Installing the QRadar EDR Agent on Linux endpoints

Install the QRadar® EDR Agent on your Linux® endpoints to monitor the endpoints, collect events, analyze behavior, and enforce policies.

The QRadar EDR Agent is supported on the following Linux distributions, and their minor versions, on the x86-64 architecture.
  • Amazon Linux 2
  • CentOS 6, 7, 8
  • CentOS Stream 8, 9
  • Debian 8, 9, 10, 11, 12
  • OpenSUSE Leap 15
  • Oracle Linux 7, 8, 9
  • Red Hat® Enterprise Linux 6, 7, 8, 9
  • Rocky Linux 8, 9
  • SUSE Linux Enterprise Server 12, 15
  • Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS
Important:
  • The QRadar EDR Agent is not supported on CentOS 6, CentOS 7, Debian 8, Debian 9, Debian 10, Red Hat Enterprise Linux 6, or Red Hat Enterprise Linux 7 when they are using UEFI Secure Boot.
  • CentOS 6 and Red Hat Enterprise Linux 6 require Linux agent 0.70.0 or later.

In an MSSP deployment, you must specify a GID when you install the QRadar EDR Agent; otherwise, the endpoint registration fails.

Installing the QRadar EDR Agent

Before you begin

Ensure that the prerequisite packages are installed by typing the command that matches your distribution. Some packages might be available only after you enable extra repositories.

Important: Package installation usually requires internet access.
Amazon Linux 2
sudo yum install clang curl kernel-devel-$(uname -r) kernel-devel llvm make
CentOS 6, CentOS 7, Red Hat Enterprise Linux 6, or Red Hat Enterprise Linux 7
sudo yum install curl dkms gcc kernel-devel-$(uname -r) kernel-devel make
Important: Enable the Extra Packages for Enterprise Linux (EPEL) repository before you install dkms. For more information about enabling the EPEL repository, see Extra Packages for Enterprise Linux (EPEL).
CentOS 8, CentOS Stream 8, Red Hat Enterprise Linux 8, or Rocky Linux 8
sudo dnf install curl elfutils-libelf-devel gcc kernel-devel-$(uname -r) kernel-devel llvm-toolset make
Debian 8, Debian 9, Debian 10, Ubuntu 16.04 LTS
sudo apt-get install --no-install-recommends curl dkms gcc linux-headers-$(uname -r) make
Important: The Linux agent 0.80.1 fails to start on Debian 10 due to a driver issue. For more information, see technote 7148175.
Oracle Linux 7
sudo yum install curl dkms gcc kernel-*devel-$(uname -r) make
Important: Oracle Linux 7 is not supported when it is running the UEK kernel.
Oracle Linux 8
sudo dnf install curl elfutils-libelf-devel gcc "kernel-*devel-uname-r = $(uname -r)" llvm-toolset make
SUSE Linux Enterprise Server 12
sudo zypper install curl dkms gcc kernel-devel make
Important: Enable the SUSE Package Hub before you install dkms. For more information, see SUSE Package Hub: How to use.
Ubuntu Linux 18.04 LTS or Ubuntu Linux 20.04 LTS
sudo apt-get install --no-install-recommends clang curl gcc linux-headers-$(uname -r) linux-headers-generic llvm make

The following distributions do not need prerequisite packages. They require Linux agent 0.80.0 or later.

  • Debian 11, 12
  • CentOS Stream 9
  • OpenSUSE Leap 15
  • Oracle Linux 9
  • Red Hat Enterprise Linux 9
  • Rocky Linux 9
  • SUSE Linux Enterprise Server 15
  • Ubuntu 22.04 LTS

Procedure

  1. Click Administration > Update Manager.
  2. Click Linux Hive Package.
  3. Click Installer Download.
  4. Click Download for the .deb or the .rpm installer.
    Tip: Select groups in the Parameters section to get the group IDs that you need when you run the installer.
  5. If you are installing the QRadar EDR Agent on an endpoint that is not the same endpoint where you downloaded the agent, copy the installer file to the other endpoint.
  6. Install the Linux Agent package by using only one of the following commands.
    • For Debian-based endpoints (Debian, Ubuntu), type the following command.
      sudo RQTPARAMS="https://<URL> --gids <group_IDs> --proxy <proxy_URI>" dpkg -i <installer>.deb
      If you are updating to a later version of the agent, or if you need to install the agent without registering the endpoint, type the following command.
      sudo dpkg -i <installer>.deb
    • For RPM-based endpoints (Amazon Linux, CentOS, OpenSUSE, Oracle Linux, Red Hat Enterprise Linux, SUSE Linux Enterprise Server), type the following command.
      sudo RQTPARAMS="https://<URL> --gids <group_IDs> --proxy <proxy_URI>" rpm -i <installer>.rpm
      If you are updating to a later version of the agent, or if you need to install the agent without registering the endpoint, type the following command.
      sudo rpm -Uv <installer>.rpm
    Table 1. QRadar EDR Dashboard parameters

    Parameter   Description
    URL         Your QRadar EDR Dashboard server URL, including the port.
    Group IDs   A comma-separated list of group IDs. At least one group ID is required in MSSP deployments.
    Proxy       If you are using a proxy to access QRadar EDR Dashboard, enter the proxy URL and port. It must be a nonauthenticated proxy.
    Installer   The file name of the installer that you downloaded.
  7. If you installed the agent on any of the following distributions, see Installing the agent when kernel module signing is set to recommended.
    • CentOS 7
    • Debian 8, 9, 10
    • Oracle Linux 7
    • Red Hat Enterprise Linux 7
    • SUSE Linux Enterprise Server 12
    • Ubuntu 16
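The following POSIX shell helpers are an added example for step 6 and Table 1; they are not part of the IBM documentation or the agent package. They assemble and validate the RQTPARAMS value (the MSSP GID requirement and the nonauthenticated-proxy requirement from Table 1) and print the matching dpkg or rpm command without installing anything; the Dashboard URL, group ID placeholder and installer file names are constructed values.

```shell
# Hypothetical helpers, added here and not part of the IBM documentation.
# They only assemble and validate the command line from Table 1; nothing is installed.

# Assemble the RQTPARAMS value from the Dashboard URL, the comma-separated
# group IDs, the proxy URI (may be empty) and "mssp" for an MSSP deployment.
# Prints the value, or returns 1 when a documented constraint is violated.
build_rqtparams() {
  url=$1; gids=$2; proxy=$3; deployment=$4
  case $url in
    https://*) ;;
    *) echo "error: URL must be the https:// Dashboard URL including the port" >&2; return 1 ;;
  esac
  # In an MSSP deployment a missing GID makes endpoint registration fail.
  if [ "$deployment" = mssp ] && [ -z "$gids" ]; then
    echo "error: MSSP deployment requires at least one group ID" >&2; return 1
  fi
  case $gids in
    *[[:space:]]*) echo "error: group IDs must be a comma-separated list" >&2; return 1 ;;
  esac
  params=$url
  [ -n "$gids" ] && params="$params --gids $gids"
  if [ -n "$proxy" ]; then
    # Credentials embedded as user:pass@ mean an authenticated proxy, which is not supported.
    case $proxy in
      *@*) echo "error: proxy must be nonauthenticated" >&2; return 1 ;;
    esac
    params="$params --proxy $proxy"
  fi
  printf '%s\n' "$params"
}

# Print the install command for a .deb or .rpm installer. action is "register"
# (first install, passes RQTPARAMS) or "update" (upgrade, or install without registering).
install_command() {
  installer=$1; action=$2; params=$3
  case $installer in
    *.deb) pkgcmd="dpkg -i $installer" ;;
    *.rpm) [ "$action" = register ] && pkgcmd="rpm -i $installer" || pkgcmd="rpm -Uv $installer" ;;
    *) echo "error: installer must be a .deb or .rpm file" >&2; return 1 ;;
  esac
  if [ "$action" = register ]; then
    printf 'sudo RQTPARAMS="%s" %s\n' "$params" "$pkgcmd"
  else
    printf 'sudo %s\n' "$pkgcmd"
  fi
}

# Example (constructed values): registering an MSSP-managed RPM endpoint.
params=$(build_rqtparams "https://edr.example.com:443" "<group_ID>" "" mssp) && install_command agent.rpm register "$params"
```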

Results

The agent is installed on the endpoint, and it automatically registers the endpoint in QRadar EDR Dashboard if it has an internet connection.

If you encounter any issues with the agent installation, see Linux QRadar EDR Agent troubleshooting.