Friday, January 13, 2017

Building an IBM QRadar Console in AWS (For version 7.2.7)

Special thanks to Naomi Rampersad for this entry.

Building an IBM QRadar Console in AWS
(For version 7.2.7)
1.    Configure a key pair on AWS.
2.    Create an Amazon EC2 instance that meets the following requirements:
Image = RHEL-6.7_HVM_Beta-20150430-x86_64-1-Hourly2-GP2, found under Community AMIs (check which account publishes a community image before you trust it)
Instance type = m4.2xlarge
Storage = Three disks:
1 x 250 GB volume (root)
2 x 200 GB volumes (data)
Security Group = Inbound from your own IP addresses only, with ports 22 (SSH) and 443 (HTTPS) open
Create an elastic IP
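As an added example that is not part of the original post, the step-2 requirements above expressed as aws CLI calls. The AMI is looked up by the name the post gives; the publishing account ID (123456789012), the device names (/dev/sda1, /dev/sdb, /dev/sdc), the key-pair name and the admin address 203.0.113.10 are placeholders and assumptions, not values from the post. Nothing is created unless the script is run with `--apply`.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the JSON the aws CLI
# wants for the three-volume layout and for a security group that admits
# SSH and HTTPS from listed CIDRs only, then (with --apply) creates the
# instance and attaches an elastic IP.

# 250 GB root plus two 200 GB data disks, as in the post. Device names are
# an assumption: on this image they appear inside as xvda, xvdb, xvdc.
block_device_mappings() {
    printf '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":250,"VolumeType":"gp2"}},'
    printf '{"DeviceName":"/dev/sdb","Ebs":{"VolumeSize":200,"VolumeType":"gp2"}},'
    printf '{"DeviceName":"/dev/sdc","Ebs":{"VolumeSize":200,"VolumeType":"gp2"}}]\n'
}

# Ingress rules for the listed TCP ports from the listed CIDRs only. Refuses
# the any-address ranges and addresses without a prefix length, so the
# console never ends up reachable from the whole internet by accident.
ingress_permissions() {
    cidrs=$1 ports=$2
    for c in $cidrs; do
        case "$c" in
            0.0.0.0/0|::/0) echo "refusing open-to-world range $c" >&2; return 1 ;;
            */*) ;;
            *) echo "$c has no prefix length (use /32 for one host)" >&2; return 1 ;;
        esac
    done
    out='['
    sep=''
    for p in $ports; do
        ranges=''
        rsep=''
        for c in $cidrs; do
            ranges="$ranges$rsep{\"CidrIp\":\"$c\"}"
            rsep=','
        done
        out="$out$sep{\"IpProtocol\":\"tcp\",\"FromPort\":$p,\"ToPort\":$p,\"IpRanges\":[$ranges]}"
        sep=','
    done
    printf '%s]\n' "$out"
}

if [ "${1:-}" = "--apply" ]; then
    AMI_NAME='RHEL-6.7_HVM_Beta-20150430-x86_64-1-Hourly2-GP2'
    AMI_OWNER=123456789012          # assumption: the account you verified publishes this AMI
    KEY_NAME=qradar-console         # assumption: the key pair from step 1
    ADMIN_CIDRS='203.0.113.10/32'   # assumption: your own address(es)
    # Pinning the owner keeps a look-alike community image from being picked.
    ami=$(aws ec2 describe-images --owners "$AMI_OWNER" \
            --filters "Name=name,Values=$AMI_NAME" \
            --query 'Images[0].ImageId' --output text)
    sg=$(aws ec2 create-security-group --group-name qradar-console \
            --description 'QRadar console: SSH and HTTPS from admin IPs only' \
            --query GroupId --output text)
    aws ec2 authorize-security-group-ingress --group-id "$sg" \
        --ip-permissions "$(ingress_permissions "$ADMIN_CIDRS" '22 443')"
    inst=$(aws ec2 run-instances --image-id "$ami" --instance-type m4.2xlarge \
            --key-name "$KEY_NAME" --security-group-ids "$sg" \
            --block-device-mappings "$(block_device_mappings)" \
            --query 'Instances[0].InstanceId' --output text)
    alloc=$(aws ec2 allocate-address --domain vpc --query AllocationId --output text)
    aws ec2 wait instance-running --instance-ids "$inst"
    aws ec2 associate-address --instance-id "$inst" --allocation-id "$alloc"
    echo "instance $inst, elastic IP allocation $alloc"
else
    block_device_mappings
    ingress_permissions '203.0.113.10/32' '22 443'
fi
```

Without `--apply` the script only prints the two JSON documents so they can be reviewed; the refusal of 0.0.0.0/0 is deliberate, because an instance whose SSH and HTTPS are open to the world is the usual way a cloud-hosted console gets found.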

The AWS instance key is required to log in to the instance with SSH.
XFS is not supported on the Red Hat Enterprise Linux (RHEL) v6.7 loads that are provided by AWS. Use ext4.
Important: High availability (HA) is not supported on AWS QRadar installations.

1.    To log in to the AWS instance by using the key pair that you created when you configured the instance, type the following command or use PuTTY. The key file must be readable only by you (mode 400); ssh refuses to use a key that other users can read.
ssh -i <your_key>.pem ec2-user@<public_IP_address>
2.    Enter the root shell of the AWS instance by using the following command:
sudo su -
3.    Determine the device that you want to configure:
Type the lsblk command to list device details.
# lsblk
xvda    202:0    0  250G  0 disk
└─xvda1 202:1    0  250G  0 part /
xvdb    202:16   0    200G  0 disk
xvdc    202:32   0    200G  0 disk 
Find the device that has no partitions and has the required storage.
After you find the block devices, export their names as environment variables for use in the subsequent steps. In this procedure, device_name is the disk that will hold swap, /var/log and /store/tmp (steps 5 to 7), and device_data is the disk that will hold /store and /store/transient. For the preceding example, you type the following commands:
export device_name=/dev/xvdc
export device_data=/dev/xvdb
4.    To create the partition type for the disk (label), type the following commands:
parted -a optimal --script ${device_name} -- mklabel gpt
parted -a optimal --script ${device_data} -- mklabel gpt
5.    To create these partitions on the device, type the following commands:
Note: The following allocations are examples.
parted -a optimal --script ${device_name} -- mkpart swap 0% 30%
parted -a optimal --script ${device_name} -- mkpart ext4 30% 60%
parted -a optimal --script ${device_name} -- mkpart ext4 60% 100%
parted -a optimal --script ${device_data} -- mkpart ext4 0% 80%
parted -a optimal --script ${device_data} -- mkpart ext4 80% 100%
6.    To create the following file systems on the partitioned device, type the following commands:
mkswap -L swap1 ${device_name}1
mkfs.ext4 ${device_name}2
mkfs.ext4 ${device_name}3
mkfs.ext4 ${device_data}1
mkfs.ext4 ${device_data}2
7.    Label the partitions with the following names:
e2label ${device_name}2 /var/log
e2label ${device_name}3 /store/tmp
e2label ${device_data}2 /store/transient
e2label ${device_data}1 /store
8.    In the /etc/fstab file, comment out any /dev/<device_name> /mnt or /dev/<device_data> /mnt line if it is present, so that the data disk is not also mounted on /mnt at boot.
9.    Type the following commands to add the required entries to /etc/fstab file:
eval `blkid -t LABEL=/store -o export` ; echo UUID=$UUID $LABEL $TYPE defaults,noatime 1 1 >> /etc/fstab
eval `blkid -t LABEL=/store/transient -o export` ; echo UUID=$UUID /store/transient $TYPE defaults,noatime 1 1 >> /etc/fstab
eval `blkid -t LABEL=/var/log -o export` ; echo UUID=$UUID $LABEL $TYPE defaults,noatime 1 1 >> /etc/fstab
eval `blkid -t LABEL=/store/tmp -o export` ; echo UUID=$UUID /store/tmp $TYPE defaults,noatime 1 1 >> /etc/fstab
echo "${device_name}1 swap swap defaults 0 0" >> /etc/fstab
10.    To create and mount the /store directory, type the following commands:
mkdir /store
mount /store
mkdir /store/tmp
mount /store/tmp
mkdir /store/transient
mount /store/transient
cd /var; mv log oldlog; mkdir log; mount /var/log; mv oldlog/* log
Note: /var/oldlog is on the root file system and /var/log is now a separate file system, so the mv copies the files. A process that already had a log file open (rsyslog, for example) keeps writing to the old copy until it is restarted.
11.    To enable the swap between devices, type the following command:
swapon -a
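As an added example that is not part of the original post, steps 3 to 11 as shell functions that can be checked before anything is written to /etc/fstab: finding the unused disks from lsblk output, turning a blkid export block into a UUID-based fstab line that refuses anything but ext4 (the XFS caveat above), and listing required mountpoints that are still missing. The sample inputs are constructed to mirror the post's layout, with one extra whole disk mounted on /mnt to show the step-8 case; the UUIDs are made up.

```shell
#!/bin/sh
# Added example, not code from the original post: the lsblk/blkid/fstab steps
# as functions. Constructed samples below; run with --live on the instance.

# Whole disks that have no partition and are not mounted, from the output of
# `lsblk -rno NAME,TYPE,MOUNTPOINT`. A partition name begins with its parent
# disk's name (xvdb -> xvdb1); that prefix is the only parent/child link the
# RHEL 6 lsblk offers, since it has no PKNAME column.
find_unpartitioned_disks() {
    printf '%s\n' "$1" | awk '
        $2 == "disk" && $3 == "" { disks[$1] = 1 }
        $2 == "part" { for (d in disks) if (index($1, d) == 1) used[d] = 1 }
        END { for (d in disks) if (!(d in used)) print d }
    ' | sort
}

# Only the filesystem the post allows on the AWS RHEL 6.7 image: XFS is not
# supported there, so anything but ext4 is rejected.
fs_type_supported() {
    [ "$1" = "ext4" ]
}

# The step-9 fstab entry from one device's `blkid -o export` output. Mounting
# by UUID rather than /dev/xvdX matters because EC2 can renumber block devices
# between reboots; fsck pass 2 is used because only root belongs in pass 1.
fstab_line_from_blkid() {
    blkid_out=$1 mountpoint=$2
    uuid=$(printf '%s\n' "$blkid_out" | sed -n 's/^UUID=//p')
    fstype=$(printf '%s\n' "$blkid_out" | sed -n 's/^TYPE=//p')
    [ -n "$uuid" ] || return 1
    fs_type_supported "$fstype" || return 1
    printf 'UUID=%s %s %s defaults,noatime 1 2\n' "$uuid" "$mountpoint" "$fstype"
}

# Step-10 mountpoints that are missing, or not ext4, in the given /proc/mounts
# text. One mountpoint per line; no output means all four are in place.
missing_mounts() {
    printf '%s\n' "$1" | awk -v req='/store /store/tmp /store/transient /var/log' '
        { seen[$2] = $3 }
        END {
            n = split(req, want, " ")
            for (i = 1; i <= n; i++) if (seen[want[i]] != "ext4") print want[i]
        }'
}

# Constructed samples (not real output): the post's lsblk layout plus xvdd
# already mounted whole on /mnt, which must be excluded.
SAMPLE_LSBLK='xvda disk
xvda1 part /
xvdb disk
xvdc disk
xvdd disk /mnt'

SAMPLE_BLKID_STORE='DEVNAME=/dev/xvdb1
UUID=1f2e3d4c-0000-4000-8000-000000000001
TYPE=ext4
LABEL=/store'

SAMPLE_BLKID_XFS='DEVNAME=/dev/xvdb2
UUID=1f2e3d4c-0000-4000-8000-000000000002
TYPE=xfs
LABEL=/store/transient'

SAMPLE_PROC_MOUNTS='/dev/xvda1 / ext4 rw,noatime 0 0
/dev/xvdb1 /store ext4 rw,noatime 0 0
/dev/xvdc2 /var/log ext4 rw,noatime 0 0
/dev/xvdb2 /store/transient xfs rw 0 0'

if [ "${1:-}" = "--live" ]; then
    # As root on the instance: candidate disks, fstab lines for the labelled
    # partitions, and any required mountpoint that is still missing.
    find_unpartitioned_disks "$(lsblk -rno NAME,TYPE,MOUNTPOINT)"
    for mp in /store /store/tmp /store/transient /var/log; do
        fstab_line_from_blkid "$(blkid -t LABEL="$mp" -o export)" "$mp" \
            || echo "no ext4 partition labelled $mp" >&2
    done
    missing_mounts "$(cat /proc/mounts)"
else
    find_unpartitioned_disks "$SAMPLE_LSBLK"            # xvdb, xvdc
    fstab_line_from_blkid "$SAMPLE_BLKID_STORE" /store
    fstab_line_from_blkid "$SAMPLE_BLKID_XFS" /store/transient \
        || echo "xfs partition refused, as intended" >&2
    missing_mounts "$SAMPLE_PROC_MOUNTS"                # /store/tmp, /store/transient
fi
```

The live mode only prints; the fstab lines still have to be appended by hand, which keeps a mislabelled or XFS-formatted partition from ever reaching /etc/fstab and leaving the console unbootable.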
12.    Confirm that the /etc/sysconfig/i18n line contains the following string, including the quotation marks:
13.    To copy the ISO image to the instance, type the following command or use WinSCP:
scp -i <your_key>.pem qradar.iso ec2-user@<Public_DNS>:qradar.iso
Important: Use SQ_SIEM_SWO7.2.7RHELML.iso image (Red Hat Linux version only)
14.    To mount the ISO image, type the following commands as root:
mkdir /media/cdrom
mount -o loop /home/ec2-user/qradar.iso /media/cdrom
15.    Configure missing dependencies by using the following commands:
yum install -y libxml2 libxml2.i686 audit-libs audit-libs.i686 glibc glibc.i686 \
    device-mapper-multipath zlib zlib.i686 libcom_err libcom_err.i686 \
    nspr nspr.i686 nss nss.i686 nss-util nss-util.i686 krb5-libs krb5-libs.i686 \
    keyutils-libs keyutils-libs.i686 openssl openssl.i686 \
    httpd-tools httpd-devel httpd mod_ssl keyutils keyutils.i686 \
    openldap openldap.i686 openldap-clients cyrus-sasl-lib cyrus-sasl-lib.i686 \
    pam pam.i686 libgcc libgcc.i686 elfutils-libelf elfutils-libelf.i686 \
    libstdc++ libstdc++.i686

yum remove php.x86_64 php-cli.x86_64 php-common.x86_64 php-devel.x86_64 php-imap.x86_64 \
    samba-common samba-winbind-clients samba-client samba-winbind \
    httpd httpd-tools mod_ssl

sed -i -e "s/plugins=1/plugins=0/" /etc/yum.conf
16.    To start the setup program, type the following command:
17.    Type Y when prompted to accept an installation on unsupported hardware.
18.    Follow the prompts and complete the QRadar installation wizard.

Restore a Configuration to the AWS Built IBM QRadar Console
(Use this when the new Console has a different IP address from the original.)
1.    Ensure the version and patch level is the same.
2.    Take an On Demand Backup on the original Console.
3.    Using SCP, copy the configuration backup file to /store/backupHost/inbound of the new Console.
4.    Ensure that the hostname of the AWS Console is the same as the original's; change it with qchange_netsetup if necessary.
5.    Log in to the AWS QRadar Console as an administrator.
6.    Click the Admin tab and select the Backup and Recovery icon.
7.    Select the configuration backup you copied to the Console and click Restore.
8.    From the restore options list, select the Select All Configuration Items check box.
9.    From the restore options list, select the Select All Data Items check box.
10.    Click Restore to start the configuration restore process.
11.    From the Admin tab, click the Deploy Changes icon.
12.    Verify that event or flow sources that were reporting to the original host are being processed in the QRadar user interface.


  1. Hi,
    Thanks for such a nice document.
    But I have a query. I was going through the 7.2.8 Qradar install guide and saw this pre-requisite for AWS EC2 instance. Do we need to use the same M4 instance for all Qradar installation types i.e Console, Ep etc.
    As per my information EP instance will require higher VCPU as compared to Console.
    Could you please help me here?



  4. Hi, may i know what is the device_data and device_name in Step 3 specifying for?

    1. Morning Anonymous,
      Here is the response I got from my guru Naomi who wrote this article.

      device_data and device_name are commands to run, this does not change but is equal to whatever volumes you have…
      xvdb    202:16   0    200G  0 disk
      xvdc    202:32   0    200G  0 disk 

  5. Hi, thanks for the prompt replies! Really appreciate that.
