region is c, the FQDN is qr-con-vm.us-east4-c.c.abc-stq-xyz.internal. The zone can be between 10 and 25 characters long. Depending on the zone, this leaves somewhere between 25 and 40 characters to be split between your project name and your deployment name.

  2. In the project that you created in step 1, configure your network interface.
    1. Click Google Cloud Platform > VPC network > VPC networks.
      ©2019 Google LLC, used with permission. Google and the Google logo are registered trademarks of Google LLC.
    2. Click CREATE VPC NETWORK.
    3. Give your network a name, and configure the settings as needed. Set DNS server policy to No server policy.
    4. Click Create.
  3. Add an SSH key to the project if you haven't already done so. The key must be created for a user called cloud-user.
    1. Click Google Cloud Platform > Compute Engine > Metadata.
      ©2019 Google LLC, used with permission. Google and the Google logo are registered trademarks of Google LLC.
    2. Click SSH Keys.
    3. Click Edit.
    4. Click Add item.
    5. Enter an SSH key, followed by cloud-user.
    6. Click Save.

Procedure

  1. Go to QRadar Security Intelligence Platform Console v7.3.2 P1 (https://console.cloud.google.com/marketplace/details/ibm-security-public/qradar-console?q=IBM%20qradar&id=34b7c045-edfa-485d-94d2-3b6ad1fe8ea9).
  2. Click LAUNCH.
  3. Set a deployment name for the appliance that allows for a fully qualified domain name (FQDN) to be no more than 63 characters long. The FQDN consists of the deployment name, the zone, the project name, and .internal.

    For example, if your project name is abc-stq-xyz, the appliance deployment name is qr-con, the zone is us-east4-c, and the region is c, the FQDN is qr-con-vm.us-east4-c.c.abc-stq-xyz.internal. The zone can be between 10 and 25 characters long. Depending on the zone, this leaves somewhere between 25 and 40 characters to be split between your project name and your deployment name.

  4. Select the zone that your project is in.
  5. Select a Machine Type that meets the system requirements for virtual appliances.
  6. Select the network interface that you created.
  7. Set the firewall rules for your appliance that allow ports 22 and 443 only from trusted IP addresses to create an allowlist of IP addresses that can access your QRadar deployment.
    In a QRadar deployment with multiple appliances, other ports might also be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see Common ports and servers used by QRadar.
  8. Check I accept the GCP Marketplace Terms of Service.
  9. Click Deploy.
  10. Set a static IP address for your appliance.
    1. Click Google Cloud Platform > Compute Engine > VM instances.
    2. Select your appliance from the list.
    3. Click Edit.
    4. Edit the network interface.
      • Set the Internal IP type parameter to Static and reserve a new IP address.
      • Select or create a static External IP address.
    5. Click Done.
  11. When the instance is ready, log in using SSH and your key pair by typing the following command:
    ssh -i <key.pem> cloud-user@<public_IP_address>
  12. Type the following command to check the length of your FQDN:
    hostname -f | wc -c
    If the command returns a value greater than 63 installation will fail. Restart this procedure with a shorter deployment name.
  13. Ensure that there are no more than 2 DNS entries for the instance by typing the following command:
    grep nameserver /etc/resolv.conf | wc -l 
    If the command returns 3 or higher, edit /etc/resolv.conf to remove all but two of the entries before you proceed to the next step. You will add the entries back after installation is complete.
  14. To install the Console type the following command:
    sudo /root/setup_console
  15. Enter a password for the admin account. Set a strong password that meets the following criteria.
    • Contains at least 5 characters
    • Contains no spaces
    • Can include the following special characters: @, #, ^, and *.
  16. Type the following command to restart the host and complete the installation:
    sudo reboot
  17. Become the root user by typing the following command:
    sudo -i
  18. Update the license file to address the issue described in APAR IJ30161 (https://www.ibm.com/support/pages/apar/IJ30161) by typing the following command:
    echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" | tee /opt/qradar/ecs/license.txt /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt /usr/eventgnosis/ecs/license.txt /opt/qradar/conf/templates/ecs_license.txt
    It takes approximately 5 minutes for the changes to complete.
  19. You can ensure automatic updates occur by typing the following command from a command line on the system:
    $ sudo su -
    $ pwck
    $ systemctl start crond.service
    To learn more, see APAR IJ21293 (https://www.ibm.com/support/pages/apar/IJ21293).
  20. Exit the superuser shell by typing the following command:
    exit

What to do next

If you removed any DNS entries in /etc/resolv.conf, restore them.

The QRadar instance uses Coordinated Universal Time (UTC). You can change the time zone of the instance. For more information about changing the time zone, see Configuring system time.

This image does not receive automatic software upgrades. You must manually upgrade your system to keep it up to date. To receive QRadar upgrade notifications, see: Receiving QRadar update notifications

The QRadar Autoupdate server has changed since the release of QRadar 7.3.2 to update the auto update settings, see QRadar: Important auto update server changes for administrators (https://www.ibm.com/support/pages/qradar-important-auto-update-server-changes-administrators).

Important: IBM QRadar 7.3.2 has reached End of Support. To ensure that support is available, an upgrade must be performed. For information about upgrading to 7.4.3, see Upgrading QRadar SIEM.