V0.1a - pfh - 2017/11/26
QRadar CE download site: https://developer.ibm.com/qradar/ce/
Jose Bravo's Video tutorials:
CentOS install: https://www.youtube.com/watch?v=FLMPFH9HgRM
QRadar CE install: https://www.youtube.com/watch?v=i-qA3-b6_ME
QRadar support forum: https://developer.ibm.com/answers/topics/qradarce/
Installing QRadar 7.3.0 on AWS: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/com.ibm.qradar.doc/t_Cloud_Install_Qradar_AWS.html
Log into AWS Console and Click on 'Launch Instance'
Select the 'AWS Marketplace'
In the search bar, type 'centos 7 minimal' and hit Enter
Select the 'CentOS 7 (x86_64) - with updates HVM' AMI
Review the information and select 'Continue'
Select 't2.large' as the Instance Type (this is not free tier eligible)
[I would not recommend anything smaller than a t2.large - but feel free to play]
Select 'Next: Configure Instance Details'
Choose all default values EXCEPT 'Auto-assign Public IP' which must be changed to 'Disable'
[You may be able to play with these options, but make sure that the Public IP is not Auto Assigned]
Select 'Next: Add Storage'
Change the 'Root' volume to 80Gb of General Purpose SSD (GP2), check 'Delete on Termination'
Select 'Add New Volume'
Set the 'EBS' volume /dev/sdb to 100Gb of General Purpose SSD (GP2), check 'Delete on Termination'
[If you want to change these values, don't go any lower.
/dev/sda MUST be at least 78Gb or QRadar will not install.
Using 100Gb for /dev/sdb will leave about 30Gb for the Ariel /store partition on /dev/sdb.
To get more event storage space, it's the /dev/sdb you need to make larger.
You MUST have at least 2 disks]
Select 'Next: Add Tags'
(You can add tags here if you like - I didn't bother)
Select 'Next: Configure Security Group'
Set the name to 'SecGrp - qradarCEaws', add a sensible description. Configure the Rules as shown below:
[Again, you may well wish to setup your Security Group differently - this is what I need for my testing, where all my logs are being replayed from my home machine]
Select 'Review and Launch'
Review the information and select 'Launch'
Create a new Key pair and download them
Save the PEM file on your machine. Follow the AWS guidance for conversion and usage. If using PuTTY on Windows, you'll need to convert it with PuTTYgen to a PPK file.
Select 'Launch Instances'
After this screen spins for a while
Scroll to the bottom and select 'View Instances'
Observe the instance with no Name and no Public DNS (IPv4)
Set a name - e.g. 'qrceaws'
Select 'NETWORK & SECURITY' - 'Elastic IPs' From the left of the screen
Select 'Allocate new address'
Select the new Elastic IP
Select 'Actions' - 'Associate address'
Select the Instance and Private IP to use
Select 'INSTANCES' - 'Instances' from the left
Observe our Instance now has an IP address
Select the Instance
Copy the Public DNS (IPv4) - bottom right - to the clipboard
At this point, you can SSH to the EC2 instance using the keypair saved and the DNS name copied. The userid is 'centos'
I choose to have a small Ubuntu image up on AWS which is storing the ISO and other files, so I don't need to load them up to AWS the whole time. To copy the files across I do the following:
On the centos (QRadarCE) system, find the IP address
Then update the Security Group protecting the Ubuntu system to allow SSH from the IP address returned
Create an SSH keypair
Accept all the defaults, then get the contents of .ssh/id_rsa.pub an stick them into .ssh/authorized_keys on the Ubuntu box
Use SCP to get the files into /tmp on the centos box with something like:
Check the ISO isn't broken
Extract and run the helper - this will reboot the machine
When the system has rebooted, connect to it again and continue
We need to put the CentOS repos back into yum, otherwise QRadar installation will fail
Check all is OK by installing 'screen'
(if you forget this, then the 'setup' script will do it anyway - but it's a good test to check the repos are there and working)
Mount the ISO
Run the setup command
Read and accept the License Agreement
About to install QRadar Community Edition version 220.127.116.1171013140512
Do you wish to continue (Y/[N])?
'Y' and Enter
Installation will scroll past (with some errors visible) for approx. 15 minutes
The next few screens have a 'quirky' user interface. The TAB key is the one to use if in doubt.
Choose 'normal' and Next
Enter an NTP server (strongly recommended) and Next
IMPORTANT ... DO NOT LEAVE THIS ON 'UTC' - it will fail later.
Choose 'GMT' and Next. You _may_ select a real timezone, but that might fail too. There is a post about this on the developerworks forum.
Keep pressing TAB until you get to Next
You do not _need_ to do this here, but (a) it's good practice and (b) if you don't, you'll be forced to change your password on first logon to the GUI.
Enter the password twice and Next
It looks like the same screen is presented again - it isn't. The first one (Admin) is the 'admin' user for logging into the GUI. The second (Root) one is for the system's 'root' user. The Root one defaults to being the same as the admin one, but you can make it different if you like.
This will start installing more stuff - for about 30 minutes, then the system will reboot itself:
To log into the GUI, you'll build the URL like:
https://ec2-35-177-57-157.eu-west-2.compute.amazonaws.com/console, where the bit in the middle is specific to your Elastic IP. You'll need to accept the self-signed certificate.
If you see this:
Then go grab a coffee until it looks like:
Log in with username 'admin' and the password setup above.
As we are running QRadar in an environment it isn't really designed for (I'm assuming you are not going to leave this running 24 x 7 x 365), we can help it out by configuring a few things
Also, some of the defaults are, IMHO, sub-optimal.
Update the default retention bucket so we don't kill ourselves with our tiny disk
'Admin' tab -> 'Data Sources' -> 'Events' -> 'Event Retention'
Select the 'DEFAULT' line and 'Edit'
Update as below and Save
And 'Save' again - then 'Close'
(If you like, do the same for Flows - but we aren't actually setting up flows - so that won't matter)
'Admin' tab -> 'System Configuration' -> 'Auto Update'
Set 'Frequency' to 'Disabled'
Save and close the window
'Admin' tab -> 'System Configuration' -> 'System Settings'
Change to 'Advanced' view
Under 'System Settings' Change 'Coalescing Events' to No
Disable GUI timeouts
Also in System Settings, under 'Authentication Settings' - set the 'Inactivity Timeout' to 0
While we are in 'System Settings' Consider
· Setting up SNMP
· Including headers in CSV exports
· Enabling X-Force Threat Intelligence Feed
Save and close the window
When you see the yellow flash - Deploy Changes
Disable scheduled reports
Select the 'Reports' TAB
Select all reports which are not 'Manual'
Actions -> Toggle Scheduling
Add a test 'linux' log source and test replayed events to it
'Admin' tab -> 'Data Sources' -> 'Events' -> 'Log Sources'
Save, Close Window and Deploy Changes
Now, go to the 'Log Activity' tab:
Check you can see events going past (i.e. things are working)
Then 'Add Filter'
Set as below:
Click 'Add Filter'
The events should stop.
Reselect 'Real Time Streaming' to clear the view
Now, log into the QRadar console via SSH
Observe the event on the Log Activity
Or do the same using CygWin on the Windows machine: