Configuring a Console on IBM Cloud VPC

Configure an IBM QRadar SIEM Console on an IBM Cloud® VPC Server instance by using the IBM Cloud VPC image on Fix Central.

Before you begin

You must acquire entitlement to a QRadar Software Node before you deploy the QRadar instance. To acquire entitlement to a QRadar Software Node, contact your QRadar Sales Representative.

For any issues with QRadar software, engage IBM® Support. If you experience any problems with IBM Cloud VPC infrastructure, refer to IBM Cloud VPC documentation (https://cloud.ibm.com/docs). If IBM Support determines that your issue is caused by the IBM Cloud VPC infrastructure, you must contact IBM Cloud for support to resolve the underlying issue.

About this task

If you are installing a data gateway for QRadar on Cloud, go to Installing a QRadar data gateway in IBM Cloud (https://www.ibm.com/docs/en/SSKMKU/com.ibm.qradar.doc/t_hosted_IBM_Cloud_VPC.html).

You must use static IP addresses.

If you deploy a managed host and a Console in the same virtual network, use the private IP address of the managed host to add it to the Console.

If you deploy a managed host and a Console in different virtual networks, you must configure firewall rules that allow communication between the Console and the managed host. For more information, see QRadar port usage.

Procedure

  1. Download the .qcow2 image file.
    1. Go to the CLOUD MARKET PLACE section of Fix Central (https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=all).
    2. Click 7.4.3-CMP-IBMCloudVPC-CONSOLE-QRADAR-20220329114452.
    3. Download the .qcow2 and .sig files.
      The .qcow2 file download can take several hours.
    4. Use the .sig file to verify the integrity of the .qcow2 file.
  2. Upload the .qcow2 image file.
    1. Go to IBM Cloud (https://cloud.ibm.com/) and create a new storage bucket.
      You need the location that is used by your storage bucket in step 3.
    2. Upload the .qcow2 file.
      The upload can take up to an hour. Do not rename the .qcow2 file. Renaming the file causes the import to fail.
  3. Import the .qcow2 file.
    1. In IBM Cloud, click Navigation Menu > VPC Infrastructure > Custom images.
    2. Click Create.
    3. Enter a name for the image and select a Resource group for the image to belong to.
    4. Set the Source to Cloud Object Storage.
    5. Select the Cloud Object Storage service instance, the location that is used by your storage bucket, your storage bucket, and the .qcow2 file that you uploaded.
      Note: If you want to import your image into multiple regions, you will have to repeat step 2 and create a new storage bucket in each desired region.
    6. Set the Operating system to Red Hat Enterprise Linux, and set the Version to red-7-amd64-byol.
    7. Click Create custom image.
      The import can take up to 10 minutes.
  4. After the image status is Available, create the instance.
    1. Click Navigation Menu > VPC Infrastructure > Virtual Server Instances.
    2. Click Create +.
    3. Set the Architecture to Intel.
    4. Set the Hosting type to Public.
    5. Set the location to the same region that you imported your image to in step 3.
    6. Give your instance a name that doesn't exceed 57 characters.
      The name can contain only alphanumeric characters and the - symbol.
    7. Select a Resource group for the instance.
    8. If you would like an easier way to identify your instance, enter a tag for your instance.
    9. Set the Operating system to Custom image.
      The Select custom image window appears.
    10. Choose the image that you imported in step 3, then click Select.
    11. Click View all profiles.
      The Select an instance profile window appears.
    12. Select a profile that meets the system requirements for virtual appliances, then click Save.
      Important: Instances that use Instance storage are not supported.
    13. Select or create an SSH key pair.
      You need an SSH key pair to access the instance by using SSH.
    14. In the Data volumes section, click Create +.
    15. Enter a Name for the second disk.
    16. Estimate your storage needs and enter a size for the second disk in GB.
      The minimum size is 250 GB. The added disk must be the second disk. It cannot be the third or greater disk.

      When the installation is complete, this disk contains the /store and /transient partitions.

      Warning: You cannot increase storage after installation.
    17. Select a profile, set the IOPS, and click Create.
    18. Select a Virtual private cloud.
    19. In the Network interfaces section, click the Edit icon next to eth0.
    20. Leave the interface set to eth0 and select a Subnet.
    21. Set Reserving method to Let me specify and select a reserved private IP address from your subnet.
      This IP address will be the private IP address associated with your instance.
    22. Select a security group that allows ports 22 and 443 only from trusted IP addresses, then click Save.
      In a QRadar deployment with multiple appliances, other ports might also be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see Common ports and servers used by QRadar.
    23. Click Create Virtual Server.
  5. When the instance status says Running, assign a floating IP address to your instance.
    1. Click on the instance that you created.
    2. In the Network interfaces section, click the Edit icon next to eth0.
    3. Select an IP address or Reserve a new floating IP from the Floating IP address dropdown, then click Save.
  6. Install the Console and set the admin password.
    1. When the floating IP address is assigned, log in by typing the following command:
      ssh -i <private_key> cloud-user@<public_IP_address>
    2. To install the Console, type the following command:
      sudo /root/setup_console
    3. Enter a password for the admin account. Set a strong password that meets the following criteria.
      • Contains at least 5 characters
      • Contains no spaces
      • Includes one or more of the following special characters: @, #, ^, and *.
    You can access your IBM QRadar SIEM Console by going to https://<fixed_IP_address> and logging in as the admin user.
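
Added example (not part of the IBM procedure or IBM code): one way to check the security group chosen in step 4.22 before you attach it, by listing inbound rules that expose port 22 or 443 to sources outside your trusted ranges. It assumes the rules were exported as JSON with the fields direction, protocol, port_min, port_max and remote.cidr_block or remote.address; the rule ids, sample rules and trusted range are constructed.

```python
import ipaddress

ADMIN_PORTS = (22, 443)  # SSH and the Console web UI, per step 4.22

def rule_ports(rule):
    """Return the (low, high) TCP port range a rule covers, or None if it carries no TCP."""
    proto = rule.get("protocol")
    if proto == "all":
        return (1, 65535)
    if proto != "tcp":
        return None
    # A tcp rule without explicit bounds is treated as covering every port.
    return (rule.get("port_min") or 1, rule.get("port_max") or 65535)

def rule_source(rule):
    """Return the remote as an ip_network, or None for a non-IP remote (a security group)."""
    remote = rule.get("remote", {})
    if "cidr_block" in remote:
        return ipaddress.ip_network(remote["cidr_block"], strict=False)
    if "address" in remote:
        return ipaddress.ip_network(remote["address"])
    return None

def audit(rules, trusted_cidrs):
    """List (rule id, port, source) for inbound rules exposing 22/443 beyond trusted_cidrs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in rules:
        ports = rule_ports(rule)
        if rule.get("direction") != "inbound" or ports is None:
            continue
        src = rule_source(rule)
        if src is None:
            continue  # remote is a security group reference: review its members separately
        ok = any(src.version == t.version and src.subnet_of(t) for t in trusted)
        for port in ADMIN_PORTS:
            if ports[0] <= port <= ports[1] and not ok:
                findings.append((rule["id"], port, str(src)))
    return findings

# Constructed sample rules (not from a real account); field names are assumed.
SAMPLE_RULES = [
    {"id": "r1", "direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
     "remote": {"cidr_block": "203.0.113.0/28"}},
    {"id": "r2", "direction": "inbound", "protocol": "tcp", "port_min": 443, "port_max": 443,
     "remote": {"cidr_block": "0.0.0.0/0"}},
    {"id": "r3", "direction": "inbound", "protocol": "all", "remote": {"address": "198.51.100.7"}},
    {"id": "r4", "direction": "outbound", "protocol": "tcp", "remote": {"cidr_block": "0.0.0.0/0"}},
]
```

Calling audit(SAMPLE_RULES, ["203.0.113.0/24"]) reports r2 (port 443 open to any address) and r3 (all protocols from a host outside the trusted range); an empty result means every rule that reaches port 22 or 443 comes from a trusted range.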

What to do next

The QRadar instance uses Coordinated Universal Time (UTC). You can change the time zone of the instance. For more information about changing the time zone, see Configuring system time.

This image does not receive automatic software upgrades. You must manually upgrade your system to keep it up to date. To receive QRadar upgrade notifications, see Receiving QRadar update notifications.