How to Install IBM QRadar Community Edition and Configure WinCollect and Sysmon
In this comprehensive guide, we will walk through installing and deploying IBM QRadar Community Edition 7.3.3. Additionally, we will explore how to forward Windows logs to QRadar using WinCollect and Sysmon.
IBM QRadar: A Powerful SIEM Tool
IBM QRadar is a leading SIEM (Security Information and Event Management) tool that collects, normalizes, and analyzes log and network data in real time. QRadar uses these logs to manage network security by providing real-time monitoring, warnings and offenses, and responses to network risks.
Step-by-Step Installation Procedure
1. First, download the QRadar Community Edition OVA file from IBM’s official website (note: you need to sign up to download the file).
2. You need desktop virtualisation software such as VMware Workstation Pro or VirtualBox to install QRadar. I used VMware Workstation Pro.
3. Open the downloaded QRadar OVA file in VMware and make sure the virtual machine meets the hardware requirements:
RAM: 8 GB
Storage: 256 GB
Network setting: NAT
4. Run the virtual machine and press Enter to start the boot.
5. The prompt will ask for the username:
Default username: root
6. You will be asked to set a new CLI (command line interface) password in the next step.
7. Now run the “./setup” command and you will see the license agreement. Press “q” to skip through the license text, then “Y” to confirm and start the installation. Now sit back and have a cup of coffee; it will take around 1.5–2 hours.
Note: If you see the error “ERROR: hostname must be a fully qualified domain name ERROR: Generating AUTO_INSTALL_INSTRUCTIONS file failed.” during installation, run this command:
hostnamectl set-hostname localhost.localdomain
This resolves the issue; then repeat the process from step 7.
8. At the end of the installation, you will be asked to set a password for the QRadar console.
9. Now run “ifconfig” to find the machine’s IP address, which you will need to open the QRadar console in your browser:
10. Open a browser and go to “https://YourIP/console”, e.g. “https://192.168.1.1/console”, to open the QRadar console.
11. You will be taken to the QRadar login page, where you enter the credentials you set up earlier for the QRadar console:
12. In the next step, we will install and configure WinCollect as well as Sysmon to forward Windows logs to QRadar.
WinCollect: Your Windows Event Forwarder
WinCollect is a syslog event forwarder that sends events from Windows to QRadar. WinCollect can be set up to collect events from the local system or to poll other Windows systems for events remotely.
Installation Procedure for WinCollect
1. Download the WinCollect installer (WinCollect binary).
2. Open the downloaded installer and enter the IP address of the QRadar host to which you want to forward events.
3. After installation completes, search for “IBM WinCollect 10 Console” from the Windows Start button; a new tab will open in the browser:
4. Now verify whether WinCollect is connecting to QRadar by clicking “Test Connection” in “Agent Settings”:
5. By default, the “Application, System, Security” event sources are already configured, but you may add new sources as required:
6. I have added the “sysmon” source for detailed events; the Sysmon installation procedure is described in the next section:
7. In “Log Viewer”, you can monitor in real time the events being forwarded to QRadar and any connectivity issues:
Sysmon
System Monitor (Sysmon) is a Windows system service and device driver that logs detailed information about process creation, network connections, and changes to file creation time, which is helpful for analysis in a SIEM.
Installation Procedure for Sysmon
1. Download Sysmon from this link and extract it.
2. Save this config file as config.xml.
3. Open the command prompt as administrator and run the following to install Sysmon (note: replace the path at the end of the command with the location where you saved config.xml):
sysmon64.exe -accepteula -i c:\windows\config.xml
4. To verify that Windows is sending logs, look for the sysmon entry in the “Log Viewer” tab of the IBM WinCollect Console.
5. After installation, you will also see the sysmon entry in the QRadar Log Sources section. To access it, go to the “Admin” tab and open “Log Sources”:
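The checks in steps 4 and 5 above, and the “Test Connection” check in the WinCollect section, can be scripted so that a broken link in the chain (Sysmon not logging, WinCollect service stopped, QRadar unreachable) is found before you go looking in the QRadar console. The script below is an added example and is not part of the original guide or of IBM’s or Microsoft’s tooling. It assumes Sysmon64.exe was extracted to C:\Tools\Sysmon, that the config lives at C:\Windows\config.xml (the path from the install command above), that WinCollect 10 is installed as a standalone agent whose service name contains “WinCollect”, and that the agent forwards to QRadar over syslog on TCP port 514; the IP address is the placeholder from step 10 and must be replaced.

```powershell
# Added example (not from the original guide): install or refresh Sysmon and verify the
# Sysmon -> WinCollect -> QRadar forwarding chain from the Windows host. Run as Administrator.
param(
    [string]$SysmonDir  = 'C:\Tools\Sysmon',        # assumption: where Sysmon was extracted
    [string]$ConfigPath = 'C:\Windows\config.xml',  # path used in the guide's install command
    [string]$QRadarIP   = '192.168.1.1',            # placeholder from the guide; replace with your QRadar IP
    [int]$SyslogPort    = 514                       # assumption: syslog port WinCollect forwards to
)

$sysmon = Join-Path $SysmonDir 'Sysmon64.exe'
if (-not (Test-Path $sysmon))     { throw "Sysmon64.exe not found at $sysmon" }
if (-not (Test-Path $ConfigPath)) { throw "Sysmon config not found at $ConfigPath" }

# 1. Install Sysmon with the configuration (same flags as the guide). If the service is
#    already present, reload the configuration in place with -c instead of reinstalling.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $sysmon -c $ConfigPath
} else {
    & $sysmon -accepteula -i $ConfigPath
}

# 2. Confirm the Sysmon service is running.
$svc = Get-Service -Name 'Sysmon64'
"Sysmon64 service status: $($svc.Status)"

# 3. Confirm Sysmon is writing to its operational channel. Event ID 1 is ProcessCreate and
#    ID 3 is NetworkConnect; on a live host both appear within minutes. No events at all
#    usually means the config's filters exclude everything or the service is stopped.
$recent = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue
if (-not $recent) {
    Write-Warning 'No Sysmon events found yet; check the config filters and the service state.'
} else {
    $recent | Group-Object Id | Sort-Object { [int]$_.Name } |
        ForEach-Object { "Sysmon event ID $($_.Name): $($_.Count) of the last $($recent.Count) events" }
}

# 4. Confirm the WinCollect agent service is running (service name assumed to contain "WinCollect").
$wc = Get-Service -Name '*WinCollect*' -ErrorAction SilentlyContinue
if (-not $wc) {
    Write-Warning 'No WinCollect service found; is the agent installed?'
} else {
    $wc | ForEach-Object { "WinCollect service $($_.Name): $($_.Status)" }
}

# 5. Confirm this host can reach QRadar on the syslog port. If this fails, the "Test Connection"
#    button in the WinCollect console fails too; with the VM on NAT, check the VMware network
#    and the Windows firewall between the two.
$probe = Test-NetConnection -ComputerName $QRadarIP -Port $SyslogPort -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    "TCP $SyslogPort to $QRadarIP is reachable"
} else {
    Write-Warning "Cannot reach $QRadarIP on TCP $SyslogPort; events will queue in WinCollect until the path is fixed"
}
```

Save this as a .ps1 file and run it from an elevated PowerShell prompt; the Sysmon event counts per ID are a quick way to confirm that the config you saved actually enables the event types you expect before you start hunting for them in QRadar’s Log Activity tab.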
IBM QRadar Console
In the QRadar Console, you can see that QRadar is receiving different kinds of logs in the “Log Activity” tab in real time:
Conclusion
In conclusion, this comprehensive guide provides a step-by-step process for installing and configuring IBM QRadar Community Edition 7.3.3, WinCollect, and Sysmon. By following these steps, you can effectively set up a powerful SIEM tool that collects, processes, and analyzes real-time network data. This setup will significantly enhance your cyber security capabilities by providing real-time data monitoring, warnings, offenses, and responses to network risks. Remember, the key to successful implementation lies in careful attention to each step and understanding the role of each component in the overall system. Happy configuring!