Configuring a Console on IBM Cloud

Configure an IBM QRadar SIEM Console on an IBM Cloud® instance by using the IBM Cloud image on Fix Central.

Before you begin

You must acquire entitlement to a QRadar Software Node before you deploy the QRadar instance. To acquire entitlement to a QRadar Software Node, contact your QRadar Sales Representative.

For any issues with QRadar software, engage IBM® Support. If you experience any problems with IBM Cloud infrastructure, refer to IBM Cloud documentation (https://cloud.ibm.com/docs). If IBM Support determines that your issue is caused by the IBM Cloud infrastructure, you must contact IBM Cloud for support to resolve the underlying issue.

About this task

You must use static IP addresses.

You cannot have more than two DNS entries. QRadar installation fails if you have more than two DNS entries in the /etc/resolv.conf file.
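As an added pre-flight check (not part of the IBM page), the following POSIX shell script counts the nameserver entries in a resolv.conf file so the limit is caught before setup_console runs, and can write a trimmed copy while keeping a backup so the removed entries can be restored afterwards, as the "What to do next" section asks. The function names, the backup suffix and the sample file contents are my own constructions.

```shell
#!/bin/sh
# Added example (not from the IBM page): pre-flight check for the
# two-nameserver limit before running setup_console. Assumes a standard
# resolv.conf layout where each resolver is a line starting with "nameserver".

MAX_NAMESERVERS=2

# Print the number of "nameserver" lines in the given file.
count_nameservers() {
    grep -c '^[[:space:]]*nameserver[[:space:]]' "$1" || true
}

# Return 0 if the file has at most MAX_NAMESERVERS resolvers, 1 if it has more,
# 2 if the file cannot be read.
check_resolv_conf() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    n=$(count_nameservers "$file")
    if [ "$n" -gt "$MAX_NAMESERVERS" ]; then
        echo "$file lists $n nameservers; QRadar installation fails with more than $MAX_NAMESERVERS" >&2
        return 1
    fi
    return 0
}

# Save SRC as SRC.pre-qradar (the copy you restore from after installation),
# then write DEST with only the first MAX_NAMESERVERS nameserver lines.
# Other lines (search, options) are kept. SRC and DEST may be the same path.
trim_nameservers() {
    src="$1"; dest="$2"
    cp -p "$src" "$src.pre-qradar" || return 1
    awk -v max="$MAX_NAMESERVERS" '
        /^[ \t]*nameserver[ \t]/ { if (++seen > max) next }
        { print }
    ' "$src.pre-qradar" > "$dest"
}

# Demonstration on a constructed file (not a real /etc/resolv.conf).
sample=$(mktemp)
cat > "$sample" <<'EOF'
search example.internal
nameserver 10.0.0.2
nameserver 10.0.0.3
nameserver 10.0.0.4
EOF
if check_resolv_conf "$sample"; then
    echo "$sample is within the limit"
else
    trim_nameservers "$sample" "$sample"
    echo "trimmed to $(count_nameservers "$sample") nameservers; backup in $sample.pre-qradar"
fi
rm -f "$sample" "$sample.pre-qradar"
```

On a real host you would run check_resolv_conf /etc/resolv.conf before step 7, and trim_nameservers /etc/resolv.conf /etc/resolv.conf only if it fails; the .pre-qradar copy is what you copy back once the installation completes.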

If you are installing a data gateway for QRadar on Cloud, go to Installing a QRadar data gateway in IBM Cloud (https://www.ibm.com/docs/en/SSKMKU/com.ibm.qradar.doc/t_hosted_IBM_Cloud.html).

Procedure

  1. Download the .vhd image file.
    1. Go to the CLOUD MARKET PLACE section of Fix Central (https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar®+SIEM&release=7.4.0&platform=Linux®&function=all).
    2. Click 7.4.1-CMP-IBMCloud-CONSOLE-QRADAR-20200716115107.
    3. Download the .vhd and .sig files.
      The .vhd file download can take several hours.
  2. Upload the .vhd image file.
    1. Go to IBM Cloud (https://cloud.ibm.com/) and create a new storage bucket.
      You need the location that is used by your storage bucket, and the IBM Cloud API Key for your storage bucket, in step 3.
    2. Upload the .vhd file.
      The upload can take up to an hour. Do not rename the .vhd file. Renaming the file causes the import to fail.
  3. Import the .vhd image.
    1. In IBM Cloud, click Navigation Menu > Classic Infrastructure > Manage > Images.
    2. Click Import custom image.
    3. Enter a name for the image and the IBM Cloud API Key for your storage bucket.
    4. Select the Cloud Object Storage service instance, the location that is used by your storage bucket, your storage bucket, and the .vhd file that you uploaded.
    5. Select RedHat EL 7.0 minimal (64-bit).
    6. From the Boot mode menu, select Hardware Virtual Machine (HVM).
    7. Check Your license and Cloud-init.
    8. Click Import image.
      The import can take up to 15 minutes.
  4. Configure network settings and create the instance.
    1. Click Navigation Menu > Classic Infrastructure > Manage > Images.
    2. In the Visibility menu, select Private images and find the image that you uploaded.
    3. Click Actions menu > Order Public VSI.
    4. Select the Public Multi-tenant virtual server type.
    5. Enter a hostname and domain. The combined character count of the hostname and domain cannot exceed 64 characters.
    6. Select a data center location.
    7. Select a profile that meets the system requirements for virtual appliances.
      Important: Profiles from the Balanced local storage family are not supported.
    8. Select an SSH key if you have one. Otherwise, select None.
    9. Choose an uplink port speed under Public & Private network uplinks.
      You can choose to deploy either a public machine or a private machine.
      • Public machines have a public IP address and a private IP address, and they are accessible from the internet.
      • Private machines have only a private IP address, and can only be accessed within the same network, or through a routing solution of your own choosing.
    10. Select allow_all and allow_outbound for a private security group. If you are deploying a public machine, select allow_all and allow_outbound for a public security group too.
      In a QRadar deployment with multiple appliances, many ports must be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see Common ports and servers used by QRadar. Restrict ports that are not needed by using a firewall or other technology that allows you to restrict ports.
    11. Accept the third-party service agreements and click Create.
    The Devices screen loads. In a few minutes, a date appears in the Start Date field.
  5. After the instance has a Start Date, configure storage for the instance.
    1. Click Navigation Menu > Classic Infrastructure > Block Storage.
    2. In the Portable storage section, click Order Portable Storage.
    3. Select the same Region, Location, and Zone for your portable storage that your instance is in.
    4. Enter a description for your portable storage.
    5. Estimate your storage needs and enter a size for the second disk in GB.
      The minimum size is 250 GB. The added disk must be the second disk. It cannot be the third or greater disk.

      When the installation is complete, this disk contains the /store and /transient partitions.

      Warning: You cannot increase storage after installation.
    6. Accept the service agreement and click Create.
  6. Attach storage to your instance.
    1. Click Navigation Menu > Classic Infrastructure > Block Storage.
    2. In the Portable storage section, find the disk that you created and click Actions menu > Attach.
    3. Find the instance that you created and click Attach.
    4. Accept the warning that the virtual server will be shut off during disk attachment and click Attach.
    The second disk is added and the instance restarts. This process takes several minutes.
  7. Install the Console and set the admin password.
    1. When the instance is ready, log in by typing the following command:
      ssh root@<public_IP_address>

      If you are not using an SSH key, you are prompted to enter the root password. This password is provided in your instance details.

      If you deployed a private-only Console, you will not be able to SSH directly to the Console. You must first connect to a router that allows access to the Console.

    2. To install the Console, type the following command:
      sudo /root/setup_console
    3. Enter a password for the admin account. Set a strong password that meets the following criteria.
      • Contains at least 5 characters
      • Contains no spaces
      • Includes one or more of the following special characters: @, #, ^, and *.
    4. Become the root user by typing the following command:
      sudo -i
    5. Update the license file to address the issue described in APAR IJ30161 (https://www.ibm.com/support/pages/apar/IJ30161) by typing the following command:
      echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" | tee /opt/qradar/ecs/license.txt /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt /usr/eventgnosis/ecs/license.txt /opt/qradar/conf/templates/ecs_license.txt
      It takes approximately 5 minutes for the changes to complete.
    6. Restart your instance by typing the following command:
      reboot
    You can access your IBM QRadar SIEM Console by going to https://<public_IP_address> and logging in as the admin user.

    For a private-only Console, use the public IP address that is configured in your routing solution to access the Console.

    If you will be attaching any managed hosts to your Console that are not in the same network as the Console, you must configure a Network Address Translation (NAT) group.
    1. On the Admin tab, click System & License Management.
    2. Select your Console.
    3. On the Deployment Actions menu, click Edit Host.
    4. Select the Network Address Translation check box.
    5. Select or create a NAT group for the Console. Provide the routed public IP address for the Console and click Save.
    6. On the Admin tab, click Advanced > Deploy Full Configuration.
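The license update in step 7.5 writes the same string to six files with a single echo | tee, which carries on silently past a path whose directory does not exist yet and never confirms what landed on disk. The following script is an added example (not from the IBM page) that applies the same workaround with a directory check before writing and a byte-for-byte verification afterwards. The license string and the six file paths are exactly the ones the page gives; the function names and the "apply" argument are my own.

```shell
#!/bin/sh
# Added example (not from the IBM page): applies the APAR IJ30161 license
# workaround from step 7.5 with checks, instead of a bare echo | tee.
# The license string and file paths are the ones the page gives.

QRADAR_LICENSE='QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20'
QRADAR_LICENSE_FILES='/opt/qradar/ecs/license.txt
/opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt
/opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt
/opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt
/usr/eventgnosis/ecs/license.txt
/opt/qradar/conf/templates/ecs_license.txt'

# Return 0 only if every file given holds exactly LICENSE (a trailing newline
# is ignored, matching what the page's echo -n writes), 1 otherwise.
verify_license_files() {
    license="$1"; shift
    for f in "$@"; do
        if [ ! -r "$f" ] || [ "$(cat "$f")" != "$license" ]; then
            echo "license mismatch or unreadable file: $f" >&2
            return 1
        fi
    done
    return 0
}

# Write LICENSE to every path given. Refuses to touch anything if a parent
# directory is missing (a sign that setup_console has not finished), then
# verifies the result.
write_license_files() {
    license="$1"; shift
    for f in "$@"; do
        if [ ! -d "$(dirname "$f")" ]; then
            echo "missing directory for $f; has setup_console finished?" >&2
            return 1
        fi
    done
    for f in "$@"; do
        printf '%s' "$license" > "$f" || return 1
    done
    verify_license_files "$license" "$@"
}

# Usage on the Console, as root:  sh update_license.sh apply
# Run without the argument the script only defines the functions.
# The unquoted expansion below is intentional: the newline-separated list
# splits into the six paths.
if [ "${1:-}" = "apply" ]; then
    write_license_files "$QRADAR_LICENSE" $QRADAR_LICENSE_FILES && echo "license files updated"
fi
```

After the reboot in step 7.6 you can run verify_license_files "$QRADAR_LICENSE" $QRADAR_LICENSE_FILES again to confirm the files were not rewritten by the restart.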

What to do next

If you removed any DNS entries in /etc/resolv.conf, restore them.

The QRadar instance uses Coordinated Universal Time (UTC). You can change the time zone of the instance. For more information about changing the time zone, see Configuring system time.

This image does not receive automatic software upgrades. You must manually upgrade your system to keep it up to date. To receive QRadar upgrade notifications, see: Receiving QRadar update notifications