After downloading the SysFlow installation package, use an SSH client to complete the
installation.
About this task
SysFlow is installed by a Kubernetes operator, which uses custom resources to manage the
SysFlow agent and associated components.
The installation deploys the operator pod first and then applies the custom resources. After the
custom resources are created, the operator automatically deploys SysFlow agent pods to all worker
nodes in the cluster. During the installation process, the Kubernetes cluster downloads container
images from the Internet.
Procedure
- Use an SSH client to log in to the master node of your Kubernetes cluster.
- Create and switch to the namespace for SysFlow deployment.
kubectl create namespace sysflow
kubectl config set-context --current --namespace=sysflow
- Extract the SysFlow installation package.
- Go to the root folder sf-operator of the extracted installation
package, and then go to the /scripts/run directory.
- Deploy the operator on your QRadar Console.
- Run the following command.
./applyCR.sh <syslog_host> <syslog_port> [tcp|udp|tls]
Table 1. Description of the applyCR.sh file format
| File format part | Description |
| --- | --- |
| syslog_host | The IP address of the QRadar Console. |
| syslog_port | The port number configured for the designated log source. |
| tcp\|udp\|tls | SysFlow 1.0.0 supports UDP, TCP, and TLS. |
Note: The following example command connects to a QRadar Console at 9.30.255.39 on port 5143
using the TLS protocol.
./applyCR.sh 9.30.255.39 5143 tls
- Optional: To remove currently deployed container objects, you can run a
clean-up script.
- Apply custom resources in your OpenShift or Kubernetes cluster. After applying the custom
resources, the operator will automatically deploy SysFlow agent pods to all worker nodes in the
cluster.
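A pre-flight check for the applyCR.sh arguments described in Table 1, as an added example that is not part of the SysFlow installation package. The function names and exit codes are assumptions; the check accepts IPv4 addresses only, requires the protocol to be given explicitly, and flags tcp and udp because syslog over those transports is not encrypted.

```shell
#!/bin/sh
# Added example, not part of the SysFlow package. Function names are hypothetical;
# only applyCR.sh and its <syslog_host> <syslog_port> [tcp|udp|tls] order come from the page.

# Succeed if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split on dots; input is digits and dots only, so no globbing
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Succeed if $1 is a decimal port number in 1-65535.
valid_port() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0: valid and TLS; 3: valid but cleartext transport; 2: invalid.
# Assumption: the protocol must be given explicitly (the page states no default).
check_applycr_args() {
  host=${1:-} port=${2:-} proto=${3:-}
  valid_ipv4 "$host" || { echo "invalid syslog_host: '$host'" >&2; return 2; }
  valid_port "$port" || { echo "invalid syslog_port: '$port'" >&2; return 2; }
  case $proto in
    tls) return 0 ;;
    tcp|udp)
      echo "warning: $proto carries SysFlow events to $host:$port unencrypted" >&2
      return 3 ;;
    *) echo "protocol must be tcp, udp, or tls: '$proto'" >&2; return 2 ;;
  esac
}

# Stand-alone use: ./preflight.sh 9.30.255.39 5143 tls && ./applyCR.sh 9.30.255.39 5143 tls
if [ "$#" -gt 0 ]; then
  check_applycr_args "$@"
fi
```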