IBM Support

QRadar: Installation screen reference

How To


Summary

This article provides screen captures of the installation and initial configuration of QRadar.

Objective

The purpose of this article is to provide a visual reference for admins performing the initial installation and configuration of a QRadar® appliance. Reviewing the IBM QRadar Installation Guide is a prerequisite to installing QRadar, and the guide can be used as a reference for any issues during the installation process.
Important: This screen reference is designed to serve as a visual aid only. Some details are included to help clarify the status of the installation at various stages of the process.

Environment

The following images were captured during the installation of QRadar® 7.5.0 GA from a mounted ISO file in a VMware® environment. The same steps apply to other QRadar versions. Some differences, such as network interface names, might be seen when installing QRadar in other environments.
This article covers the complete installation of QRadar, which includes Red Hat Enterprise Linux, from the QRadar ISO file. This type of installation is known as an Appliance Installation.
There is no manual partitioning or manual installation of Red Hat presented in this article. QRadar installations in cloud-based platforms (IBM Cloud, AWS, Azure, and so on) are also not represented here. Refer to the following resources for software and cloud installations:

QRadar Software Installations
IMPORTANT: It is not recommended to install QRadar with an ISO mounted remotely through an IMM/iDRAC/XCC/VMRC. Depending on bandwidth, copying files from a remotely mounted ISO can significantly increase the time it takes to install QRadar. It is recommended to install locally by using a bootable USB flash drive. Refer to the QRadar Installation Guide for further details.

Steps

Initial Installation

  1. When the system boots from the mounted installation ISO, you see a list of options. The first option initiates a normal installation. The Red Hat Enterprise Linux (RHEL) operating system is installed first. A temporary environment is created in this phase to facilitate the installation of RHEL and QRadar:

    1 rhel install grub
     
  2. A message appears prompting you to press the ENTER key. If you do not press it, the installation still starts automatically:

    2 rhel install begin
     
  3. The setup of the installation environment continues in a tmux terminal, marked by the appearance of a navigation menu. This terminal uses multiple sessions and can be used to navigate to the shell and view log output if needed:

    3 rhel install starting
     
  4. Various system checks occur at this stage. The setup of the installation environment, including some disk provisioning and rpm package installation, takes place:

    4 rhel inst pkg
     
  5. A number of packages are installed:

    5 rhel inst pkg
     
  6. When you see "Running post-installation scripts", the system is taking a full copy of the mounted ISO and saving it to /mnt/sysimage/730/product.iso. This process could take several minutes since QRadar ISO files are several gigabytes in size.

    6 post rhel inst
  7. When the ISO file is fully copied to the local disk, the system completes this phase and reboots. From here the QRadar installation continues by using the locally copied product.iso file, so the mounted ISO file is no longer needed. The system boots from the local disk, which begins with this grub menu. No action is needed. The proper menu selection is made after a short timer expires:

    9 first reboot
  8. Similar to the initial setup of the installation environment, various checks are done after the first reboot. It is here that the QRadar disk partitions and volumes are configured:

    10 setup install
     
  9. A number of RPM packages are installed:

    11 pkg install
     
  10. The installer runs post-installation scripts now that the permanent QRadar RHEL environment is installed. There is no copying of files from a mounted ISO or USB media, so it is not expected to hang here for long:

    12 post inst script
  11. After the post-installation scripts complete, another reboot takes place. You can allow the grub timer to expire and automatically select the first option in the menu:

    13 2nd reboot
     
  12. After the first grub page, you see another list of boot options. When the timer runs out, the first option is selected here as well:

    14 2nd grub
     
  13. Several more RPMs are installed:

    15 more rpm inst
     
  14. The RPMs are installed from the local repository, which comes from the product.iso. No external repositories are expected to be configured on any QRadar system:

    16 more rpms
     
  15. After RPM installation and checks complete, the installer configures and populates the PostgreSQL database:

    17 post rpm db setup
     
  16. It takes several minutes to apply database updates:

    18 db setup
     
  17. Some services start while the database is being set up. The installation takes several minutes at this stage and could appear to hang. Allow the process to continue:

