IBM QRadar Community Edition is a free version of QRadar that is based off of IBM core enterprise SIEM. Users, students, security professionals, and app developers are encouraged to download QRadar Community Edition to learn and become familiar with QRadar.
This version (7.3.1) is limited to 50 events per second and 5,000 network flows a minute, supports apps, but is based on a smaller footprint for non-enterprise use.
As the official documentation is very optimistic and short-spoken, moreover the install script is a bit outdated, the installation of this product is not as straight forward as it should.
As I mentioned in my previous article a real SIEM solution may need a lot of resources. QRadar needs huge amount of hardware resources for sure. Even if the CE version needs significant less, it would certainly not run on an RPI. Not even on an weak/old desktop.
If you want to use QRadar in a real environment, you may need much more planning, definietly more reading, and significant Linux administration experience!
- CentOS / RedHat 7.5
- 6Gb of RAM
+ 8Gb swap according to the install guide. However 6Gb seems fine in practice.
- 2 CPU Cores
- 80 Gb disk space
The install guide say 130Gb, however the setup checkig for 80Gb.
And thes are the very minimum. That means you will need this even for a test installation. If you start using it it will surely need much more RAM, more CPU, and a lot more disk space too.
It is wise to install it in a Virtual Machine. In this case you can easily go back to a safe state by using snapshots, and easy to move your appliance to another hardware.
No, a container (like docker) is not suitable for QRadar CE deployment.
Virtual Machine preparation
I’m not going into more details in this article, because there are a lot of choice of virtualization technologies, and several use case you can chose from.
IBM prepared a Vargant file – which may help to prepare a VirtualBox environment.
I prefer VMware, so I have used VMware Workstation, and ESXi servers for this project. To make it compatible with both product, you need to create a custom VM, with 14.x hardware compatibility.
You really need to provide those minimum system requirements to this VM, and a virtual CD drive, and an internet connected network connection too. I’m highly suggest to remove any other virtual hardware components, as you will surely not need them, and they may causing trouble later.
Base OS Installation
- In case of a test installation, you may start with a new, minimal CentOS 7 installation, using the default options. Don’t poke with the custom partitioning at this time, unless you really know what you do.
Beware that sometimes the professionals making silly mistakes too. Like Jose Bravo did with the swap sizes ;) Do not follow him about this.
- You will only need the root user, don’t bother with “normal” user creation. Because of this, I will assume every command in this example executed with root privileges.
- After the minimal install, you should update your system:
# yum update
After this, you will end up with CentOS 7.6, no matter which install image you started with. Officially only the 7.5 version is supported, but technically it will works with a simple hack. I have choose to continue this way.
If you want to hold back on 7.5, then skip this step, and go your own way, by enabling only the C7.5.1804 reositories (hint: CentOS-Vault.repo)
- Then install the vmware-tools:
# yum install open-vm-tools
This step is optional, and only makes sense in case of VMware.
- Stop your VM, and create a snapshot at this point. It will save you a lot of time, in case if you need to start over!
QRadar CE Installation
I’m highly suggest to set a static IP and provide an FQDN before you start the QRadar CE installation. If you haven’t prepared these during the CentOS install, do it now. These settings gonna be set in stone after you have installed QRadar.
The install script will fail without these hacks:
- As QRadar installer checks for a hard-coded OS version, and the CentOS 7.6 are come out later than the QRadar CE iso has built, so you need to fake it.
# sed -i 's/7\.6\.1810/7\.5\.1804/' /etc/redhat-release && cat /etc/redhat-release
Skip this step if you have holding back your system on version 7.5
- As QRadar is a complex set of services, and it will not work if SELINUX enabled.
# sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config && cat /etc/selinux/config
- The install script may fail if finds an IPV6 address, so you’re better off disable it:
# echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
- As both of the customization above would need a reboot to take effect, reboot now:
- Attach the QRadar CE iso image to your VM, then mount it:
# mount /dev/cdrom /media/
- Than start the install script:
# cd /media/ # ./setup
The setup will install a LOT of additional packages. Hope the best, and take a break. It will takes some time…
- If the install process finished successfully, then you need to reset the admin password:
# /opt/qradar/support/changePasswd.sh -a
- Then restart the tomcat service:
# systemctl restart tomcat
- And finally power off your system:
- Then create a snapshot at this point, as you have a working QRadar CE Appliance :)
- boot up your appliance, and start using it.
Even if the OS itself will boot up very quickly, QRadar needs some time (few minutes) to start up. Be patient. The best indicator if you can access the QRadar Console via web browser:
https://<ip_address or FQDN>/console
(Yes, you will get a big fat warning because of the self signed certificate)
After a successful installation, your CentOS turned into a QRadar appliance! From this point, you should manage it accordingly!
If something went wrong
Then you probably end up with a broken system. It is not worth to try to continue from this stage, because you will very likely fail to do so. You are better off:
- Read the logs.
- Try to figure out what’s went wrong, and fix it.
- Make sure you have set up your VM properly.
- Read and/or ask in forums.
- Restart from a previous snapshot/clone.
As I’m currently working for IBM, please read my disclaimer.