How to Install IBM QRadar Community Edition and Configure WinCollect and Sysmon

Zain
5 min readNov 21, 2022

--

In this comprehensive guide, we will delve into the process of installing and deploying the IBM QRadar Community Edition 7.3.3. Additionally, we will explore how to forward Windows logs to QRadar using WinCollect and Sysmon

IBM QRadar: A Powerful SIEM Tool

IBM QRadar is a leading SIEM (Security Information and Event Management) tool that collects, processes, performs analysis, and gathers real-time network data. QRadar leverages these logs to manage network security by providing real-time data monitoring, warnings and offenses, and responses to network risks.

Step-by-Step Installation Procedure

  1. Firstly, download the QRadar OVA community edition file from IBM’s official website: (Note: You need to sign up to download the file)
  2. You require a desktop virtualisation software application, i.e. VMware Workstation pro or Virtualbox, to install Qradar. I used VMware Workstation pro
  3. Open the downloaded QRadar OVA file in VMware and make sure it meets the hardware requirements:
    RAM: 8 GB
    Storage: 256 GB
    Network Setting: NAT
Run the virtual machine and start the boot

4. Run the virtual machine and press enter to start the boot

5. The prompt will ask for the username:
Default username: root

Enter username and password

6. New CLI (command line interface) password will be required in next step

7. Now run the “./setup” command, and you will see the license agreement. Press “q” to quickly jump, and then “Y” for confirmation to start the installation. Now sit back and have a cup of coffee. It will take around 1.5–2 hours.

Run ./setup command
Confirm installation

Note: If you face the error “ERROR: hostname must be a fully qualified domain name ERROR: Generating AUTO_INSTALL_INSTRUCTIONS file failed.”
For the issue during installation, run this command:
“hostnamectl set-hostname localhost.localdomain”
It will resolve the issue and follow the process again from point 7

8. At the end of the installation, a password will be required to set up the QRadar console

9. Now run “ifconfig” to check the machine IP, which will be required to open the QRadar console on your browser:

Complete installation

10. Open the browser and type “https://YourIP/console”, i.e. “https://192.168.1.1/console”, to open the QRadar console

11. You will get prompted to the QRadar Login page, where you need to enter the credentials that you set up earlier for the QRadar console:

IBM QRadar Community Edition
IBM QRadar Console

12. In the next step, we will install and configure Wincollect as well as Sysmon to forward the Windows logs to QRadar

WinCollect: Your Windows Event Forwarder

WinCollect is a Syslog event forwarder that is helpful in forwarding events from Windows to QRadar. WinCollect can be set up to collect events from local systems to poll other Windows systems for events remotely.

Installation Procedure for WinCollect

  1. Download the wincollect from Wincollect binary
  2. Open the downloaded installer and enter the QRadar IP where you have to forward the events
Download and install WinCollect
WinCollect Configuration: Enter the QRadar IP

3. After installation completion, search “IBM Wincollect 10console” from Widows Start button, and a new tab will open in the browser:

IBM WinCollect Console

4. Now verify either Wincollect is making a connection with QRadar in “Agent Settings” by clicking “Test Connection”:

IBM Wincollect: Agent Settings

5. By default, “Application, System, Security” event sources are already configured, but you may add new sources as per your requirement:

IBM Wincollect: Local Sources

6. I have added the “sysmon” source for detailed events and mentioned the “sysmon” installation procedure in the next section:

IBM Wincollect: XPATH Query

7. In “Log Viewer”, you can view the real-time monitoring of events forwarding to QRadar and relevant connectivity issues:

IBM Wincollect: Log Viewer

Sysmon

System Monitor (Sysmon) is a Windows system service that provides detailed information about network connections, process creations, and changes to file creation time which is helpful for analysis in SIEM.

Installation Procedure for Sysmon

  1. Download Sysmon from this link and extract it
  2. Save this config file as config.xml
  3. Open the command prompt as administrator to install sysmon and type:

Note: Define the proper path at the end of the command where you saved the config.xml

sysmon64.exe –accepteula –i c:\windows\config.xml

4. To verify that Window is sending logs, you will find the sysmon entry in IBM Wincollect Console in the “Log Viewer” tab

IBM Wincollect: Log Viewer

5. After installation, you will see the sysmon entry in the QRadar Log Sources section. To access it, go to the “Admin” tab and open “Log Sources”:

IBM QRadar:Admin Tab
IBM QRadar: Log Sources

IBM QRadar Console

In the QRadar Console, you can see that QRadar is receiving different kinds of logs in the “Log Activity” tab in real time:

IBM QRadar Console: Log Activity

Conclusion

In conclusion, this comprehensive guide provides a step-by-step process for installing and configuring IBM QRadar Community Edition 7.3.3, WinCollect, and Sysmon. By following these steps, you can effectively set up a powerful SIEM tool that collects, processes, and analyzes real-time network data. This setup will significantly enhance your cyber security capabilities by providing real-time data monitoring, warnings, offenses, and responses to network risks. Remember, the key to successful implementation lies in careful attention to each step and understanding the role of each component in the overall system. Happy configuring!

--

--

Zain
Zain

Written by Zain

Cyber Security Enthusiast

Responses (2)