    19 db setup will hang here
     
  18. After the database is set up and various services start, you get a login prompt. The RHEL OS and QRadar installations are complete and the configuration phase comes next. Type "root" and press Enter to continue with setting up the appliance:

    20 ready to config
     
  19. You now see the license agreement. Scroll to the end to accept or decline the agreement:

    21 eula
     
  20. After you accept the license agreement, you are presented with appliance configuration options. The wizard takes you through configuration of the appliance type, hostname, location, and network details. See the Initial Configuration section of this article for more details:

    22 choose type

Initial Configuration

After the initial installation phase, you configure the appliance type, hostname, location, and network details. See the sections relevant to your installation.
 

Appliance and Software installs

  1. The wizard is virtually the same for both Appliance Install and Software Install options. The following set of images is taken from an appliance installation, though you can expect the same screens for software installs.

    Select Appliance Install and either press the Enter key or use the Tab key to highlight Next and press the Enter key to get to the next screen of the wizard:

    22 choose type
     
  2. You are presented with a list of appliance options. The available choices are populated according to the host's total CPU, RAM, and disk size. If the host doesn't meet system requirements for a particular appliance, that appliance type is not listed as an option. See the following documentation for more details:

    System requirements for virtual appliances
    Prerequisites for installing QRadar on your hardware

    choose appliance
     
  3. Choose either a normal setup or HA recovery setup. See the HA Recovery section of this article for more details on that procedure. In this example the Normal Setup (default) option is selected:

    norm or recovery
     
  4. Enter the current date and time. You can also enter NTP server details (optional), which are only used on QRadar console hosts. A managed host receives time updates from the QRadar console after it is added to the deployment:

    time
     
  5. Select the continent appropriate to the time zone:

    continent
     
  6. Choose the appropriate city or region for the time zone:

    timezone
     
  7. Choose ipv4 or ipv6. NIC bonding options are also presented here. See the separate IPv6 and NIC Bonding sections in this article for more details on those options. In this example ipv4 is selected with no bonding:

    ip setup
     
  8. Choose the interface you want to act as the management interface:

    management int
     
  9. Enter the valid network details for the appliance, including a fully qualified domain name in the Hostname field. Do not populate the Public IP field unless QRadar NAT Groups are needed:

    net config

    See the Post Network Configuration section of this article for next steps.
     

High Availability Appliance

  1. Use the arrow key and the space bar to select High Availability Appliance. This appliance type is reserved for setting up a high availability secondary host. See the High Availability guide and FAQ for more details:

    IBM QRadar 7.5.0 High Availability Guide
    QRadar: High Availability FAQ

    ha appliance
     
  2. HA Appliance (All Models) 500 is the only option:

    1 500
     
  3. Choose the appropriate definition for the HA secondary host:

    2 con or no
     
  4. Choose either a normal setup or HA recovery setup. In this example, the Normal Setup (default) option is chosen. See the HA Recovery section of this article for more details on that procedure:

    norm or recov
     
  5. Enter the current date and time. An HA secondary host does not need an NTP server configured; it gets time updates from the primary host or the console when added to the QRadar environment:

    time
     
  6. Select the continent appropriate to the time zone:

    continent
     
  7. Choose the appropriate city or region for the time zone:

    timezone
     
  8. Choose ipv4 or ipv6. NIC bonding options are also presented here. See the separate IPv6 and NIC Bonding sections in this article for more details. In this example ipv4 is selected with no bonding:

    ip
     
  9. Choose the interface you want to act as the management interface. In HA setups, the interface used for the secondary host's management interface must be the same interface name configured on the primary:

    interface
     
  10. Enter the valid network details for the appliance, including a fully qualified domain name in the Hostname field. Do not populate the Public IP field. The host name is automatically updated when the secondary is attached to the primary, so there is no need to specify in the host name that it is the secondary:

    net config

    See the Post Network Configuration section of this article for next steps.
     

