Configuring a QRadar managed host on Google Cloud Platform

Configure an IBM® QRadar® managed host on a Google Cloud Platform (GCP) instance by using the provided image.

Before you begin

Important:

The following procedure is for the configuration of an IBM QRadar 7.3.2 managed host image, which has reached its End of Support. An IBM® QRadar® 7.4.3 managed host image is not yet available. Once the image is installed, it should be upgraded to ensure that support is available. For information about upgrading to 7.4.3, see Upgrading QRadar SIEM.

You must acquire entitlement to a QRadar Software Node for any QRadar instance that is deployed from a third-party cloud marketplace. Entitlement to the software node should be in place before you deploy the QRadar instance. To acquire entitlement to a QRadar Software Node, contact your QRadar Sales Representative.

For any issues with QRadar software, engage IBM Support. If you experience any problems with GCP infrastructure, refer to GCP documentation. If IBM Support determines that your issue is caused by the GCP infrastructure, you must contact GCP for support to resolve the underlying issue with the GCP infrastructure.

You must use static IP addresses.

You cannot have more than two DNS entries. QRadar installation fails if you have more than two DNS entries in the /etc/resolv.conf file.

If you are installing a data gateway for QRadar on Cloud, go to Installing a QRadar data gateway in Google Cloud Platform (https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.qradar.doc_cloud/t_hosted_gcp_image.html).

  1. Create a project name that allows for a fully qualified domain name (FQDN) to be no more than 63 characters long. The FQDN consists of the deployment name followed by -vm, the zone, the region, the project name, and .internal.

    For example, if your project name is abc-stq-xyz, the appliance deployment name is qr-con, the zone is us-east4-c, and the region is c, the FQDN is qr-con-vm.us-east4-c.c.abc-stq-xyz.internal. The zone can be between 10 and 25 characters long. Depending on the zone, this leaves somewhere between 25 and 40 characters to be split between your project name and your deployment name.

  2. In the project that you created in step 1, configure your network interface.
    1. Click Google Cloud Platform > VPC network > VPC networks.
    2. Click CREATE VPC NETWORK.
    3. Give your network a name, and configure the settings as needed. Set DNS server policy to No server policy.
    4. Click Create.
  3. Add an SSH key to the project if you haven't already done so. The key must be created for a user called cloud-user.
    1. Click Google Cloud Platform > Compute Engine > Metadata.
    2. Click SSH Keys.
    3. Click Edit.
    4. Click Add item.
    5. Enter an SSH key, followed by cloud-user.
    6. Click Save.
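The two naming rules above (an FQDN of at most 63 characters, and no more than two DNS entries in /etc/resolv.conf) can be checked before you deploy. The following preflight script is an added example, not part of the IBM page; the function names and the constructed resolv.conf sample are assumptions of this example, and the FQDN layout follows the page's own example, deployment-vm.zone.c.project.internal.

```shell
#!/bin/sh
# Added preflight helper (not from the IBM page): checks the naming rules
# above before deploying. Function names and the sample resolv.conf are
# assumptions of this example; the FQDN layout follows the page's example:
#   <deployment>-vm.<zone>.c.<project>.internal

# Build the internal FQDN that GCP assigns to the appliance.
qradar_fqdn() {
  printf '%s-vm.%s.c.%s.internal' "$1" "$2" "$3"   # deployment zone project
}

# Succeed only if the FQDN fits the 63-character limit. ${#fqdn} is the
# exact length; `hostname -f | wc -c` on a live host also counts the
# trailing newline, so it reports one more than this.
fqdn_ok() {
  fqdn=$(qradar_fqdn "$1" "$2" "$3")
  [ "${#fqdn}" -le 63 ]
}

# Longest deployment name that still fits for a given zone and project.
max_deploy_len() {
  stub=$(qradar_fqdn "" "$1" "$2")   # FQDN with an empty deployment name
  echo $((63 - ${#stub}))
}

# Number of nameserver lines in a resolv.conf file (more than two fails).
nameserver_count() {
  grep -c '^nameserver[[:space:]]' "$1"
}

resolv_ok() {
  [ "$(nameserver_count "$1")" -le 2 ]
}

# Constructed sample with three DNS entries, to show the failing case.
SAMPLE_RESOLV=$(mktemp)
printf 'nameserver 169.254.169.254\nnameserver 10.0.0.2\nnameserver 10.0.0.3\n' > "$SAMPLE_RESOLV"

if fqdn_ok qr-con us-east4-c abc-stq-xyz; then echo "FQDN fits"; else echo "FQDN too long"; fi
echo "longest deployment name for us-east4-c/abc-stq-xyz: $(max_deploy_len us-east4-c abc-stq-xyz)"
if resolv_ok "$SAMPLE_RESOLV"; then echo "DNS ok"; else echo "too many DNS entries in $SAMPLE_RESOLV"; fi
```

Run it with your own deployment name, zone and project before launching the marketplace image, and point resolv_ok at the appliance's /etc/resolv.conf once the instance is up.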

Procedure

  1. Go to QRadar Security Intelligence Platform Managed Host v7.3.2 P1 (https://console.cloud.google.com/marketplace/details/ibm-security-public/qradar-mh?q=IBM%20qradar&id=19dda1c2-9483-4ddc-a7bf-43e5e0d2fc01).
  2. Click LAUNCH.
  3. Set a deployment name for the appliance that allows for a fully qualified domain name (FQDN) to be no more than 63 characters long. The FQDN consists of the deployment name followed by -vm, the zone, the region, the project name, and .internal.

    For example, if your project name is abc-stq-xyz, the appliance deployment name is qr-con, the zone is us-east4-c, and the region is c, the FQDN is qr-con-vm.us-east4-c.c.abc-stq-xyz.internal. The zone can be between 10 and 25 characters long. Depending on the zone, this leaves somewhere between 25 and 40 characters to be split between your project name and your deployment name.

  4. Select the zone that your project is in.
  5. Select a Machine Type that meets the system requirements for virtual appliances.
  6. Select the network interface that you created.
  7. Set firewall rules for your appliance that allow ports 22 and 443 only from trusted IP addresses, creating an allowlist of IP addresses that can access your QRadar deployment.
    In a QRadar deployment with multiple appliances, other ports might also be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see Common ports and servers used by QRadar.
  8. Check I accept the GCP Marketplace Terms of Service.
  9. Click Deploy.
  10. Set a static IP address for your appliance.
    1. Click Google Cloud Platform > Compute Engine > VM instances.
    2. Select your appliance from the list.
    3. Click Edit.
    4. Edit the network interface.
      • Set the Internal IP type parameter to Static and reserve a new IP address.
      • Select or create a static External IP address.
    5. Click Done.
  11. When the instance is ready, log in using SSH and your key pair by typing the following command:
    ssh -i <key.pem> cloud-user@<public_IP_address>
  12. Type the following command to check the length of your FQDN:
    hostname -f | wc -c
    If the command returns a value greater than 63, installation will fail. Restart this procedure with a shorter deployment name.
  13. Type the following command for the virtual appliance that you're installing:
    sudo /root/setup_mh <appliance_type_id>

    For example, to deploy an Event Collector, type the following command:

    sudo /root/setup_mh 1599
    You can install the following managed host appliance types:

    Table 1. Appliance types
    Appliance type ID    Appliance type
    1299                 Flow Collector
    1400                 Data Node
    1599                 Event Collector
    1699                 Event Processor
    1799                 Flow Processor
    1899                 Event and Flow Processor
  14. The system prompts you to set the root password. Set a strong password that meets the following criteria:
    • Contains at least 5 characters
    • Contains no spaces
    • Can include the following special characters: @, #, ^, and *.
  15. Type the following command to restart the host and complete the installation:
    sudo reboot
  16. Become the root user by typing the following command:
    sudo -i
  17. Update the license file to address the issue described in APAR IJ30161 (https://www.ibm.com/support/pages/apar/IJ30161) by typing the following command:
    echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" | tee /opt/qradar/ecs/license.txt /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt /usr/eventgnosis/ecs/license.txt /opt/qradar/conf/templates/ecs_license.txt
  18. Exit the superuser shell by typing the following command:
    exit
  19. Add the host to your deployment in QRadar.
    1. On the navigation menu, click Admin.
    2. In the System Configuration section, click System and License Management.
    3. In the Display list, select Systems.
    4. On the Deployment Actions menu, click Add Host.
    5. Configure the settings for the managed host by providing the static IP address and the root password used to access the operating system shell on the appliance.
    6. Click Add.
    7. Optional: Use the Deployment Actions > View Deployment menu to see visualizations of your deployment. You can download a PNG image or a Microsoft Visio (2010) VDX file of your deployment visualization.
    8. On the Admin tab, click Advanced > Deploy Full Configuration.
      Important: QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message is displayed that gives you the option to cancel the deployment and restart the service at a more convenient time.

What to do next

Important: IBM QRadar 7.3.2 has reached End of Support. To ensure that support is available, an upgrade must be performed. For information about upgrading to 7.4.3, see Upgrading QRadar SIEM.