You can use these instructions to specifically add a remote collector in a RedHat system. 

This remote log collector only works with RHEL 7.5, with no additional updates.

Armor does not explicitly support adding a remote collector in a RedHat system; however, you can use the following instructions as basic guidance.

Step 1: Review requirements and pre-installation considerations

Resource requirements

Supported operating system    RedHat 7.5
NTP                           NIST recommended
Minimum Free Space            Primary Device: 30GB; Secondary Device: 1024G
Disk IOPS                     300
Data Transfer Rate (MB/s)     300

Partitioning guide

Mount Path        Size                         LVM Supported?
/boot             1 GB                         No
/boot/efi         200 MB                       No
/var              5 GB                         Yes
/var/log          15 GB                        Yes
/var/log/audit    3 GB                         Yes
/opt              10 GB                        Yes
/home             1 GB                         Yes
/storetmp         15 GB                        Yes
/tmp              3 GB                         Yes
swap              12GB <> 24GB (75% of RAM)    Not applicable
/                 15 GB                        Yes
/store            80% of remaining space       Yes
/transient        20% of remaining space       Yes

RAID configuration

RAID0     Not supported
RAID5     Not supported
RAID50    Not supported

Step 2: Configure your environment

  1. Copy the Red Hat Enterprise Linux minimal ISO to a DVD or a bootable USB flash drive.
  2. Insert the portable storage device into your appliance, and then restart your appliance.
  3. From the start menu, perform one of the following options:  
    • Select the USB or DVD drive as the boot option. 
    • To install on a system that supports Extensible Firmware Interface (EFI), you must start the system in legacy mode. 
  4. When prompted, log into the system as the root user.
  5. In the installation wizard, follow the on-screen instructions:
    1. Set the language to English (US).
    2. Click Date & Time, and then set the time for your deployment.
    3. Click Installation Destination, and then select I will configure partitioning.
    4. In the drop-down list, select LVM.
    5. To add the mount points and capacities for your partitions, click Add, and then click Done.
    6. Click Network & Host Name.
    7. Enter the hostname for your appliance.
      1. The hostname is case-sensitive and must exactly match the letter casing used in the logs that are sent to this log source.
    8. In the list, select the interface, move the switch to ON, and then click Configure.
    9. In the General tab, select Automatically connect to this network when it is available.
    10. In the IPv4 Settings tab, select Manual in the Method list.
    11. To enter the IP address, Netmask, and Gateway for the appliance in Addresses, click Add.  
    12. Add two DNS servers.
    13. Click Save, click Done, and then click Begin Installation.
  6. Set the root password, and then click Finish configuration.
    • Armor recommends at least ASCII characters, with upper-case letters, lower-case letters, and special characters. 
    • Save this password in a secure password vault. 
  7. Edit /etc/ssh/sshd_config to ensure the following configurations:
    • PermitRootLogin yes
    • PasswordAuthentication yes
  8. In /root/.ssh/authorized_keys, remove all keys.
  9. Disable SELinux, and then after the installation process is complete, restart the system. 
  10. Via SSH, validate root login with password.
    • ssh -o PreferredAuthentications=password -l root <collector IP address or hostname>
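
The settings from Step 1 and Step 2 can be checked before you run the QRadar setup. The following shell script is an added example, not Armor or IBM code; the function names and the REQUIRED_MOUNTS list (taken from the partitioning guide, minus swap and /boot/efi) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Armor or IBM code): pre-flight check of the Step 1 and
# Step 2 settings. Function names and REQUIRED_MOUNTS are this example's own.

# Mount paths from the partitioning guide. swap is not a mount path and
# /boot/efi exists only on EFI installs, so both are left out.
REQUIRED_MOUNTS="/ /boot /var /var/log /var/log/audit /opt /home /storetmp /tmp /store /transient"

# Print the first uncommented global value of an sshd_config keyword (sshd
# keeps the first value it reads). Parsing stops at the first Match block.
sshd_value() {  # usage: sshd_value KEYWORD FILE
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# Print the SELINUX= mode from an /etc/selinux/config style file.
selinux_mode() {  # usage: selinux_mode FILE
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Print each required mount path that is absent from a /proc/mounts style file.
missing_mounts() {  # usage: missing_mounts FILE
    for m in $REQUIRED_MOUNTS; do
        awk -v want="$m" '$2 == want { found = 1 } END { exit !found }' "$1" \
            || echo "$m"
    done
}

# Run every check, print one line per finding, return non-zero on any finding.
preflight() {  # usage: preflight SSHD_CONFIG SELINUX_CONFIG MOUNTS
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        v=$(sshd_value "$kw" "$1")
        [ "$v" = "yes" ] || { echo "sshd: $kw is '${v:-unset}', expected yes"; rc=1; }
    done
    v=$(selinux_mode "$2")
    [ "$v" = "disabled" ] || { echo "selinux: mode is '${v:-unset}', expected disabled"; rc=1; }
    for m in $(missing_mounts "$3"); do
        echo "mount: $m is not a separate mount point"; rc=1
    done
    return $rc
}
```

On the collector, call preflight /etc/ssh/sshd_config /etc/selinux/config /proc/mounts as root. A keyword that is absent from sshd_config is reported as unset so that the setting is made explicit; sshd -T prints the effective configuration, including defaults.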

Step 3: Install the event collector

  1. Copy the QRadar ISO to the device.
  2. Create the /media/cdrom directory. To do so, enter the following command: mkdir /media/cdrom
  3. Mount the QRadar ISO. To do so, enter the following command: mount -o loop <path to the QRadar ISO> /media/cdrom
  4. Run the QRadar setup. To do so, enter the following: /media/cdrom/setup
    • A new kernel may be installed as part of the installation, which requires a system restart. After the system restart, repeat the commands in steps 3 and 4 of this procedure (mount and setup) to continue the installation.
  5. In Software Installed System, select Software Install, and then select Next.  
  6. In Software Appliance Assignment, select Event Collector, and then select Next.
  7. In Type of Setup, select Normal Setup (default), and then select Next.
  8. In Select Continent/Area, select UTC, and then select Next.
  9. In Internet Protocol Setup, select ipv4 Internet Protocol version 4, and then select Next.
  10. If required, select the bonded interface setup. (This action is not supported by Armor.)
  11. Select the management interface.
  12. In the wizard, in Hostname, enter a fully qualified domain name.
  13. In IP address, enter a static IP address or use the assigned IP address.
  14. If you do not have an email server, then in Email server name, enter localhost.
  15. Do not modify the root password. 
  16. Click Finish.
  17. In the installation wizard, follow the instructions to complete the installation. The installation process may take a few minutes.
  18. Reboot. 
