Overview
This is a guide to setting up IBM QRadar Community Edition SIEM on VMware Workstation.
IBM QRadar is a security information and event management (SIEM) product. It collects log data from across an enterprise: its network devices, host assets and operating systems, applications, vulnerabilities, and user activities and behaviors. It also provides real-time monitoring, alerting, and offense management.
I use VMware® Workstation 17 Pro (17.0.0 build-20800274) and QRadar CE ISO (QRadarCE733GA_v1_0.ova).
Software Requirements:
Hardware requirements:
- Memory minimum requirements: 8 GB RAM or 10 GB w/applications
- Disk space minimum: 250 GB
- CPU: 2 cores (minimum) or 6 cores (recommended)
- One network adapter with access to the Internet is required
- Static public and private IP addresses are required for QRadar Community Edition
- The assigned hostname must be a fully qualified domain name
Steps
1. Open VMware Workstation
2. Click File > Open
3. Select QRadar CE ISO (QRadarCE733GA_v1_0.ova) and click Open
4. Name the VM and select the location to save the VM, then click Import
5. Wait for the import to complete, then click Memory under Devices
6. Set the memory to 8 GB or 10 GB
Note: If installation fails, try increasing the memory to 10 GB or more.
7. Set the Processors to 2 cores (minimum) or 6 cores (recommended)
I set it to 4 cores.
8. Set the Network Adapter from Bridged to NAT
In VMware, the Bridged and NAT network adapter modes serve different purposes. Bridged mode allows the virtual machine (VM) to directly access the physical network as if it were a separate physical machine, receiving its own IP address and behaving as an independent device on the network. On the other hand, NAT (Network Address Translation) mode creates a private network within the host machine, allowing the VM to share the host’s network connection. VMs in NAT mode use the host’s IP address for external communication and are isolated from the external network, making them suitable for scenarios where the VMs need internet access but don’t require direct interaction with external network devices.
For example, if you are in a cafe and your VM is not connected to the internet, try changing the Network Adapter from Bridged to NAT. This will allow your VM to share the host’s network connection.
Docs: VMware Bridged vs NAT vs Host-Only Network
9. When you are done with the settings, click Power on this virtual machine
10. Wait for the VM to boot up, then log in as the root user and create a new password
Note: Don’t forget the password you set. You will need it later to log in to the VM. Also, in Linux nothing is shown while you type your password; just type it and press Enter.
11. Set the QRadar network settings to use IPv4 only
Type `nmtui` to open the NetworkManager TUI.
Wait for the NetworkManager TUI to open, then select Edit a connection and press Enter.
Select the connection, choose Edit using the arrow keys and press Enter.
Set the IPv6 configuration to Ignore and press Enter, so that it looks like this.
Then select OK and press Enter.
12. Set the QRadar hostname
After setting the network settings, go back to the main menu, select Set system hostname and press Enter.
Then type the hostname you want to use, for example `qradar.yourname.com`, choose OK and press Enter.
Docs: Recommended practices for hostname creation
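The hardware requirements above say the hostname must be a fully qualified domain name, and nmtui will accept any string without complaint. The following shell check is an added example, not part of the original guide, that validates a candidate name against the usual FQDN rules (two or more dot-separated labels; letters, digits and hyphens only; no leading or trailing hyphen; label and total length limits) and then reports on the name the VM currently has. The interface to the system is only `hostname -f`; everything else is self-contained.

```shell
# Added example (not from the original guide): check that a hostname is a
# fully qualified domain name before you type it into nmtui, since QRadar CE
# requires an FQDN. A name passes when it has at least two dot-separated labels,
# each label is 1 to 63 characters of letters, digits or hyphens and does not
# start or end with a hyphen, and the whole name is at most 253 characters.
# Returns 0 (true) for an FQDN, 1 (false) otherwise.
is_fqdn() {
    name=$1
    [ ${#name} -le 253 ] || return 1
    # Split on dots into positional parameters, with globbing disabled so a
    # stray "*" in the input cannot expand to file names.
    old_ifs=$IFS
    IFS=.
    set -f
    set -- $name
    set +f
    IFS=$old_ifs
    # A bare host name such as "qradar" is not fully qualified.
    [ $# -ge 2 ] || return 1
    for label in "$@"; do
        case $label in
            '' | -* | *-) return 1 ;;        # empty label, or leading/trailing hyphen
            *[!A-Za-z0-9-]*) return 1 ;;     # anything outside letters, digits, hyphen
        esac
        [ ${#label} -le 63 ] || return 1
    done
    return 0
}

# Check the name this VM currently has (falls back to plain `hostname` if -f fails).
check_current_hostname() {
    current=$(hostname -f 2>/dev/null || hostname 2>/dev/null)
    if is_fqdn "$current"; then
        echo "OK: '$current' is a fully qualified domain name"
    else
        echo "WARNING: '$current' is not a fully qualified domain name; set one in nmtui"
    fi
}

check_current_hostname
```

Run it on the VM after step 13 has reactivated the connection; a WARNING means the name QRadar will see at install time is not the FQDN you intended, which is cheaper to fix now than after the installer has run.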
13. Reactivate the network settings
After setting the hostname, go back to the main menu, select Activate a connection and press Enter.
Select the network interface and press Enter.
Press Enter twice on the Deactivate option: the first press deactivates the connection and the second reactivates it, so the new settings take effect.
14. Select Quit > OK and press Enter to save the changes
15. Type `ls -l` to see the files in the current directory, then type `./setup` to start the setup
16. Accept the license agreement
Press Enter to open the license agreement, press Space to scroll down, then type `q` to accept the license agreement.
Then press Enter to continue.
17. Type `Y` to install QRadar CE
Wait for the installation to complete. This will take a while: approximately 30 minutes to 1 hour or more, depending on your internet connection and your computer specs.
Mine took around 40 minutes to complete.
Rig:
- CPU: Ryzen 5 4600H (6 cores, 12 threads)
- RAM: 16 GB (8 GB dual channel)
18. Set the password for the admin user, which you will use to log in to the QRadar CE web interface
Type the password you want to use and press Enter
Note: Don’t forget the password you set. You will need it later to log in to the QRadar CE web interface. The password can be the same as the VM’s root password.
19. Type `ip addr` or `ip a` to see the IP address of the VM
Under the `ens33` interface, you will see the IP address of the VM. In my case, it’s 192.168.211.129
Note: The IP address of the VM will be different for everyone.
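Reading the address off the screen works once; if you want to script the later steps (SSH, opening the console URL) it helps to extract it. The following awk filter is an added example, not code from the guide, that pulls the IPv4 address of a named interface out of `ip addr` output. The sample output embedded in it is constructed for the test (the MAC address is made up); the interface name `ens33` is the one the guide shows.

```shell
# Added example (not part of the original guide): extract the IPv4 address of
# one interface from `ip addr` output, so step 19 can be scripted rather than
# read off the screen. Usage: ip addr | iface_ipv4 ens33
# Prints the address and returns 0, or prints nothing and returns 1 if the
# interface has no IPv4 address.
iface_ipv4() {
    awk -v want="$1" '
        # Interface header lines look like "2: ens33: <BROADCAST,MULTICAST,UP,...>";
        # remember which interface the following indented lines belong to.
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur) }
        # "inet 192.168.211.129/24 brd ..." is the IPv4 line; drop the prefix length.
        cur == want && $1 == "inet" { split($2, a, "/"); print a[1]; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample of `ip addr` output in the shape the guide describes
# (loopback plus ens33 with a NAT address); not captured from a real VM.
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:aa:bb:cc brd ff:ff:ff:ff:ff:ff
    inet 192.168.211.129/24 brd 192.168.211.255 scope global dynamic ens33
       valid_lft 1689sec preferred_lft 1689sec'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_IP_ADDR" | iface_ipv4 ens33

# Live usage on the VM (skipped where the `ip` tool is not available).
if command -v ip >/dev/null 2>&1; then
    ip addr | iface_ipv4 ens33 || echo "no IPv4 address on ens33" >&2
fi
```

The non-zero return when the interface has no `inet` line is deliberate: after the nmtui change in step 11 an interface with only an IPv6 address is exactly the state you want a script to notice.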
20. Now that we have the IP address, we can SSH to the VM
You can use PuTTY, Windows Terminal, Windows Subsystem for Linux (WSL), MobaXterm or any other SSH client you want.
In my case, I use Termius.
- Open Termius and click New Host
- Set the hostname to the IP address of the VM, which is 192.168.211.129, set the username to `root`, and type the password you set earlier. You can also set the VM details if you want; in Termius you can set labels, groups, and tags for your hosts.
- Connect to the VM
You can use the Quick Connect button to connect to the VM without having to type the IP address, username, and password.
- Accept the fingerprint
Click Add and continue. On a lab VM this is fine; for a host you care about, compare the fingerprint with the one shown on the server itself (for example from the VM console) before accepting, since that check is what protects the SSH session from a machine-in-the-middle.
- You are now connected to the VM
21. Check the Tomcat service status
Type `systemctl status tomcat` to check the Tomcat service status
Docs:
22. Run the following command to update the QRadar CE license
The IBM QRadar CE image has a bug that prevents QRadar CE from updating. QRadar developers have recently identified a defect in the product licensing function, which may cause the deployment to stop functioning. We need to run the following command.
More info: UPDATED: A QRadar deploy changes on 31 December 2020 can impact product functionality
Copy and paste this command to the VM and press Enter
```bash
if [ -f /opt/qradar/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/ecs/license.txt ; fi
if [ -f /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ; fi
if [ -f /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ; fi
if [ -f /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ; fi
if [ -f /usr/eventgnosis/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /usr/eventgnosis/ecs/license.txt ; fi
if [ -f /opt/qradar/conf/templates/ecs_license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/conf/templates/ecs_license.txt ; fi
```
Command breakdown
This is a single Bash command line made up of six independent `if` statements, one per license file. Taking the first one:
`if [ -f /opt/qradar/ecs/license.txt ] ; then ... ; fi`
- `[ -f /opt/qradar/ecs/license.txt ]` checks whether a file named `license.txt` exists in the directory `/opt/qradar/ecs/`. If it does, the command enclosed by `then` and `fi` is executed; if it does not, nothing happens and the shell moves on to the next `if`.
`echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/ecs/license.txt`
- If the file `/opt/qradar/ecs/license.txt` exists, this command overwrites its contents with the text “QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20”. The `>` redirection truncates the file before writing, so whatever it contained before is lost.
- The `-n` flag of `echo` suppresses the trailing newline character, so the text is written without a newline at the end.
The same logic is repeated for five other paths, checking whether each license file exists and overwriting its contents if it does. The paths being checked are:
- /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt
- /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt
- /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt
- /usr/eventgnosis/ecs/license.txt
- /opt/qradar/conf/templates/ecs_license.txt
In each case, if the respective license file exists, it is overwritten with the same text: “QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20”.
The command therefore writes the license value from the IBM note linked above into every QRadar component that has a license file, so that all components carry the same license information. Because each write is guarded by an existence check, the command never creates files for components that are not installed.
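The one-liner above is fine to paste once, but it keeps no copy of the old files and gives no feedback about which files it touched. The script below is an added example, not IBM's or the guide's own code: it applies the same write to the same six paths with the same license string, but backs each file up the first time it is changed, counts what it updated, and has a separate verification pass you can run afterwards (or before, to see whether the fix is still needed). It uses `printf '%s'` instead of `echo -n` for portability; the effect is identical. The optional root-prefix argument is an addition for testing against a scratch directory; on the QRadar console run both functions as root with no argument.

```shell
# Added example (not IBM's or the guide's code): the license fix from the guide,
# made re-runnable and self-checking. License string and file paths are the
# ones from the guide; the optional root prefix ($1, default "/") exists so the
# logic can be exercised against a scratch directory instead of the real system.
QRADAR_ECS_LICENSE='QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20'

QRADAR_LICENSE_PATHS='/opt/qradar/ecs/license.txt
/opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt
/opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt
/opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt
/usr/eventgnosis/ecs/license.txt
/opt/qradar/conf/templates/ecs_license.txt'

# Write the license into every listed file that exists under the root, keeping
# a .bak copy of the previous contents the first time each file is touched.
# Prints the number of files updated.
fix_qradar_licenses() {
    root=${1:-/}
    updated=0
    for rel in $QRADAR_LICENSE_PATHS; do
        f="${root%/}$rel"
        [ -f "$f" ] || continue                 # same existence guard as the one-liner
        [ -f "$f.bak" ] || cp -p "$f" "$f.bak"  # preserve the original once
        printf '%s' "$QRADAR_ECS_LICENSE" > "$f" # no trailing newline, like echo -n
        updated=$((updated + 1))
    done
    echo "$updated"
}

# Report every existing license file whose contents differ from the expected
# string (byte-for-byte, so a stray newline is caught). Returns 0 when all
# existing files match, 1 otherwise.
verify_qradar_licenses() {
    root=${1:-/}
    bad=0
    for rel in $QRADAR_LICENSE_PATHS; do
        f="${root%/}$rel"
        [ -f "$f" ] || continue
        if ! printf '%s' "$QRADAR_ECS_LICENSE" | cmp -s - "$f"; then
            echo "MISMATCH: $f" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# On the console (as root):
#   verify_qradar_licenses || fix_qradar_licenses && verify_qradar_licenses
```

Running `verify_qradar_licenses` first tells you whether the fix is still needed; running it after `fix_qradar_licenses` confirms every component file now holds the expected value. The `.bak` copies sit next to the originals so the change can be reversed if IBM's guidance changes.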
23. Open the QRadar CE web interface in your browser
Open your browser and go to the IP address of the VM. In my case, it’s https://192.168.211.129
Note: Don’t forget to use `https://` instead of `http://`, because the QRadar CE web interface uses HTTPS.
- Click Advanced… and then Accept the Risk and Continue (the warning appears because the fresh console uses a self-signed certificate)
- Log in with the username `admin` and the password you set earlier
- Accept the EULA
24. Configure the Flow Sources
- Click the hamburger menu icon in the top left corner of the QRadar Console.
- Click Admin
- Scroll down and click Flow Sources
- Click Add
- Wait for the form to load, set the Flow Source Name to `qradar_network`, set the Flow Source Type to `Network Interface`, and click Save
- So that it looks like this
25. Deploy the changes
- Go back to the Admin page and click Deploy Changes
- Click Continue if you are sure you want to deploy the changes, and wait for the changes to be deployed. This will take a while: approximately 2-5 minutes or more.
26. Check the Log Activity and Network Activity tabs; if there are any events or flows, QRadar CE is working
- Log Activity
- Network Activity
Congratulations! You have successfully set up IBM QRadar CE on VMware Workstation
References:
- https://www.ibm.com/community/qradar/ce/
- https://www.ibm.com/docs/en/SS42VS_7.4/pdf/b_siem_inst.pdf
- https://www.ibm.com/docs/en/SS42VS_7.4/pdf/b_qradar_system_notifications.pdf
- https://www.ibm.com/community/qradar/wp-content/uploads/sites/5/2020/03/QRadar_CE_Under_the_Radar_21Feb.pdf
- https://www.ibm.com/docs/en/qradar-on-cloud?topic=support-common-problems
- https://www.ibm.com/docs/en/qsip
- http://ftpmirror.your.org/pub/misc/ftp.software.ibm.com/software/security/products/qradar/documents/7.2.4/QLM/EN/b_qradar_system_notifications.pdf
- Tutorial: QRadar CE SIEM - Installation and Configuration (Complete Steps) by Semi Yulianto
- Guide/learning material from the Infinite Learning HCAI Program (I can’t share the material/content directly, because it’s confidential and belongs to Infinite Learning and IBM Academy)