Friday, January 13, 2017

Building an IBM QRadar Console in AWS (For version 7.2.7)

Special thanks to Naomi Rampersad for this entry.

Building an IBM QRadar Console in AWS
(For version 7.2.7)
1.    Configure a key pair on AWS.
2.    Create an Amazon EC2 instance that meets the following requirements:
Image = RHEL-6.7_HVM_Beta-20150430-x86_64-1-Hourly2-GP2, found in Community AMIs
Instance type = m4.2xlarge
Storage    Three disks:
1 x 250 GB volume
2 x 200 GB volumes
Security Group = Your IP addresses from the list, with ports 22 and 443 open.
Create an elastic IP


The AWS instance key is required to log in to the instance with SSH.
XFS is not supported on the RedHat Enterprise Linux (RHEL) v6.7 loads that are provided by AWS. Use ext4.
Important: High availability (HA) is not supported on AWS QRadar installations.

1.    To log in to the AWS instance by using the key pair that you created when you configured the instance, type the following command or use Putty.
ssh -I <your_key>.pem ec2-user@<public_IP_address>
2.    Enter the root shell of the AWS instance by using the following command:
sudo su -
3.    Determine the device that you want to configure:
Type the lsblk command to list device details.
# lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
xvda    202:0    0  250G  0 disk
└─xvda1 202:1    0  250G  0 part /
xvdb    202:16   0    200G  0 disk
xvdc    202:32   0    200G  0 disk 
Find the device that has no partitions and has the required storage.
After you find the block devices, export the device name and device data as environment variables for use in subsequent steps. For the preceding example, you type the following commands:
export device_name=/dev/xvdc
export device_data=/dev/xvdb
4.    To create the partition type for the disk (label), type the following commands:
parted -a optimal --script ${device_name} -- mklabel gpt
parted -a optimal --script ${device_data} -- mklabel gpt
5.    To create these partitions on the device, type the following commands:
Note: The following allocations are examples.
parted -a optimal --script ${device_name} -- mkpart swap 0% 30%
parted -a optimal --script ${device_name} -- mkpart ext4 30% 60%
parted -a optimal --script ${device_name} -- mkpart ext4 60% 100%
parted -a optimal --script ${device_data} -- mkpart ext4 0% 80%
parted -a optimal --script ${device_data} -- mkpart ext4 80% 100%
6.    To create the following file systems on the partitioned device, type the following commands:
mkswap -L swap1 ${device_name}1
mkfs.ext4 ${device_name}2
mkfs.ext4 ${device_name}3
mkfs.ext4 ${device_data}1
mkfs.ext4 ${device_data}2
7.    Label the partitions with the following names:
e2label ${device_name}2 /var/log
e2label ${device_name}3 /store/tmp
e2label ${device_data}2 /store/transient
e2label ${device_data}1 /store
8.    In the /etc/fstab file, comment out the /dev/<device_name> /mnt, or /dev/<device_data> /mnt lines if they are present.
9.    Type the following commands to add the required entries to /etc/fstab file:
eval `blkid -t LABEL=/store -o export` ; echo UUID=$UUID $LABEL $TYPE defaults,noatime 1 1 >> /etc/fstab
eval `blkid -t LABEL=/store/transient -o export` ; echo UUID=$UUID /store/transient $TYPE defaults,noatime 1 1 >> /etc/fstab
eval `blkid -t LABEL=/var/log -o export` ; echo UUID=$UUID $LABEL $TYPE defaults,noatime 1 1 >> /etc/fstab
eval `blkid -t LABEL=/store/tmp -o export` ; echo UUID=$UUID /store/tmp $TYPE defaults,noatime 1 1 >> /etc/fstab
echo "${device_name}1 swap swap defaults 0 0" >> /etc/fstab
10.    To create and mount the /store directory, type the following commands:
mkdir /store
mount /store
mkdir /store/tmp
mount /store/tmp
mkdir /store/transient
mount /store/transient
cd /var; mv log oldlog; mkdir log; mount /var/log; mv oldlog/* log
11.    To enable the swap between devices, type the following command:
swapon -a
12.    Confirm that the /etc/sysconfig/i18n line contains the following string, including the quotation marks:
LANG="en_US.UTF-8"
13.    To copy the ISO image to the device, type the following command or use WinSCP:
scp -i <key.pem qradar.iso> ec2-user@<Public_DNS>:qradar.iso
Important: Use SQ_SIEM_SWO7.2.7RHELML.iso image (Red Hat Linux version only)
14.    To mount the ISO image, type the following commands at the root directory:
mkdir /media/cdrom
mount -o loop /home/ec2-user/qradar.iso /media/cdrom
15.    Configure missing dependencies by using the following commands:
yum  install -y libxml2 libxml2.i686 audit-libs audit-libs.i686 glibc glibc.i686 device-mapper-multipath zlib zlib.i686 libcom_err libcom_err.i686 nspr nspr.i686 nss nss.i686 nss-util nss-util.i686 krb5-libs krb5-libs.i686 keyutils-libs keyutils-libs.i686 openssl   openssl.i686 httpd-tools httpd-devel httpd mod_ssl keyutils keyutils.i686 keyutils-libs keyutils-libs.i686 openldap openldap.i686 openldap-clients cyrus-sasl-lib cyrus-sasl-lib.i686 pam pam.i686 libgcc libgcc.i686 elfutils-libelf  elfutils-libelf.i686 libstdc++   libstdc++.i686

