IBM QRadar Installation

Installing QRadar is a straightforward process, but complications can arise. For instance, the latest CentOS release appears to be missing a repository that the installer expects. This guide is best suited for those who have already installed CentOS 7, have the QRadar ISO file ready to go, and have run into such issues.

Scouring the internet and its various forums, I found a great guide that resolved my issues. Here are the steps I used; hopefully they can help you, should you run into the same roadblocks as I did.

(OPTIONAL) SELinux has to be disabled. This can be done manually or during the installation process, but either way it will require a reboot of the machine. To do it manually, run the command:

sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config && cat /etc/selinux/config

Let’s begin.

Assuming you have downloaded the QRadar ISO file and have it ready to go, SSH into your CentOS host, as I did, and transfer the QRadar ISO file to it. You can use whichever program you feel most comfortable with; I personally use Bitvise, as it has both remote desktop capabilities and a built-in FTP client. Once the transfer is done, make sure the QRadar ISO file is in the /tmp/ folder. You can check this with the "ls" command, using the wildcard symbol to list all files in that folder whose names start with "QRadar":

ls /tmp/QRadar*

Now change into your /tmp/ folder with the command:

cd /tmp/

Mount the ISO file to the /media/ folder using the command:

sudo mount <qradar install name> /media/

If you followed the official documentation, it would tell you that this is all that is needed and that you can begin installing QRadar. If you run the installer at this point, however, it will abort because of the missing repositories, and you will not be able to rerun the installation without reinstalling CentOS or reverting to an earlier snapshot if you are using a VM.

CentOS 7 is missing the GlusterFS repository, so we install the GlusterFS packages manually from the ISO (the path below assumes the ISO is mounted under /media/cdrom/; adjust it to match your mount point) with the command:

yum install /media/cdrom/3rdparty/glusterfs/*.rpm

Next, install the "kmod-pf_ring-6.2.0-2.el7.x86_64.rpm" package with the "--nodeps" flag, which tells rpm not to verify package dependencies, using the command:

rpm -Uvh /media/cdrom/3rdparty/pf_ring/kmod-pf_ring-6.2.0-2.el7.x86_64.rpm --nodeps

After it is installed, edit the contents of "CentOS-Gluster-3.8.repo". I personally use nano, but you are free to use whichever editor you prefer. Open the file using the command:

sudo <editor name> /etc/yum.repos.d/CentOS-Gluster-3.8.repo

Insert the following:

## CentOS-Gluster-3.8.repo
#
#Please see http://wiki.centos.org/SpecialInterestGroup/Storage for more information

[centosgluster38]
name=CentOS$releasever Gluster 3.8
baseurl=http://buildlogs.centos.org/centos/$releasever/storage/$basearch/gluster-3.8/
gpgcheck=0
enabled=0

[centos-gluster38-test]
name=Centos-$releasever - Gluster 3.8 Testing
baseurl=http://buildlogs.centos.org/centos/$releasever/storage/$basearch/gluster-3.8/
gpgcheck=0
enabled=1

Once the file is saved, it is time to update. In the output you will see that the GlusterFS repository has been added. Note that both sections above set gpgcheck=0, so packages from this repository are installed without GPG signature verification. Run the update with the command:

yum update

After everything is updated, it is time for the final step: the installation! If you skipped the optional step, you will be forced to reboot the machine, which in turn will unmount your QRadar ISO file. If this happens, do not fret: use the mount step above to remount the ISO and then begin the initialization process with the following command:

/media/setup

That’s it! The QRadar installation process should start.
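Because a failed run of /media/setup cannot simply be repeated, here is an added pre-flight script (my own, not part of the original guide or of QRadar) that checks the conditions the steps above establish before the installer is started: SELinux disabled in the config file, the mounted ISO actually containing setup and the 3rdparty GlusterFS rpms, and the Gluster repo file having an enabled section; it also lists repo sections with gpgcheck=0. Paths default to the locations used in this guide (ISO mounted at /media) and can be overridden as arguments.

```shell
#!/bin/sh
# Added pre-flight checks (my own script, not QRadar's): verify the steps
# above before /media/setup is run, so the installer is not aborted by a
# missing repository. Each check takes its path as an argument; defaults
# match this guide (ISO mounted at /media, repo file in /etc/yum.repos.d).

# 0 if the SELinux config file sets SELINUX=disabled; otherwise the
# installer forces a reboot, which unmounts the ISO.
selinux_disabled_in_config() {
  grep -Eq '^SELINUX=disabled[[:space:]]*$' "${1:-/etc/selinux/config}"
}

# 0 if the mounted ISO tree has the setup script and the GlusterFS rpms
# that the manual "yum install" step needs.
iso_contents_present() {
  mnt="${1:-/media}"
  [ -f "$mnt/setup" ] || return 1
  set -- "$mnt"/3rdparty/glusterfs/*.rpm   # glob expands only if rpms exist
  [ -e "$1" ]
}

# 0 if the Gluster repo file exists and at least one section has enabled=1.
repo_has_enabled_section() {
  repo="${1:-/etc/yum.repos.d/CentOS-Gluster-3.8.repo}"
  [ -r "$repo" ] || return 1
  awk -F= '{ sub(/[[:space:]]+$/, "") }
           $1 == "enabled" && $2 == "1" { found = 1 }
           END { exit !found }' "$repo"
}

# Prints each [section] with gpgcheck=0, i.e. packages from it are installed
# without signature verification, which is worth knowing before "yum update".
repo_sections_without_gpgcheck() {
  awk -F= '{ sub(/[[:space:]]+$/, "") }
           /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2) }
           $1 == "gpgcheck" && $2 == "0" { print sec }' \
      "${1:-/etc/yum.repos.d/CentOS-Gluster-3.8.repo}"
}

# Runs every check; returns the number of failed checks (0 = ready for setup).
preflight() {
  mnt="${1:-/media}"; repo="${2:-/etc/yum.repos.d/CentOS-Gluster-3.8.repo}"
  cfg="${3:-/etc/selinux/config}"; failed=0
  selinux_disabled_in_config "$cfg" || { echo "SELinux not disabled in $cfg"; failed=$((failed + 1)); }
  iso_contents_present "$mnt" || { echo "setup or 3rdparty rpms missing under $mnt"; failed=$((failed + 1)); }
  repo_has_enabled_section "$repo" || { echo "no enabled section in $repo"; failed=$((failed + 1)); }
  for s in $(repo_sections_without_gpgcheck "$repo"); do echo "note: [$s] has gpgcheck=0"; done
  return "$failed"
}
```

Run `preflight` (optionally with the mount point, repo file and SELinux config as arguments) and only start /media/setup when it returns 0.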