Installing QRadar – A SIEM from IBM


In this segment we are going to talk about installing QRadar. Listen up folks. This is a super awesome tool. The longer I work with this tool the more I love it. It’s great for logging what’s going on in your environment. It’s great for custom reports. It can be used to send alerts. It has User Behavior Analytics built in to help you understand your environment. And I absolutely love using Ariel, a query language with built-in, time-specific additions that feel natural and are (relatively) easy to use.

Let’s dive into where it can be found and run through a basic setup. We will talk about logging and reporting in a separate article.

We will need to obtain a CentOS ISO and the QRadar ISO. As of the date of this publication QRadar 7.3.1 is available, and I will be using CentOS 7.6.1810 as the minimum. Aside: the documentation states you can use Red Hat as well. I will work through this using VMware. I would place the CentOS and QRadar ISOs in a repository for easy reference and installation. We can visit the site to get them.

You will be asked to create an account to download the ISO. You should be able to find a PDF which describes the setup as well.

Bare minimum for install

CentOS
110 GB of disk (130 or higher recommended)
Minimum 2 CPUs (more, 6 to 8, if using Ariel and X-Force)
6 GB of memory

The installer requires 6 GB of memory and will check for it.

Go ahead and spin up a VMware instance with CentOS.

yum install deltarpm
yum install bind-utils   # provides nslookup
yum install NetworkManager-tui
nmtui   # configure the network interface

---- [ install ] ----

Edit /etc/selinux/config to disable SELinux, or the system will do it at reboot.
sestatus will tell us what’s up.

cd /tmp
# download the QRadar ISO into /tmp
sudo mkdir /media/cdrom
sudo mount -o loop /tmp/QRadarCE7_3_1.GA.iso /media/cdrom
su -
cd /media/cdrom
./setup
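Before running ./setup, it is handy to confirm the box actually meets the minimums listed above and that SELinux is already off, so the installer does not bounce you into a reboot halfway through. The following pre-flight script is an added example written for this article, not something shipped with QRadar; the function names and the --run flag are my own, and the live readings assume GNU free, df and nproc on a CentOS host.

```shell
#!/bin/sh
# Pre-flight check for the minimums this page lists for QRadar CE:
# 110 GB disk, 2 CPUs, 6 GB RAM, SELinux disabled. Constructed example.
MIN_DISK_GB=110
MIN_CPUS=2
MIN_MEM_GB=6

# Threshold checks take the observed value as $1 and return 0 when it
# meets the minimum, so they can be exercised without touching the host.
check_disk() { [ "$1" -ge "$MIN_DISK_GB" ]; }
check_cpus() { [ "$1" -ge "$MIN_CPUS" ]; }
check_mem()  { [ "$1" -ge "$MIN_MEM_GB" ]; }

# Accepts either the output of `sestatus` or the text of /etc/selinux/config
# and succeeds only when SELinux is already disabled.
selinux_disabled() {
    printf '%s\n' "$1" | grep -Eq '^(SELinux status:[[:space:]]+disabled|SELINUX=disabled)$'
}

# Rewrite the SELINUX= line in a config file (default /etc/selinux/config)
# to disabled. Takes effect at the next reboot.
disable_selinux_config() {
    sed -i 's/^SELINUX=.*/SELINUX=disabled/' "${1:-/etc/selinux/config}"
}

# Live readings from a Linux host. `free -g` rounds down, so a host with
# exactly 6 GB may report 5; re-check with `free -m` if the memory check trips.
host_cpus()    { nproc; }
host_mem_gb()  { free -g | awk '/^Mem:/ {print $2}'; }
host_disk_gb() { df -BG --output=avail "${1:-/}" | tail -n 1 | tr -dc '0-9'; }

# Print a report for the host and return nonzero if any minimum is missed.
preflight() {
    rc=0
    for name in disk cpus mem; do
        case $name in
            disk) val=$(host_disk_gb "$1");; cpus) val=$(host_cpus);; mem) val=$(host_mem_gb);;
        esac
        if "check_$name" "$val"; then echo "ok   $name=$val"; else echo "LOW  $name=$val"; rc=1; fi
    done
    if selinux_disabled "$(sestatus 2>/dev/null)"; then echo "ok   selinux disabled"; else echo "WARN selinux not disabled"; rc=1; fi
    return $rc
}

# Run the live checks only when invoked as: sh preflight.sh --run [mount-point]
if [ "${1:-}" = "--run" ]; then preflight "${2:-/}"; fi
```

Point the mount-point argument at whichever filesystem will hold the QRadar install so the disk check measures the right volume.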