yum remove php.x86_64 php-cli.x86_64 php-common.x86_64 php-devel.x86_64 php-imap.x86_64 samba-common samba-winbind-clients samba-client samba-winbind httpd httpd-tools mod_ssl

sed -i -e "s/plugins=1/plugins=0/" /etc/yum.conf
16.    To start the setup program, type the following command:
/media/cdrom/setup
17.    Type Y when prompted to accept an installation on unsupported hardware.
18.    Follow the prompts and complete the QRadar installation wizard.

Restore a Configuration to the AWS Built IBM QRadar Console
(The IP address is different)
1.    Ensure the version and patch level is the same.
2.    Take an On Demand Backup on the original Console.
3.    Using SCP, copy the configuration backup file to /store/backupHost/inbound of the new Console.
4.    Ensure the hostname on the AWS Console is the same as the original is the same by using qchange_netsetup.
5.    Log in to the AWS QRadar Console as an administrator.
6.    Click the Admin tab and select the Backup and Recovery icon.
7.    Select the configuration backup you copied to the Console and click Restore.
8.    From the restore options list, select the Select All Configuration Items check box.
9.    From the restore options list, select the Select All Data Items check box.
10.    Click Restore to start the configuration restore process.
11.    From the Admin tab, click the Deploy Changes icon.
12.    Verify that event or flow sources that were reporting to the original host are being processed in the QRadar user interface.

5 comments:

  1. Hi,
    Thanks for such a nice document.
    But I have a query. I was going through the 7.2.8 Qradar install guide and saw this pre-requisite for AWS EC2 instance. Do we need to use the same M4 instance for all Qradar installation types i.e Console, Ep etc.
    As per my information EP instance will require higher VCPU as compared to Console.
    Could you please help me here?

    -Ashish

    ReplyDelete
  2. Hi, may i know what is the device_data and device_name in Step 3 specifying for?

    ReplyDelete
    Replies
    1. Morning Anonymous,
      Here is the response I got from my guru Naomi who wrote this article.

      device_data and device_name are commands to run, this does not change but is equal to whatever volumes you have…
       
      xvdb    202:16   0    200G  0 disk
      xvdc    202:32   0    200G  0 disk 

      Delete
  3. Hi, thanks for the prompt replies! Really appreciate that.

    ReplyDelete
  4. Very detailed and easy-to-follow guide. Thanks!

    ReplyDelete