Setting up a QRadar silent installation

Install IBM® QRadar® "silently," or perform an unattended installation.

Before you begin

  • You must have the QRadar ISO for the release that you want to install.
  • Modify the SELINUX value in the /etc/sysconfig/selinux file to SELINUX=disabled, and restart the system.

  • You must install Red Hat Enterprise Linux (RHEL) on the system where you want to install QRadar. For more information, see Installing RHEL on your own appliance. The following table describes the version of Red Hat® Enterprise Linux® used with the IBM QRadar version.

    Table 1. Red Hat version

    | IBM QRadar version | Red Hat Enterprise Linux version |
    |--------------------|----------------------------------|
    | IBM QRadar 7.4.0 | Red Hat Enterprise Linux V7.6 64-bit |
    | IBM QRadar 7.4.1 | Red Hat Enterprise Linux V7.7 64-bit |
    | IBM QRadar 7.4.2 | Red Hat Enterprise Linux V7.7 64-bit |
    | IBM QRadar 7.4.3 | Red Hat Enterprise Linux V7.7 64-bit |

Procedure

  1. As the root user, use SSH to log on to the host where you want to install QRadar.
  2. In the root directory of the host where you want to install QRadar, create a file that is named AUTO_INSTALL_INSTRUCTIONS and contains the following content:
    Table 2. Silent Install File parameters. Parameters that are listed as "Optional" are required in the AUTO_INSTALL_INSTRUCTIONS file, but can have no value.

    | Parameter | Value Required? | Description | Permitted values |
    |-----------|-----------------|-------------|------------------|
    | force | Required | Forces the installation of the appliance despite any hardware issues. | true or false |
    | api_auth_token | Optional | An authorization token. For more information about managing authorized services, see the IBM Security QRadar Administration Guide. | Authorization token |
    | appliance_number | Optional | The identifier for the appliance | 0, 3105, 1201, and so on. |
    | appliance_oem | Required | Identifies the appliance provider. | qradar, forensics, and so on. |
    | appliance_filter | Required | The appliance name or identifier. | vmware, na |
    | bonding_enabled | Required | Specifies whether you are using bonded interfaces. | true or false |
    | bonding_interface | If using bonded interfaces, then required. | The MAC addresses for the interfaces that you are bonding, separated by commas. | <interface_name=mac_address>, <secondary_interface_name=mac_address> |
    | bonding_interface_name | If using bonded interfaces, then required. | Identifies the bonding interface. | bond0 |
    | bonding_options | If using bonded interfaces, then required. | The Linux options for bonded interfaces. For more information about NIC bonding, see the IBM Security QRadar Administration Guide. | Example: miimon=100 mode=4 lacp_rate=1 |
    | ha_cluster_virtual_ip | Optional | Specifies the IP address for the HA cluster. | ip_address |
    | hostname | Required | The fully qualified host name for your QRadar system. | |
    | ip_protocol | Required | The IP protocol for this host. | ipv4, ipv6 |
    | ip_dns_primary | If ip_protocol is set to IPv4, then required | The primary DNS server. | A valid IPv4 address. |
    | ip_dns_secondary | If ip_protocol is set to IPv4, then required | The secondary DNS server. | A valid IPv4 address. |
    | ip_management_interface | Required | The interface name, and the MAC address of the management interface. You can use either, or both separated by "=". | |
    | ipv4_address | If ip_protocol is set to IPv4, then required | The IP address of the host that you are installing the software on. | A valid IPv4 address |
    | ipv4_address_public | If ip_protocol is set to IPv4, and NATed, then required | The public IP address of the host that you are installing the software on. | A valid IPv4 address |
    | ipv4_gateway | If ip_protocol is set to IPv4, then required | The network gateway for this host | A valid IPv4 address |
    | ipv4_network_mask | If ip_protocol is set to IPv4, then required | The netmask for this host | |
    | ip_v6_address | If ip_protocol is set to IPv6, then required | The IPv6 address of the QRadar installation if required. | A valid IPv6 address |
    | ip_v6_address_public | If ip_protocol is set to IPv6, and NATed, then required | The public IP address of the host that you are installing the software on. | A valid IPv6 address |
    | ip_v6_autoconf | Required | Specifies whether IPv6 is autoconfigured. | true or false |
    | ip_v6_gateway | Not required | Leave empty. | |
    | is_console | Required | Specifies whether this host is the console within the deployment | true - This host is the console in the deployment; false - This is not the console and is another type of managed host (Event or Flow Processor, and so on) |
    | is_console_standby | Required | Specifies whether this host is an HA console standby | true or false |
    | admin_password | Optional | The password for the administrator account. You can encrypt the password if required. If you leave this parameter blank, the password is not updated. Important: Your company's security policies can prevent you from entering a password in a static file on the appliance. | <password>; Defined, or leaving the value empty to use a previously entered password on an upgrade. |
    | root_password | Required | The password for the root account. You can encrypt the password, if required. If you leave this parameter blank, the password is not updated. Important: Your company's security policies can prevent you from entering a password in a static file on the appliance. | <password>; Defined, or leaving the value empty uses a previously entered password on an upgrade. |
    | security_template | If is_console is set to Y, then required | The security template. This value must be consistent with the value entered in appliance_number. | Enterprise - for all SIEM-based hosts; Logger - for Log Manager |
    | time_current_date | Required | The current date for this host. Use the following format: YYYY/MM/DD format | |
    | time_current_time | Required | The time for the host in the 24 hour format HH:MM:SS. | |
    | time_ntp_server | Optional | The FQHN or IP address of the network time protocol (NTP) server. | |
    | timezone | Required | The time zone from the TZ database. For more information, see http://timezonedb.com/. | Europe/London, GMT, America/Montreal, America/New_York, America/Los_Angeles, Asia/Tokyo, and so on. |
    | type_of_setup | Required | Specifies the type of installation for this host | normal - A standard QRadar managed host or console deployment; recovery - A High Availability (HA) recovery installation on this host. |
    | console_host | Required for SIOC | The name for your IBM QRadar on Cloud system. | IP address |
    | Gateway setup choice | Required for SIOC | Type True if this appliance is an IBM QRadar on Cloud gateway. Type False if the appliance is not a gateway appliance. | true or false |
    | http_proxy_host | Optional | The host name of the proxy host for the IBM QRadar on Cloud appliance. | |
    | http_proxy_password | Optional | The password for the proxy host for the IBM QRadar on Cloud appliance. | |
    | http_proxy_port | Optional | The identifier for the port you connect to on the proxy host for the IBM QRadar on Cloud appliance. | |
    | http_proxy_user | Optional | The user name for the proxy host for the IBM QRadar on Cloud appliance. | |
    | internet_access_mode | Required for SIOC | The mode that you use to access the IBM QRadar on Cloud appliance | direct or proxy |

    Example:
    #0.0.1
    ai_force=<true_false>
    ai_api_auth_token= <certificate>
    ai_appliance_number= <####>
    ai_appliance_oem= <qradar_forensics_or_oem>
    ai_appliance_filter= <appliance_number_or_identifier>
    ai_bonding_enabled= <true_or_false>
    ai_bonding_interfaces= <mac_address>
    ai_bonding_interface_name= <interface_identifier>
    ai_bonding_options= <bonding_option_identifiers>
    ai_gateway_setup_choice= <true_or_false>
    ai_ha_cluster_virtual_ip= <IP_address>
    ai_hostname= <hostname_with_FQDN>
    ai_ip_dns_primary= <IP_address_of_primary_DNS>
    ai_ip_dns_secondary= <IP_address_of_secondary_DNS>
    ai_ip_management_interface= <MAC_address>
    ai_ip_protocol= <ipv4_or_ipv6>
    ai_ip_v4_address= <IP_address>
    ai_ip_v4_address_public= <public_IP_address>
    ai_ip_v4_gateway= <IP_address_of_gateway>
    ai_ip_v4_network_mask= <network_mask>
    ai_ip_v6_address= <IPv6_address>
    ai_ip_v6_address_public= <IPv6_public_address>
    ai_ip_v6_autoconf= <true_false>
    ai_ip_v6_gateway= <IP_address>
    ai_is_console= <true_or_false>
    ai_is_console_standby= <true_or_false>
    ai_root_password= <password_for_root_account>
    ai_security_template= <enterprise_or_logger>
    ai_time_current_date= <yyyy-mm-dd>
    ai_time_current_time= <hh:mm:ss>
    ai_time_ntp_server= <ntpserver_hostserver>
    ai_timezone= <EST_or_PST_or_timezone>
    ai_type_of_setup= <normal_or_recovery>
    ai_console_host= <IP_address_or_identifier_for_SIOC_7000_host>
    ai_http_proxy_host= <SIOC_7000_proxy_hostname>
    ai_http_proxy_password= <SIOC_7000_proxy_password>
    ai_http_proxy_port= <SIOC_7000_proxy_port>
    ai_http_proxy_user= <SIOC_7000_proxy_user_name>
    ai_internet_access_mode= <SIOC_7000_direct_or_proxy>

    Replace the configuration settings in the file with ones that are suitable for your environment.

    Important: Ensure that the AUTO_INSTALL_INSTRUCTIONS file has no extension, such as .txt, or .doc. The installation does not succeed if the file has an extension.
  3. Using an SFTP program, copy the QRadar ISO to the host where you want to install QRadar.
  4. On the host where you are installing QRadar, create a /media/cdrom directory by using the following command:
    mkdir /media/cdrom
  5. Mount the QRadar ISO by using the following command:
    mount -o loop <qradar.iso> /media/cdrom
  6. Run the QRadar setup by using the following command:
    /media/cdrom/setup
  7. Open the End User License Agreement (EULA) at /media/cdrom/EULA.txt and review.
  8. To agree to the EULA, add --accept-eula to the /media/cdrom/setup command.
    When you add --accept-eula, you bypass the EULA prompt.
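
A pre-flight check for the AUTO_INSTALL_INSTRUCTIONS file from step 2, to run before /media/cdrom/setup. This is an added example, not IBM code: key names are copied from the Example above, the ai_get, ai_fail, ai_need and ai_lint helpers are hypothetical, and two checks are assumptions (no group/other permission bits on a file that holds passwords, and ai_is_console=true as the condition for ai_security_template).

```shell
#!/bin/sh
# Added example: pre-flight lint for AUTO_INSTALL_INSTRUCTIONS (not IBM code).
# Key names come from the Example on this page; the permission check and the
# ai_is_console=true condition are assumptions made for this sketch.

ai_get() {  # ai_get FILE KEY -> value with surrounding blanks trimmed ("" if unset)
    sed -n "s/^$2=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

ai_fail() { echo "FAIL: $*"; AI_FINDINGS=$((AI_FINDINGS + 1)); }

ai_need() {  # ai_need FILE KEY... -> report every listed key that has no value
    _f=$1; shift
    for _k in "$@"; do
        [ -n "$(ai_get "$_f" "$_k")" ] || ai_fail "$_k must have a value"
    done
}

ai_lint() {  # ai_lint FILE -> prints findings, returns how many there were
    f=$1; AI_FINDINGS=0
    [ "$(basename "$f")" = AUTO_INSTALL_INSTRUCTIONS ] ||
        ai_fail "file must be named AUTO_INSTALL_INSTRUCTIONS, with no extension"
    # The file carries passwords: flag any group/other permission bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        ai_fail "file is accessible to group/other; use chmod 600"
    # "Optional" parameters must still appear as keys, even with no value.
    for k in ai_api_auth_token ai_appliance_number ai_ha_cluster_virtual_ip \
             ai_root_password ai_time_ntp_server ai_ip_v6_gateway; do
        grep -q "^$k=" "$f" || ai_fail "$k= line is missing"
    done
    # Parameters that Table 2 lists as Required.
    ai_need "$f" ai_force ai_appliance_oem ai_appliance_filter ai_bonding_enabled \
        ai_hostname ai_ip_protocol ai_ip_management_interface ai_ip_v6_autoconf \
        ai_is_console ai_is_console_standby ai_time_current_date \
        ai_time_current_time ai_timezone ai_type_of_setup
    # Conditional requirements: bonding, console, and IP protocol.
    [ "$(ai_get "$f" ai_bonding_enabled)" != true ] ||
        ai_need "$f" ai_bonding_interfaces ai_bonding_interface_name ai_bonding_options
    [ "$(ai_get "$f" ai_is_console)" != true ] || ai_need "$f" ai_security_template
    case "$(ai_get "$f" ai_ip_protocol)" in
        ipv4) ai_need "$f" ai_ip_dns_primary ai_ip_dns_secondary ai_ip_v4_address \
                  ai_ip_v4_gateway ai_ip_v4_network_mask ;;
        ipv6) ai_need "$f" ai_ip_v6_address ;;
        *)    ai_fail "ai_ip_protocol must be ipv4 or ipv6" ;;
    esac
    return "$AI_FINDINGS"
}
```

Source the file and run ai_lint /AUTO_INSTALL_INSTRUCTIONS; a return status of 0 means no findings.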