Installing a QRadar data gateway on Amazon Web Services from the marketplace image

You connect to IBM® QRadar® on Cloud through a data gateway. You can install the data gateway on an Amazon Web Services (AWS) instance by using the provided Amazon Machine Image (AMI).
This procedure also applies to QRadar appliances on AWS GovCloud.

Before you begin

Ensure that your appliance meets the data gateway system requirements. See System requirements for data gateways.

Schedule a maintenance window for this task and ensure that users do not deploy changes while the data gateway is being added to your deployment.

Ensure that you have the full host name of the Console that you connect to through your gateway appliance.

About this task

For any issues with QRadar software, engage IBM Support. If you experience any problems with AWS infrastructure, refer to AWS documentation. If IBM Support determines that your issue is caused by the AWS infrastructure, you must contact Amazon for support to resolve the underlying issue with the AWS infrastructure.

You must use static private and public IP addresses.

Data gateways must be installed one at a time. If you are installing more than one data gateway, wait until you complete installation of one before you install the next one.

Procedure

  1. Go to IBM Security QRadar SIEM v7.5.0UP8 (BYOL).
  2. Click Continue to Subscribe.
  3. Click Accept Terms.
  4. When the subscription is ready, click Continue to Configuration.
  5. Select a region and click Continue to Launch.
  6. From the Choose Action list, select Launch through EC2.
  7. Click Launch.
  8. Give your instance a name.
  9. Select an EC2 instance type that meets the minimum system requirements from the following list: T3, T3A, M6i, M6a, M5, M5a, M5zn, C6i, C6a, C5, C5a, C5n, R6i, R5, R5a, R5b, R5n, X2iezn.
    For more information, see QRadar on Cloud onboarding.
  10. Configure or select a key pair. You use this key pair every time you connect to the appliance by using SSH.
  11. Click Edit in the Network settings section.
    1. Select a virtual private cloud (VPC).
    2. Create or select a subnet for your VPC.
    3. Create or select a security group that allows ports 22 and 443 to create an allowlist of trusted IP addresses that can access your QRadar deployment.

      In a QRadar deployment with multiple appliances, other ports might also be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see Common ports and servers used by QRadar.

  12. Navigate to the Configure Storage section.
    1. Click Add new volume.
    2. Estimate your storage needs and then enter a size in GiB.
      The minimum size is 250 GiB. The added disk must be the second disk. It cannot be the third or greater disk. When the installation is complete, this disk contains the /store and /transient partitions.
      Warning: It is not possible to increase storage after installation.
    3. Select GP3 as the volume type for the data disk.
  13. Click Launch Instance.
  14. When the instance is ready, log in using your key pair by typing the following command:
    ssh -i <key.pem> ec2-user@<public_IP_address>
  15. Type the following command:
    sudo /root/setup 7000
  16. The system prompts you to set a root password. The password must meet the following criteria:
    • Contains at least 5 characters
    • Contains no spaces
    • Includes one or more of the following special characters: @, #, ^, and *.

    You cannot change this password until after the installation process is complete. The root password is also the gateway host password.

  17. Upgrade the data gateway to the same version of QRadar as your Console.
    1. Log in to the Console.
    2. To find the version of QRadar that the Console is at, click the navigation menu, and then click About.
    3. Download the SFS file for the version of QRadar that the Console is at from Fix Central (https://www.ibm.com/support/fixcentral).
    4. Copy the software update SFS file to your data gateway.
    5. If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
    6. On your data gateway, move the SFS file to the /storetmp directory by typing the following command:
      sudo mv <version_number>_QRadar_patchupdate-<full_version_number>.sfs /storetmp
    7. Open the superuser shell by typing the following command:
      sudo su -
    8. Create the /media/updates directory by typing the following command:
      mkdir /media/updates
    9. Mount the SFS file by typing the following command:
      mount -o loop -t squashfs /storetmp/<version_number>_QRadar_patchupdate-<full_version_number>.sfs /media/updates
    10. Run the software update installer by typing the following command:
      /media/updates/installer
  18. Use the QRadar on Cloud Self Serve app to generate a token for your data gateway and allowlist the data gateway's IP address. For more information, see Access management to the console.
  19. After you receive your token:
    1. If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
    2. Because the appliance restarted after the previous step, open the superuser shell again by typing the following command:
      sudo su -
    3. To mitigate a known issue with an intermittent connection, type the following command on the newly added data gateway:
      mkdir /etc/systemd/system/tunnel-monitor.service.d/; printf "[Service]\nExecStart=\nExecStart=/bin/true\n" > /etc/systemd/system/tunnel-monitor.service.d/override.conf; chmod 644 /etc/systemd/system/tunnel-monitor.service.d/override.conf; systemctl daemon-reload
    4. To finish the initial data gateway setup, type the following command:
      /opt/qradar/bin/setup_qradar_host.py mh_setup interactive -p
  20. Exit the superuser shell by typing the following command:
    exit
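The SFS mount-and-install sub-steps of step 17 (moving the file to /storetmp, mounting it on /media/updates, running the installer) are easy to get wrong on a second attempt, for example when a stale mount from a failed run hides the new image. The following script is an added example, not IBM's code: it wraps those steps with the checks a practitioner wants before touching a data gateway. It assumes the paths used on this page (/storetmp, /media/updates, /media/updates/installer); the file name in the comments is a constructed placeholder, not a real QRadar build.

```shell
#!/bin/sh
# Added example (not IBM's code): guarded version of the SFS update steps.
# Paths are the ones the page uses; adjust if your deployment differs.
MOUNT_DIR=/media/updates

# Return 0 when the file name follows the page's pattern
# <version_number>_QRadar_patchupdate-<full_version_number>.sfs, else 1.
sfs_name_ok() {
    case "$(basename "$1")" in
        *_QRadar_patchupdate-*.sfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the <full_version_number> part of a valid SFS file name, e.g.
# 7.5.0_QRadar_patchupdate-2023.1.2.3.sfs (constructed name) -> 2023.1.2.3
sfs_full_version() {
    name=$(basename "$1")
    name=${name#*_QRadar_patchupdate-}
    printf '%s\n' "${name%.sfs}"
}

# Mount the SFS file and run its installer; undo the mount if anything fails.
# Run from the superuser shell (sudo su -) as in step 17.7.
apply_sfs_update() {
    sfs=$1
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    sfs_name_ok "$sfs" || { echo "unexpected file name: $sfs" >&2; return 1; }
    [ -f "$sfs" ] || { echo "missing file: $sfs" >&2; return 1; }
    # Refuse to double-mount: a stale mount from an earlier attempt would
    # hide the new image and the installer would run from the old one.
    if mountpoint -q "$MOUNT_DIR" 2>/dev/null; then
        echo "$MOUNT_DIR is already mounted; umount it first" >&2
        return 1
    fi
    mkdir -p "$MOUNT_DIR"
    mount -o loop -t squashfs "$sfs" "$MOUNT_DIR" || return 1
    if [ ! -x "$MOUNT_DIR/installer" ]; then
        echo "no installer inside $sfs" >&2
        umount "$MOUNT_DIR"
        return 1
    fi
    echo "installing QRadar update $(sfs_full_version "$sfs")"
    "$MOUNT_DIR/installer"
    rc=$?
    umount "$MOUNT_DIR"
    return $rc
}
```

Source the script in the superuser shell and call `apply_sfs_update /storetmp/<file>.sfs`; the installer may reboot the appliance before the final umount runs, which is expected.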

What to do next

Editing a target processor for your data gateway