Configuring an App Host in Oracle Cloud

Configure an IBM QRadar SIEM App Host on an Oracle Cloud instance by using the Oracle Cloud image on Fix Central.

Before you begin

You must acquire entitlement to a QRadar Software Node before you deploy the QRadar instance. To acquire entitlement to a QRadar Software Node, contact your QRadar Sales Representative.

For any issues with QRadar software, engage IBM Support. If you experience any problems with Oracle Cloud infrastructure, refer to Oracle Cloud documentation. If IBM Support determines that your issue is caused by the Oracle Cloud infrastructure, you must contact Oracle Cloud for support to resolve the underlying issue with the Oracle Cloud infrastructure.

About this task

If you are installing a data gateway for QRadar on Cloud, go to Installing a QRadar® data gateway in Oracle Cloud.

You must use static IP addresses.

You cannot have more than two DNS entries. QRadar installation fails if you have more than two DNS entries in the /etc/resolv.conf file.

Do not make any configuration changes, such as adding extra DNS entries, until after QRadar installation is complete.

If you deploy a managed host and a Console in the same virtual network, use the private IP address of the managed host to add it to the Console.

If you deploy a managed host and a Console in different virtual networks, you must allow firewall rules for the communication between the Console and the managed host. For more information, see QRadar port usage.

Procedure

  1. Download the image file.
    1. Go to the CLOUD MARKET PLACE section of Fix Central (https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=all).
    2. Click 7.4.1-CMP-OracleCloud-APPHOST-QRADAR-20220811114721.
    3. Download the image and .sig files.
      The image file download can take several hours.
    4. Use the .sig file to verify the integrity of the image file.
  2. Upload the image file.
    1. Go to Oracle Cloud (https://www.oracle.com/ca-en/cloud/) and create a new storage bucket.
    2. Upload the file.
      The upload can take up to an hour. Do not rename the image file. Renaming the file causes the import to fail.
  3. Import the image.
    1. In Oracle Cloud, click Navigation Menu > Compute > Custom images.
    2. Select a Compartment.
    3. Click Import Image.
    4. Enter a name for the image.
    5. Select Linux as the Operating system.
    6. Select Import from an Object Storage Bucket.
    7. Select the bucket that the image file was uploaded to in step 2.
    8. Select the image file that was uploaded in step 2.
    9. Select OCI for the image type.
    10. Click Import Image.
  4. When the image is created, click Create Instance.
  5. Give your instance a name that is no longer than 58 characters. The name can contain only alphanumeric characters and the - symbol.
  6. Select a compartment for the instance.
  7. Select an availability domain for the instance.
  8. Select a shape that meets the minimum system requirements.
    1. Click Change Shape.
    2. Click Virtual machine as the Instance type.
    3. Select any shape from the AMD, Intel, or Specialty and previous generation shape series that meets the system requirements for virtual appliances.
      Important: Instances that contain extra storage drives are not supported.

      For more information, see the IBM QRadar Installation Guide.

  9. Configure networking for the instance.
    1. Select a virtual cloud network compartment.
    2. Select a virtual cloud network.
    3. Select a subnet.
    4. Select Assign a public IPv4 address.
    5. Under Show Advanced Options, check Use network security groups to control traffic.
    6. Select a security group that allows port 22, and port 443 for a QRadar Console, to create an allowlist of trusted IP addresses that can access your QRadar deployment. In a QRadar deployment with multiple appliances, other ports might also be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see Common ports and servers that are used by QRadar.
  10. Add or generate an SSH key pair.

    You need an SSH key pair to access the instance by using SSH. For more information, see Connecting to your instance.

  11. Click Create.
  12. Add a second disk to your instance for storage.
    1. Go to Navigation Menu > Storage > Block Volumes and click Create Block Volume.
    2. Name the volume and enter a size in GB.
      The minimum size is 250 GiB. The added disk must be the second disk. It cannot be the third or greater disk. When the installation is complete, this disk contains the /store and /transient partitions.
      Warning: It is not possible to increase storage after installation.
    3. Select the same compartment that your instance was created in.
    4. Click Create Block Volume.
    5. Go to Navigation Menu > Compute > Instances and select your instance.
    6. Click Attached Block Volumes.
    7. Click Attach Block Volume.
    8. Select your block volume from the drop-down menu, then select Paravirtualized as the attachment type.
    9. Click Attach.
  13. When the instance is ready, log in using the private key from your key pair.
    ssh -i <private_key_file> cloud-user@<public_IP_address>
  14. Type the following command to install the app host:
    sudo /root/setup_apphost
  15. When prompted to set the root password, set a strong password that meets the following criteria:
    • Contains at least 5 characters.
    • Contains no spaces.
    • Includes one or more of the following special characters: @, #, ^, and *.
  16. Add the host to your deployment in QRadar.
    1. On the navigation menu, click Admin.
    2. In the System Configuration section, click System and License Management.
    3. In the Display list, select Systems.
    4. On the Deployment Actions menu, click Add Host.
    5. Configure the settings for the host by providing the private IP address, and the root password to access the operating system shell on the appliance.
    6. Click Add.
    7. Optional: Use the Deployment Actions > View Deployment menu to see visualizations of your deployment. You can download a PNG image or a Microsoft Visio (2010) VDX file of your deployment visualization.
    8. On the Admin tab, click Advanced > Deploy Full Configuration.
      Important: QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
  17. Change where your apps are run in QRadar.
    1. On the System and License Management screen, click the Click to change where apps run link.
    2. Click App Host to transfer apps to the App Host.
      Note: The more apps and app data you have, the longer the transfer takes.
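
Several constraints in this task (no more than two DNS entries in /etc/resolv.conf, an instance name of at most 58 alphanumeric or - characters, a second disk of at least 250 GiB) can be checked on the instance before you run setup_apphost in step 14. The following script is an added example, not IBM code: its function names are hypothetical, and reading "must be the second disk" as "exactly two disks are attached" is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before `sudo /root/setup_apphost`.
# Function names are hypothetical; they are not part of QRadar.

MIN_STORE_BYTES=$((250 * 1024 * 1024 * 1024))   # 250 GiB minimum for the second disk

# Count active (uncommented) nameserver entries in a resolv.conf-style file.
count_nameservers() {
    awk '$1 == "nameserver" { n++ } END { print n + 0 }' "$1"
}

# The installation fails when more than two DNS entries are present.
check_dns() {
    [ "$(count_nameservers "$1")" -le 2 ]
}

# Instance name: at most 58 characters, only alphanumerics and "-".
valid_instance_name() {
    [ -n "$1" ] && [ "${#1}" -le 58 ] || return 1
    case "$1" in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
}

# Reads `lsblk -b -d -n -o NAME,SIZE,TYPE` output on stdin.
# Assumption: passes only with exactly two disks, the second >= 250 GiB.
check_second_disk() {
    awk -v min="$MIN_STORE_BYTES" '
        $3 == "disk" { n++; if (n == 2) size = $2 }
        END { exit !(n == 2 && size >= min) }'
}

preflight() {
    rc=0
    check_dns /etc/resolv.conf \
        || { echo "FAIL: more than two nameserver entries" >&2; rc=1; }
    lsblk -b -d -n -o NAME,SIZE,TYPE | check_second_disk \
        || { echo "FAIL: expected boot disk plus one disk of at least 250 GiB" >&2; rc=1; }
    return "$rc"
}

# Run the checks only when invoked with "run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

Save the script on the instance and invoke it with the argument run; a nonzero exit status means at least one constraint is not met.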

What to do next

If you removed any DNS entries in /etc/resolv.conf, restore them.