mark cardiff
INSTALLING QRADAR CE
QRadar Community Edition (v7.3.3) is available as a handy OVA file, which is completely unusable for Proxmox!
An OVA file is a tar archive, so you can extract it to reveal the .vmdk file. This is the file we will use as the Proxmox VM's hard disk.
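Because the extracted .vmdk becomes the boot disk of a security appliance, it is worth checking it against the OVA's manifest before importing it. The script below is an added example, not part of the original post; it assumes the OVA carries an OVF manifest (`*.mf`), and the function names `verify_manifest` and `unpack_ova` are hypothetical.

```shell
#!/bin/sh
# Added example: unpack an OVA and check it against its manifest before import.
# Assumption: the OVA contains an OVF manifest (*.mf) with lines of the form
#   SHA256(QCE-jan22-disk1.vmdk)= <hex digest>

# verify_manifest DIR: 0 = all listed files match, 1 = mismatch, 2 = no manifest
verify_manifest() {
    dir=$1
    mf=$(ls "$dir"/*.mf 2>/dev/null | head -n 1)
    [ -n "$mf" ] || { echo "no manifest in $dir, nothing to verify" >&2; return 2; }
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')   # tolerate CRLF manifests
        [ -n "$line" ] || continue
        alg=${line%%(*}; alg=${alg% }          # digest name before "("
        rest=${line#*(}; file=${rest%%)*}      # file name between "(" and ")"
        want=$(printf '%s' "${line##*=}" | tr -d ' ' | tr 'A-F' 'a-f')
        case $alg in
            SHA256) tool=sha256sum ;;
            SHA1)   tool=sha1sum ;;
            *) echo "unsupported digest: $alg" >&2; rc=1; continue ;;
        esac
        # A manifest only names files that sit next to it; reject anything else.
        case $file in
            */*|..*) echo "refusing path: $file" >&2; rc=1; continue ;;
        esac
        got=$($tool "$dir/$file" 2>/dev/null | cut -d' ' -f1)
        if [ -n "$got" ] && [ "$got" = "$want" ]; then
            echo "OK       $file"
        else
            echo "MISMATCH $file" >&2; rc=1
        fi
    done < "$mf"
    return $rc
}

# unpack_ova OVA DIR: extract the tar archive into DIR, then verify it
unpack_ova() {
    mkdir -p "$2" && tar -xf "$1" -C "$2" && verify_manifest "$2"
}

# Usage: sh verify_ova.sh <file.ova> <empty directory>
# Import the extracted .vmdk only when this exits 0.
[ "$#" -lt 2 ] || unpack_ova "$1" "$2"
```

An exit status of 2 means the archive had no manifest, in which case compare the OVA's checksum with one published by the download source instead.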
How to install an OVA VM in Proxmox:
Step 1: Create a new VM (with dummy virtual hard disk).
Step 2: Detach the dummy disk and delete it.
Step 3: Import the vmdk file to Proxmox.
Step 4: Convert vmdk to a usable disk.
Step 5: Add the disk to the VM.
Step 1: Create a new VM (with dummy virtual hard disk).
In Proxmox create a new VM. Take note of the VM ID.
There is no need to add any media for this VM, as we will add a disk later with OS installed already.
You will have to add a disk; it will be deleted later, so its configuration is not important.
For my QRadar VM I will be creating a VM with 2 CPU cores and 6GB RAM.
Step 2: Detach the dummy disk and delete it.
Before adding the QRadar vmdk file, we need to delete the disk that was created when the VM was added.
Open the VM configuration and select Hardware.
Select the Hard Disk and click "Detach". The disk must be detached before it can be deleted.
The hard disk status changes to "Unused". Select the disk again and now the option to "Remove" is available. Now that the disk is removed we can add the vmdk file for QRadar.
Step 3: Import the vmdk file to Proxmox.
We need to copy the vmdk file to Proxmox; I did this using WinSCP.
You want to copy the file to the path: /var/lib/vz/images/
Step 4: Convert vmdk to a usable disk.
Now that the file is in Proxmox, open the shell on the Proxmox server.
The command to import / convert the vmdk file is:
qm importdisk 101 QCE-jan22-disk1.vmdk local-lvm -format qcow2
Note that 101 is my VM ID, and the file is the vmdk copied onto Proxmox.
Proxmox will copy the vmdk file into a usable disk. The disk should now be listed in Proxmox as available.
Step 5: Add the disk to the VM.
The final step is to assign the disk to the VM.
Back in our VM 101, go to Hardware and the disk will show up as "Unused".
Select the unused disk and click "Edit".
Select the Bus/Device:
For the QRadar image I am using, I had to select IDE.
Before starting the VM, go to Options and set the boot order with the HDD at the top.
Now you can start the VM, make it boot from the hard drive and you can begin to install QRadar CE!
Note that setting the IP using nmtui before install kept breaking my install; instead I let my console get a DHCP IP and then reserved whatever it took on the router.
IMPORTANT: SSH to the console as root and paste the following command if there are no logs showing:
if [ -f /opt/qradar/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/ecs/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ; fi ; if [ -f /usr/eventgnosis/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /usr/eventgnosis/ecs/license.txt ; fi ; if [ -f /opt/qradar/conf/templates/ecs_license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/conf/templates/ecs_license.txt ; fi
REFERENCE: IBM support page
Auto Update Issues: if your auto updates are failing, there are a couple of troubleshooting checks:
1. Check the auto update URL, as QRadar changed it in November 2020.
2. If auto update still fails, update the auto update: