I have had good success running the QRadar Community Edition on a standard Azure CentOS VM, so I thought I would post here the brief modifications required to get the installation running, in case anyone else finds them useful – use them at your own risk.
I am not going to explain how to create an Azure VM (hopefully you are already up to speed on that). The VM specifics I used are:
PublisherName: OpenLogic
Offer: CentOS
Skus: 7.3
Version: Latest
Size: Standard_F2s (this is 2 cpus, 4GB RAM, premium storage)
VMOSDiskSize: 80GB
Once created, the VM needs a few changes to make the QRadar install run smoothly, as follows.
Extend the /dev/sda2 partition to use the full available space. Deleting and recreating the partition keeps the existing filesystem intact only because the new partition starts at the same first sector as the old one (the default, 1026048), so accept the default start sector and only let the last sector grow:
sudo fdisk /dev/sda
The device presents a logical sector size that is smaller than
the physical sector size. Aligning to a physical sector (or optimal
I/O) size boundary is recommended, or performance may be impacted.
Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): d
Partition number (1,2, default 2): 2
Partition 2 is deleted
Command (m for help): n
Partition type:
p primary (1 primary, 0 extended, 3 free)
e extended
Select (default p): p
Partition number (2-4, default 2): 2
First sector (1026048-167772159, default 1026048):
Using default value 1026048
Last sector, +sectors or +size{K,M,G} (1026048-167772159, default 167772159):
Using default value 167772159
Partition 2 of type Linux and of size 79.5 GiB is set
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
Reboot to pick up the new partition table:
sudo reboot
Grow the root filesystem:
sudo xfs_growfs /
Create 8GB of swap space:
sudo dd if=/dev/zero of=/swapfile bs=1024 count=8388608
sudo chmod 0600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
Add the following line to /etc/fstab to mount the swap on reboot:
/swapfile swap swap defaults 0 0
Update everything and install screen:
sudo yum -y update
sudo yum install screen
Disable SELinux, and reboot to clear it:
sudo sed -i -e 's/^SELINUX=.*$/SELINUX=disabled/g' /etc/selinux/config
sudo reboot
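As an added example (my own script, not part of the original post or of IBM's installer), the following pre-flight script checks that the steps above actually took effect before you start the QRadar CE setup: the SELinux mode in the config file, the active swap file and its /etc/fstab entry, and the free space on the grown root filesystem. The 40 GiB free-space threshold and the --check flag are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# prep steps above, run before starting the QRadar CE setup. Pure
# functions are kept separate from the commands that touch the system.
set -eu

# dd count for an N GiB swap file at bs=1024 (8 GiB -> 8388608, as above).
swap_dd_count() {
    echo $(( $1 * 1024 * 1024 ))
}

# Effective SELINUX= value in a selinux config file (last match wins).
selinux_mode_from_config() {
    sed -n 's/^SELINUX=\([a-z]*\).*$/\1/p' "$1" | tail -n 1
}

# The post's sed edit, applied to an arbitrary config file path.
disable_selinux_in() {
    sed -i -e 's/^SELINUX=.*$/SELINUX=disabled/g' "$1"
}

# Free space in GiB on the filesystem holding a path (rounded down).
free_gib() {
    df -P -BG "$1" | awk 'NR == 2 { print $4 }' | tr -dc '0-9'
}

# Report each prerequisite the steps above are meant to satisfy;
# returns non-zero if any is missing. The 40 GiB threshold is assumed.
preflight() {
    cfg=${1:-/etc/selinux/config}; rc=0
    mode=$(selinux_mode_from_config "$cfg" 2>/dev/null || true)
    if [ "$mode" != "disabled" ]; then
        echo "SELINUX is '${mode:-unset}' in $cfg, expected 'disabled' (reboot after changing)"; rc=1
    fi
    if ! grep -qs '^/swapfile ' /proc/swaps; then
        echo "/swapfile is not active: run mkswap and swapon"; rc=1
    fi
    if ! grep -qs '^/swapfile ' /etc/fstab; then
        echo "/swapfile is not in /etc/fstab, so swap will not survive a reboot"; rc=1
    fi
    free=$(free_gib / 2>/dev/null || true)
    if [ "${free:-0}" -lt 40 ]; then
        echo "less than 40 GiB free on /: check that xfs_growfs / ran after the reboot"; rc=1
    fi
    return $rc
}

# Usage: sh preflight.sh --check [/path/to/selinux/config]
if [ "${1:-}" = "--check" ]; then
    preflight "${2:-}" && echo "pre-flight OK"
fi
```

Run it with --check after the final reboot; each failed check names the step above that still needs doing, and the script exits non-zero until all of them pass.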
Copy the Community Edition to a temporary directory, mount it and run the setup as per the IBM instructions. You get the standard appliance install screens; it tells you that you have insufficient memory, but continues to install an appliance type "300".
Eventually you get a working QRadar CE system! Don't forget this doesn't have all the DSMs, so you may need to get RPMs from IBM Fix Central for additional log source support.
Regards.