App Host Appliance

  1. Use the arrow key and the space bar to select App Host Appliance:

    appliance select
     
  2. App Host 4000 is the only option:

    apphost
     
  3. Choose either a normal setup or HA recovery setup. In this example, the Normal Setup (default) option is chosen. See the HA Recovery section of this article for more details on that procedure:

    norm or recov
     
  4. Select the continent appropriate to the time zone:

    continent
     
  5. Choose the appropriate city or region for the time zone:

    timezone
     
  6. Choose ipv4 or ipv6. NIC bonding options are also presented here. See the separate IPv6 and NIC Bonding sections of this article for more details. In this example ipv4 is selected with no bonding:

    ip
     
  7. Choose the interface you want to act as the management interface:

    interface
     
  8. Enter the valid network details for the appliance, including a fully qualified domain name in the Hostname field. Do not populate the Public IP field:

    network config

    See the Post Network Configuration section of this article for next steps.
     

Data Gateway Appliance

  1. Use the arrow key and the space bar to select Data Gateway Appliance:

    dg appliance
     
  2. Event Collector Gateway 7000 is the only option:

    dg 7k
     
  3. As of QRadar 7.5.0, high availability is not supported for Data Gateway appliances, so there is no scenario where HA recovery is needed. Ensure Normal Setup (default) is selected:

    norm or recover
     
  4. Select the continent appropriate to the time zone:

    continent
     
  5. Choose the appropriate city or region for the time zone:

    timezone
     
  6. Choose ipv4 or ipv6. NIC bonding options are also presented here. See the IPv6 and NIC Bonding sections of this article for more details. In this example ipv4 is selected with no bonding:

    ip
     
  7. Choose the interface you want to act as the management interface:

    interface
     
  8. Enter the valid network details for the appliance, including a fully qualified domain name in the Hostname field. Do not populate the Public IP field:

    network

    See the Post Network Configuration section of this article for next steps.
     

HA recovery

  1. The following are screens in the wizard unique to setting up an HA recovery host. These screens look the same regardless of the appliance type chosen. For screen captures of the other steps in the wizard, see the section in this article associated with the selected appliance.

    Following selection of the appliance type, select the HA Recovery Setup option:

    1 norm or recovery
     
  2. After you go through the time zone and interface configuration screens, you are prompted to enter the HA virtual IP address:

    2 VIP

    The Network Information Setup section of the wizard follows. See image 9 in the Appliance and Software Installs section for an example.
     

NIC bonding

  1. The following are screens in the wizard unique to setting up NIC bonding. These screens look the same regardless of the appliance type chosen. For screen captures of the other steps in the wizard, see the section in this article associated with the selected appliance.

    Following selection of the appliance type and configuring time zone details, select Yes under Choose interface configuration mode:

    1 bond
     
  2. Use the arrow key and space bar to select 2 or more interfaces intended to act as the bonded interface. The Bonding options field is configured according to your organization's network configuration:

    2 bond config

    For more information about NIC bonding, see QRadar: Network Bonding options in QRadar.

IPv6

  1. The following are screens in the wizard unique to setting up IPv6. These screens look the same regardless of the appliance type chosen. For screen captures of the other steps in the wizard, see the section in this article associated with the selected appliance.

    For IPv6 configurations, use the arrow key and space bar to select ipv6. Select either manual or auto, which depends on your organization's network configuration. If auto is selected, a static IP address with a CIDR range is generated with the Neighbor Discovery Protocol:

    1 ipv6
     
  2. If manual is selected, you are presented with the following fields. You must use a static IP address with a CIDR range:

    2 ipv6 manual
     

Post Network Configuration

  1. After network information is submitted, you see this message indicating validation is underway:

    1 post config
     
  2. If it's a console installation, you are prompted to enter a new admin password for access to the QRadar web interface:

    2 New admin
     
  3. You are prompted to enter a new root password for the host:

    3 new root
     
  4. The installer continues applying the configuration:

    4 post password
     
  5. When you see "Applying template Enterprise", expect this stage to take several minutes:

    5 post pass will hang
     
  6. This screen marks the end of the installation and configuration of the appliance. It is now ready for use:

    6 end
     
 

Document Location

Worldwide


Document Information

Modified date:
14 December 2022

UID

ibm16833570