Installing the SysFlow agent with OpenShift

With the OpenShift cluster web console, you can install SysFlow through the IBM Operator Catalog.

Before you begin

About this task

The installation is driven by an OpenShift operator, which uses custom resources to manage the SysFlow agent and its associated components.

The installation deploys the operator pod first and then applies the custom resources. After the custom resources are created, the operator automatically deploys SysFlow agent pods to all worker nodes in the cluster. During the installation process, the OpenShift cluster downloads container images from the Internet.

Procedure

  1. Create the CatalogSource for the IBM Operator Catalog. The IBM Operator Catalog is a catalog of product offerings that can be accessed on Red Hat OpenShift 4.X. To enable the catalog, apply a YAML file (for example, catalog_source.yaml) to the OpenShift cluster.
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-operator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: IBM Operator Catalog
      publisher: IBM
      sourceType: grpc
      image: docker.io/ibmcom/ibm-operator-catalog
      updateStrategy:
        registryPoll:
          interval: 45m
    
  2. Run the following command.
    $ oc apply -f catalog_source.yaml -n openshift-marketplace
  3. On the OpenShift cluster web console, click Operators > OperatorHub from the navigation menu on the left side of the page, and then select IBM Operator Catalog in Filtering.
  4. Open the SysFlow Operator instance, and then click Install.
  5. Specify the namespace, and then click Subscribe to proceed. To view the installation progress, click Operators > Installed Operators from the navigation menu on the left side of the page.
  6. When the installation is complete:
    1. Click Operators > Installed Operators from the navigation menu on the left side of the page.
    2. Click SysFlow Operator, and then click YAML View to customize your QRadar connection. Refer to the following table for the key-value pair definitions.
      Table 1. Description of the SysFlowAgent YAML
      File format part   Description
      syslogHost         The IP address of the QRadar Console.
      syslogPort         The port number configured for the designated log source.
      syslogProto        SysFlow V1.0.0 supports UDP, TCP, and TLS. The corresponding values are tcp | udp | tls
    3. After you customize the YAML, the process takes several minutes to complete, and then the SysFlow agents run on all the cluster worker nodes.
  7. To view SysFlow agent deployment status:
    1. Click Operators > Installed Operators from the navigation menu on the left side of the page.
    2. Click SysFlow Agent in the Provided APIs column.
    3. Click Resources.
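
A command-line counterpart to step 7, added here as an example and not part of the original documentation: it lists worker nodes that have no Running SysFlow agent pod, which is where telemetry would be missing. The function names, the sample data, and the SELECTOR argument are assumptions; pass the label that the agent pods in your cluster actually carry.

```shell
#!/bin/sh
# Added example: find worker nodes without a Running SysFlow agent pod.

# missing_agent_nodes WORKERS PODS
#   WORKERS: one worker node name per line
#   PODS:    "<nodeName> <phase>" per line, one line per agent pod
# Prints the uncovered worker nodes (sorted); returns 1 if there are any.
missing_agent_nodes() {
  _missing=$(
    {
      # Tag each input so a single awk pass can compare the two sets.
      printf '%s\n' "$2" | awk '$2 == "Running" { print "P", $1 }'
      printf '%s\n' "$1" | awk 'NF { print "W", $1 }'
    } | awk '
      $1 == "P" { covered[$2] = 1 }
      $1 == "W" { workers[$2] = 1 }
      END { for (n in workers) if (!(n in covered)) print n }' | sort
  )
  if [ -z "$_missing" ]; then return 0; fi
  printf '%s\n' "$_missing"
  return 1
}

# check_cluster NAMESPACE SELECTOR: run the check against a live cluster.
# SELECTOR is an assumption; use the label your agent pods actually carry.
check_cluster() {
  _workers=$(oc get nodes -l node-role.kubernetes.io/worker -o name |
    sed 's|^node/||')
  _pods=$(oc get pods -n "$1" -l "$2" \
    -o jsonpath='{range .items[*]}{.spec.nodeName}{" "}{.status.phase}{"\n"}{end}')
  missing_agent_nodes "$_workers" "$_pods"
}

# Constructed sample data (not taken from a real cluster).
SAMPLE_WORKERS='worker-0
worker-1
worker-2'
SAMPLE_PODS='worker-0 Running
worker-1 Pending'

# Demo on the sample: prints worker-1 and worker-2.
missing_agent_nodes "$SAMPLE_WORKERS" "$SAMPLE_PODS" || true
```

On a cluster, call `check_cluster <namespace> <label-selector>` after the operator has had a few minutes to roll out the agents; a non-zero return means at least one worker node is not yet covered.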