Configuring a managed host on IBM Cloud

Configure an IBM QRadar managed host on an IBM Cloud instance by using the provided IBM Cloud image.

Before you begin

You must acquire entitlement to a QRadar Software Node before you deploy the QRadar instance. To acquire entitlement to a QRadar Software Node, contact your QRadar Sales Representative.

For any issues with QRadar software, engage IBM® Support. If you experience any problems with IBM Cloud® infrastructure, refer to IBM Cloud documentation (https://cloud.ibm.com/docs). If IBM Support determines that your issue is caused by the IBM Cloud infrastructure, you must contact IBM Cloud for support to resolve the underlying issue.

About this task

You must use static IP addresses.

You cannot have more than two DNS entries. QRadar installation fails if you have more than two DNS entries in the /etc/resolv.conf file.

If you are installing a data gateway for QRadar on Cloud, go to Installing a QRadar data gateway in IBM Cloud (https://www.ibm.com/docs/en/SSKMKU/com.ibm.qradar.doc/t_hosted_IBM_Cloud.html).
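As an added pre-install check that is not part of this page or of the QRadar installer, the following POSIX shell script counts the nameserver entries in a resolv.conf-style file and reports when there are more than the two that the installer tolerates. The two sample files are constructed for the demonstration; on the instance you would run check_dns_entries /etc/resolv.conf before starting the installation.

```shell
#!/bin/sh
# Added pre-install check; not part of the IBM page or the QRadar installer.
# Counts the "nameserver" entries in a resolv.conf-style file, because the
# page states that installation fails with more than two. Comment text
# (# or ;) and search/domain/options lines are ignored.

# count_nameservers FILE -> prints the number of active nameserver entries
count_nameservers() {
    sed 's/[#;].*$//' "$1" | awk '$1 == "nameserver" { n++ } END { print n + 0 }'
}

# check_dns_entries FILE -> returns 0 with at most two entries, 1 otherwise
check_dns_entries() {
    n=$(count_nameservers "$1")
    if [ "$n" -gt 2 ]; then
        echo "WARN: $1 has $n nameserver entries; QRadar allows at most 2" >&2
        return 1
    fi
    echo "OK: $1 has $n nameserver entries"
}

# Constructed sample files (not taken from any real host): one that passes
# the check and one that fails it.
RESOLV_OK=$(mktemp)
RESOLV_TOO_MANY=$(mktemp)
trap 'rm -f "$RESOLV_OK" "$RESOLV_TOO_MANY"' EXIT

cat > "$RESOLV_OK" <<'EOF'
# constructed sample: two resolvers
search example.internal
nameserver 10.0.0.2
nameserver 10.0.0.3
EOF

cat > "$RESOLV_TOO_MANY" <<'EOF'
# constructed sample: three resolvers plus a commented-out fourth
search example.internal
nameserver 10.0.0.2
nameserver 10.0.0.3
nameserver 10.0.0.4 ; tertiary resolver
# nameserver 10.0.0.5
options timeout:2
EOF

check_dns_entries "$RESOLV_OK"
check_dns_entries "$RESOLV_TOO_MANY" || echo "(expected: the constructed sample has too many entries)"
```

If the check fails, remove the surplus entries from /etc/resolv.conf before installing and, as the page notes under What to do next, restore them afterwards.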

Procedure

  1. Download the .vhd image file.
    1. Go to the CLOUD MARKET PLACE section of Fix Central (https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar®+SIEM&release=7.4.0&platform=Linux®&function=all).
    2. Choose a public managed host or a private managed host.
      • For a public managed host, click 7.4.1-CMP-IBMCloud-MANAGEDHOST-QRADAR-20200716115107. Public hosts have a public IP address and a private IP address. You must use the public IP address to attach this host to the Console in step 7 d.
      • For a private managed host, click 7.4.1-CMP-IBMCloud-MANAGEDHOST-PRIVATE-QRADAR-QRSIEM-20200716115107. Private hosts have only a private IP address, and can only be accessed within the same network, or through a routing solution of your own choosing. You will need both the routed public IP address and the private IP address to attach this host to your Console in step 7 d.
    3. Download the .vhd and .sig files.
      The .vhd file download can take several hours.
  2. Upload the .vhd image file.
    1. Go to IBM Cloud (https://cloud.ibm.com/) and create a new storage bucket.
      You need the location that is used by your storage bucket, and the IBM Cloud API Key for your storage bucket, in step 3.
    2. Upload the .vhd file.
      The upload can take up to an hour. Do not rename the .vhd file. Renaming the file causes the import to fail.
  3. Configure network settings and create the instance.
    1. Click Navigation Menu > Classic Infrastructure > Manage > Images.
    2. In the Visibility menu, select Private images and find the image that you uploaded.
      For a public managed host, you must choose the public managed host image. For a private managed host, you must choose the private managed host image.
    3. Click Actions menu > Order Public VSI.
    4. Select the Public Multi-tenant virtual server type.
    5. Enter a hostname and domain. The combined character count of the hostname and domain cannot exceed 64 characters.
    6. Select a data center location.
    7. Select a profile that meets the system requirements for virtual appliances.
      Important: Profiles from the Balanced local storage family are not supported.
    8. Select an SSH key if you have one. Otherwise, select None.
    9. Choose an uplink port speed under Public & Private network uplinks.
      You can choose to deploy either a public machine or a private machine. The network configuration of this host must match your Console. If your Console is public, this host must also be public. If your Console is private, this host must also be private.
      • Public machines have a public IP address and a private IP address, and they are accessible from the internet. You must use the public IP address to attach this host to your Console.
      • Private machines have only a private IP address, and can only be accessed within the same network, or through a routing solution of your own choosing.
    10. Select allow_all and allow_outbound for a private security group. If you are deploying a public machine, select allow_all and allow_outbound for a public security group too.
      In a QRadar deployment with multiple appliances, many ports must be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see Common ports and servers used by QRadar. Restrict ports that are not needed by using a firewall or other technology that allows you to restrict ports.
    11. Accept the third-party service agreements and click Create.
    The Devices screen loads. In a few minutes, a date appears in the Start Date field.
  4. After the instance has a Start Date, configure storage for the instance.
    1. Click Navigation Menu > Classic Infrastructure > Block Storage.
    2. In the Portable storage section, click Order Portable Storage.
    3. Select the same Region, Location, and Zone for your portable storage that your instance is in.
    4. Enter a description for your portable storage.
    5. Estimate your storage needs and enter a size for the second disk in GB.
      The minimum size is 250 GB. The added disk must be the second disk. It cannot be the third or greater disk.

      When the installation is complete, this disk contains the /store and /transient partitions.

      Warning: You cannot increase storage after installation.
    6. Accept the service agreement and click Create.
  5. Attach storage to your instance.
    1. Click Navigation Menu > Classic Infrastructure > Block Storage.
    2. In the Portable storage section, find the disk that you created and click Actions menu > Attach.
    3. Find the instance that you created and click Attach.
    4. Accept the warning that the virtual server will be shut off during disk attachment and click Attach.
    The second disk is added and the instance restarts. This process takes several minutes.
  6. Install the managed host and set the admin password.
    1. When the instance is ready, log in by typing the following command:
      ssh root@<public_IP_address>

      If you are not using an SSH key, you are prompted to enter the root password. This password is provided in your instance details.

      If you deployed a private-only host, you will not be able to SSH directly to the host. You must first connect to a router that allows access to the host.

    2. Type the following command for the managed host that you're installing:
      sudo /root/setup_mh <appliance_type_id>

      For example, to deploy an Event Collector type the following command:

      sudo /root/setup_mh 1599

      You can install the following managed host appliance types:

      Table 1. Appliance types
      Appliance type ID Appliance type
      1299 Flow Collector
      1400 Data Node
      1599 Event Collector
      1699 Event Processor
      1799 Flow Processor
      1899 Event and Flow Processor
    3. The system prompts you to set the root password. Set a strong password that meets the following criteria.
      • Contains at least 5 characters
      • Contains no spaces
      • Includes one or more of the following special characters: @, #, ^, and *.
    4. Update the license file to address the issue described in APAR IJ30161 (https://www.ibm.com/support/pages/apar/IJ30161) by typing the following command:
      echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" | tee /opt/qradar/ecs/license.txt /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt /usr/eventgnosis/ecs/license.txt /opt/qradar/conf/templates/ecs_license.txt
      It takes approximately 5 minutes for the changes to complete.
    5. Restart your instance by typing the following command:
      reboot
  7. Add the host to your deployment in QRadar.
    1. On the navigation menu, click Admin.
    2. In the System Configuration section, click System and License Management.
    3. In the Display list, select Systems.
    4. On the Deployment Actions menu, click Add Host.
    5. Configure the settings for the host by providing its IP address and the root password to access the operating system shell on the appliance.
      • For a public host, provide the public IP address, and the root password to access the operating system shell on the appliance.
      • For a private host, provide the private IP address and the root password. If your host is in a different network from your Console, select NAT. Select or create a NAT group for non-Consoles and provide the public IP address that you routed to the host.
    6. Click Add.
    7. Optional: Use the Deployment actions > View Deployment menu to see visualizations of your deployment. You can download a PNG image or a Microsoft Visio (2010) VDX file of your deployment visualization.
    8. On the Admin tab, click Advanced > Deploy Full Configuration.
      Important: QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
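The license update in step 6 writes one string to six files with tee. The following script is an added verification step that is not part of this page or of the QRadar installer: it confirms that each target file exists and matches the expected string byte for byte, which catches a trailing newline from echo without -n and typographic quotes pasted from a document. The EXPECTED value and the file contents below are constructed; on the instance you would pass the license string and the six paths from step 6 instead.

```shell
#!/bin/sh
# Added post-step check; not part of the IBM page or the QRadar installer.
# Verifies that every license file exists and contains exactly the expected
# bytes, as written by "echo -n ... | tee ...".

# verify_license_files EXPECTED FILE... -> 0 if every file matches, 1 otherwise
verify_license_files() {
    expected=$1
    shift
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f" >&2
            rc=1
            continue
        fi
        # printf '%s' writes no trailing newline, matching echo -n, so cmp
        # detects a stray newline or any wrong byte.
        if printf '%s' "$expected" | cmp -s - "$f"; then
            echo "OK: $f"
        else
            echo "MISMATCH: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed placeholder string and files; not a real license or real paths.
EXPECTED='SAMPLE-LICENSE-STRING:placeholder'
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

printf '%s' "$EXPECTED" > "$WORK/good.txt"              # written as the page's command does
echo "$EXPECTED" > "$WORK/trailing_newline.txt"         # echo without -n appends "\n"
printf '\342\200\234%s\342\200\235' "$EXPECTED" > "$WORK/curly_quotes.txt"  # pasted typographic quotes

verify_license_files "$EXPECTED" "$WORK/good.txt"
verify_license_files "$EXPECTED" "$WORK/trailing_newline.txt" "$WORK/curly_quotes.txt" "$WORK/missing.txt" \
    || echo "(expected: the three constructed files above do not match)"
```

A MISMATCH on the real host means the string in a license file differs from what was intended; rerun the tee command from step 6 with plain ASCII quotes and check again before rebooting.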

What to do next

If you removed any DNS entries in /etc/resolv.conf, restore them.

The QRadar instance uses Coordinated Universal Time (UTC). You can change the time zone of the instance. For more information about changing the time zone, see Configuring system time.

This image does not receive automatic software upgrades. You must manually upgrade your system to keep it up to date. To receive QRadar upgrade notifications, see Receiving QRadar update notifications.