Configure an App host in Microsoft Azure by
using the provided image.
Before you begin
Important:
The following procedure is for the configuration of an IBM®
QRadar® 7.3.3 App Host image,
which has reached its End of Support. An IBM® QRadar® 7.4.3 App Host image is not yet available.
Once the image is installed, it should be upgraded to ensure that support is available. For
information about upgrading to 7.4.3, see Upgrading QRadar SIEM.
You must acquire entitlement to a QRadar Software Node for any QRadar instance that is deployed
from a third-party cloud marketplace. Entitlement to the software node should be in place before you
deploy the QRadar instance. To
acquire entitlement to a QRadar Software Node, contact your QRadar Sales Representative.
For any issues with QRadar
software, engage IBM Support. If you experience any problems
with Microsoft Azure infrastructure, refer to Microsoft Azure Support documentation. If IBM Support determines that your issue is caused by the Microsoft Azure infrastructure, you must contact Microsoft for support to resolve the underlying issue with the Microsoft Azure infrastructure.
You must use static IP addresses.
You cannot have more than two DNS entries. QRadar installation fails if you
have more than two DNS entries in the /etc/resolv.conf file.
The App Host must be the same version as your Console before you can add the App Host to your
deployment. You can upgrade the App Host to a later version of QRadar after you complete the
installation by downloading the fix pack from Fix Central (https://www.ibm.com/support/fixcentral) and
following the normal upgrade procedure. For more information about upgrades, see IBM QRadar Upgrade Guide.
If you are installing a data gateway for QRadar on Cloud, go to Installing a QRadar data
gateway in Microsoft Azure
(https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.qradar.doc_cloud/t_hosted_azure.html).
If you deploy a managed host and a Console in the same virtual network, use the private IP
address of the managed host to add it to the Console.
If you deploy a managed host and a Console in different virtual networks, you must allow firewall
rules for the communication between the Console and the managed host. For more information, see
QRadar port usage.
You must complete all of the installation steps before you run QRadar commands such as
qchange_netsetup.
For more information about configuring firewall rules between hosts, see Microsoft documentation.
Procedure
- Go to the Microsoft Azure
Marketplace
(https://azuremarketplace.microsoft.com/en-us/marketplace/apps/ibm.qradar733?tab=Overview).
Note: The Plans + Pricing tab can be used to estimate pricing for certain VM
sizes, but you don't choose your VM size on this screen. Refer to the Core
and RAM columns when you are estimating pricing. Ignore the Disk
Space column, as all QRadar marketplace images include
a disk for the operating system, and a 1 TB disk for storage.
- Click Get It Now.
- Select QRadar SIEM AH 7.3.3 from the
Software plan menu list and click
Continue.
- Click Create to create an instance of the
virtual appliance.
- Configure VM settings.
- Select an existing Resource Group or create a new
one.
- Enter a virtual machine name.
Note: The VM name must be 10 characters or fewer.
- Select a Region.
- Click Change size and ensure that your VM meets the minimum
system requirements.
- Enter a username for the administrator account.
- Choose an SSH public key or
Password.
For more information about creating and using an SSH public-private key pair for Linux® VMs in Microsoft Azure, see Microsoft documentation.
- Set Public inbound ports to Allow selected
ports.
- Set Select inbound ports to SSH (22) and
HTTPS (443).
- Click Review + Create.
- Click Create to deploy the
instance.
- When your VM is deployed in Microsoft Azure, set the private and public IP addresses to static.
- Click Go to resource.
- Click the public IP address.
- Set the Assignment to
Static.
- Click Save.
- Click Overview.
- Click the Associated to link.
- Click IP configurations.
- In the list of IP configurations, click the configuration row where the
Type is set to Primary.
- Set the Private IP address assignment to
Static.
- Click Save.
- Create or select a security group that allows ports 22 and 443 only
from trusted IP addresses to create an allowlist of IP addresses that can access your QRadar
deployment.
In a
QRadar deployment with multiple
appliances, other ports might also be allowed between managed hosts. For more information about what
ports might need to be allowed in your deployment, see
Common ports and servers used by QRadar.
- Click Home.
- Click Virtual Machines .
- Click the name of your virtual machine.
- Click Networking.
- Click the SSH rule that is associated with port 22.
- In the edit pane, select IP Addresses from the
Source list.
- In the Source IP addresses/CIDR ranges field, enter the address
range of the IP addresses that are allowed to access the VM.
- Click Save.
- Click the HTTPS rule that is associated with port 443.
- In the edit pane, select IP Addresses from the
Source list.
- In the Source IP addresses/CIDR ranges field, enter the address
range of the IP addresses that are allowed to access the VM.
- Click Save.
- To display the SSH connection information for the public IP
address of the virtual appliance.
- Click .
- Click Connect.
- Log in to your virtual machine.
- To check that the hostname is a fully qualified domain name (FQDN),
type the following command:
hostname -f
If the command returns a hostname that is not an FQDN, DNS is misconfigured and installation
fails. Restart this procedure with proper DNS configuration. For more information about DNS
configuration, see the Microsoft Azure Support
documentation.
- To check the length of your FQDN, type the following command:
hostname -f | wc -c
If the command returns a value greater than 63, installation fails. Restart this procedure with a
shorter virtual machine name.
- Ensure that there are no more than 2 DNS entries for the instance
by typing the following command:
grep nameserver /etc/resolv.conf | wc -l
If the command returns 3 or higher, edit /etc/resolv.conf to
remove all but two of the entries before you proceed to the next step. You will add the entries back
after installation is complete.
What to do next
If you need to increase file system storage beyond the default 1 TB, follow the steps in Increasing file system storage for a new App Host by recreating the data disk at a larger size. Increase the file system storage before
you complete the installation if possible, as increasing file system storage on a running system is
more risky than increasing it before installation is complete.
If you don't need more than 1 TB of storage, proceed to Installing the App Host.
If you need to change your hostname or FQDN, run the qchange_netsetup
command.