Installing QRadar Incident Forensics

Follow these steps to install an IBM® QRadar® Incident Forensics managed host in your QRadar environment.

For stand-alone deployments, install only the QRadar Incident Forensics Standalone component.

For distributed installations, install the QRadar Console on an appliance and install the IBM QRadar Incident Forensics managed host on another appliance.

Before you begin

Ensure that the following requirements are met:

  • The required hardware is installed.
  • A keyboard and monitor are connected using the VGA connection.
  • The activation key and all required license keys are available.

    For more information, see Activation keys and license keys.

  • All appliances in the deployment have the same QRadar software version and fix level.

    Deployments that use different versions of QRadar software are not supported.

Restriction: The following limitations apply to the deployment:
  • Resizing logical volumes by using a logical volume manager (LVM) is not supported.
  • In a high-availability (HA) deployment, you can install multiple QRadar Incident Forensics appliances, but you cannot configure the appliances as an HA cluster. Creating an HA cluster by using appliance type 6000 and type 500 is not supported.


  1. For installations on your own hardware, add the QRadar Incident Forensics ISO image in the root directory.
    1. Create the /media/dvd directory by typing the following command:

      mkdir /media/dvd

    2. Mount the QRadar Console ISO image by typing the following command:

      mount -o loop <QRadar_Incident_Forensics_ISO>/media/dvd

  2. Use the setup script to start the installation.
    1. Change the working directory by typing the command:
      cd /media/dvd
    2. Start the setup script by typing the command:
  3. Follow the instructions in the installation wizard.

    On the Select the Appliance ID page, choose the QRadar Incident Forensics component to install.

    For stand-alone deployments, select 6100 QRadar Incident Forensics Standalone.

    Restriction: The following configuration options are not supported for QRadar Incident Forensics:
    • On the Choose the type of setup page, the HA Recovery Setup option is not supported.
    • On the Select if you want to use bonded interface configuration mode page, the Use bonded interface configuration mode option is not supported.

    If you install the QRadar Incident Forensics Processor, the installation process might take several minutes.

  4. Apply your license key.
    1. Log in to QRadar:


      The default user name is admin. The password is the password of the root user account.

    2. Click Login.
    3. On the navigation menu ( Navigation menu icon ), click Admin.
    4. Click System Configuration.
    5. Click the System and License Management icon.
    6. From the Display list box, select Licenses, and upload you license key.
    7. Select the unallocated license and click Allocate System to License.
    8. From the list of licenses, select the appropriate license, and click Allocate License to System.

What to do next

Deploy the QRadar Incident Forensics managed host. For more information, see Adding a QRadar Incident Forensics managed host to QRadar Console.