IBM Support

QRadar: Using YUM to manually install, reinstall, or search for RPM packages

Question & Answer


Question

How do you use the yum command in QRadar to manually install RPM files?

Answer

In all versions of QRadar®, the yum command is the supported method to install RPM files, such as Device Service Modules (DSM), protocols, and scanners (VIS). Yum has its own database that tracks and manages RPMs. QRadar uses the yum command on the Console to install or reinstall RPMs. Searches for RPMs can be run on any appliance, but searches for newly installed RPMs can be run only on the Console. RPMs cannot be installed on the managed hosts. Instead, installations completed on the Console are replicated to all managed hosts in the deployment. After you install a protocol, DSM, or scanner RPM on the Console, a Deploy Changes or Deploy Full Configuration needs to be completed by an administrator.

Note: In QRadar, only DSM installs require a Deploy Changes from the Admin tab. Installation changes for RPMs that are added during QRadar automatic updates can restart services, but Tomcat restarts are no longer required. If you select the Auto Restart Service check box to restart services during a weekly auto update, Tomcat is not restarted.
 

Actions required by an administrator
File installed | Example File Name | Deploy Action
DSM RPM | DSM-MicrosoftExchange-7.5-20230207062209.noarch.rpm | Deploy Changes
Protocol RPM | PROTOCOL-TLSSyslog-7.5-20211115151657.noarch.rpm | Deploy Full Configuration
Scanner RPM | VIS-IBMAppScan-7.5-20220519191023.noarch.rpm | Deploy Full Configuration

Downloading software
You must log in with your IBMid and be entitled to download QRadar software. You need to select the correct software version. QRadar RPM files check dependencies to ensure administrators do not attempt to install a 7.4.x version RPM on a QRadar 7.5.x Console appliance.
  1. Log in to the IBM® support website (https://www.ibm.com/support/fixcentral) to download the DSM, Protocol, or Scanner RPM files required.
  2. You can select one of the three download options from Fix Central.
    1. Download Director, which packs all the RPM files you download into a compressed package. Transfer the package to the Console by using an SCP client. You can unpack the compressed package into individual RPMs either on the host you downloaded it to or on the Console.
    2. Download by using FTPS/SFTP, which eliminates having to transfer the file from the host to the QRadar Console.
      1. After you select this option, you are provided a user ID, Password, and FTPS/SFTP server.
      2. On the QRadar Console, type:
        sftp -o StrictHostKeyChecking=no userID@<IBM_FTPS/SFTP_server>.ibm.com
        The -o StrictHostKeyChecking=no option makes sftp accept a previously unknown server host key without asking for confirmation.
      3. Enter the Password that you were provided on the Fix Central download page.
      4. Use the get command and the RPM or bundle name to transfer the file from the Fix Central server to your appliance.
        sftp> get PROTOCOL-HTTPReceiver-7.5-20230208183459.noarch.rpm
      5. After your download is completed, type the following command to close the SFTP session:
        bye
    3. Use your browser to download each RPM. Then, use an SCP client to transfer the files to your Console.
      Note: RPM files are only installed on the QRadar Console appliance. The Console replicates the content of the installed RPM to all managed hosts in the deployment after the proper Deploy action.
  3. Use SSH to log in to the QRadar Console as the root user.
  4. Navigate to the directory that includes the downloaded file.
  5. Type the following command:
    yum -y install <rpm_filename>
  6. Log in to QRadar as an admin user.
    Important: Deploy Full Configuration results in services being restarted. Searches and scheduled reports that are in progress while services restart need to be manually restarted by users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
  7. On the Admin tab, select one of the Deploy Actions:
    RPM type being installed | Quantity of files | Deploy Action
    DSM RPMs | One or more | Deploy Changes
    Protocol RPMs | One or more | Deploy Full Configuration
    Scanner RPMs | One or more | Deploy Full Configuration
    DSM, Protocol, and Scanner RPMs | One or more | Deploy Full Configuration


    Results
    After the deploy completes, the procedure is complete. Uninstalling or removing an RPM is not supported in QRadar. If you experience issues installing an RPM on your QRadar Console, contact support for assistance.
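
The filename and Deploy Action rules from the procedure above can be checked before yum is run. This is an added example, not IBM code: it assumes the <TYPE>-<Name>-<version>-<build>.noarch.rpm filename layout seen in this page's examples, and the function names parse_rpm_name and required_deploy_action are hypothetical.

```bash
#!/bin/bash
# Added example (not IBM code): pre-install check for QRadar content RPMs.
# Assumed filename layout, taken from the examples on this page:
#   <TYPE>-<Name>-<version>-<build>.noarch.rpm with TYPE in DSM | PROTOCOL | VIS

# Print "<type> <version>" for one RPM filename; return 1 if it does not match.
parse_rpm_name() {
  local base type rest version
  base="${1##*/}"                      # drop any directory part
  case "$base" in
    DSM-*-*-*.noarch.rpm|PROTOCOL-*-*-*.noarch.rpm|VIS-*-*-*.noarch.rpm) ;;
    *) return 1 ;;
  esac
  type="${base%%-*}"
  rest="${base%.noarch.rpm}"           # TYPE-Name-version-build
  rest="${rest%-*}"                    # strip build: TYPE-Name-version
  version="${rest##*-}"
  printf '%s %s\n' "$type" "$version"
}

# Given the Console version (for example 7.5) and one or more RPM filenames,
# print the Deploy Action the table in step 7 requires for the whole batch.
# Returns 2 for a missing or unrecognized file name, 3 for a version mismatch.
required_deploy_action() {
  local console="$1" action="Deploy Changes" f parsed type version
  shift
  [ "$#" -gt 0 ] || { echo "no RPM files given" >&2; return 2; }
  for f in "$@"; do
    parsed="$(parse_rpm_name "$f")" || { echo "unrecognized: $f" >&2; return 2; }
    type="${parsed% *}"; version="${parsed#* }"
    if [ "$version" != "$console" ]; then
      echo "version mismatch: $f is $version, Console is $console" >&2
      return 3
    fi
    # Any protocol or scanner RPM in the batch requires a full deploy.
    [ "$type" = "DSM" ] || action="Deploy Full Configuration"
  done
  printf '%s\n' "$action"
}

# Constructed usage with two example filenames from this page.
required_deploy_action 7.5 \
  DSM-MicrosoftExchange-7.5-20230207062209.noarch.rpm \
  PROTOCOL-TLSSyslog-7.5-20211115151657.noarch.rpm
```

The yum dependency check described under "Downloading software" still runs at install time; this only reports a mismatch before the install is attempted.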
YUM commands:
The -y flag is used to automatically accept any prompts and answer Y to continue the installation of the RPM file. If you leave out the -y flag, any RPM installation requires you to approve the updates.
 
  • To install or update packages, type:
    yum install -y package.rpm
    yum install -y /path_to_package/package.rpm
  • To reinstall a package, type:
    yum reinstall package.rpm
    
  • To search for packages, type:
    yum search <search term>
    For example,
    yum search protocol
    PROTOCOL-AhnLabPolicyCenterJdbc.noarch : PROTOCOL @rpm.description@ Install
    PROTOCOL-AkamaiKonaRESTAPI.noarch : PROTOCOL @rpm.description@ Install
    PROTOCOL-AmazonAWSRESTAPI.noarch : PROTOCOL @rpm.description@ Install
    PROTOCOL-AmazonWebServices.noarch : PROTOCOL @rpm.description@ Install
  • To display package information, type:
    yum info <search term>
    For example,
    yum info PROTOCOL-WindowsEventRPC
    Loaded plugins: product-id, search-disabled-repos
    Installed Packages
    Name        : PROTOCOL-WindowsEventRPC
    Arch        : noarch
    Version     : 7.4
    Release     : 20210113131122
    Size        : 19 M
    Repo        : installed
    Summary     : PROTOCOL Windows Event Log over MSRPC Install
    License     : Proprietary.
    Description : This program installs a Windows Event Log over MSRPC PROTOCOL
                : plugin.


Document Information

Modified date:
16 March 2023

UID

ibm11127295