Steps to Installing the Universal REST API Protocol in IBM QRadar
The Universal REST API is an active, outbound protocol for QRadar. It can be customized to collect events from other REST APIs, which makes it useful for data sources that have no dedicated protocol of their own.
Installation
Before we can use the Universal REST API DSM and Protocol in QRadar, we have to install the Protocol so that it appears in the list of supported protocols in your app.
The installation is usually straightforward, but we have seen some issues where installing the protocol runs into a number of minor snags on some machines. To ensure that your installation goes well, follow the steps below as closely as possible and make note of any deviations in case you need to troubleshoot later.
Prerequisites
- You should have a fresh install of QRadar 7.3.3 FixPack6 or QRadar 7.4.2+ (or any other QRadar version that supports the Universal REST API Protocol).
- You should have downloaded the Universal REST API Protocol RPM file from IBM's site. Search for “Universal REST API Protocol RPM” on IBM Fix Central. The file will have a name like 7.4.0-QRADAR-PROTOCOL-UniversalCloudRESTAPI-7.4-20210226025732.noarch.rpm
Installation steps
- SCP the RPM file to the QRadar server with
scp <rpm file> root@<qradar-server>:~
- SSH into the QRadar server with
ssh root@<qradar-server>
- Check whether there is an environment variable called NVA_CONF on the server by typing
env | grep NVA_CONF
- If the environment variable is not set, the command will return empty output.
Depending on whether the variable is set or not, follow one of the two options below to install the RPM. Go into superuser mode with sudo su for the next steps.
Option 1: NVA_CONF is NOT set
Use this option if the NVA_CONF environment variable is NOT set on your QRadar server. Find the location of the nva.conf file. By default, it should be located at /opt/qradar/conf/nva.conf. You should set the value of NVA_CONF in the next step to point to this file.
Install the RPM by running the command:
NVA_CONF=/opt/qradar/conf/nva.conf rpm -i <rpm file>
Option 2: NVA_CONF is set
Use this option if the NVA_CONF environment variable is already present on your QRadar server. In this case, do NOT set the NVA_CONF variable yourself: it is already set and may point to a file or path other than the default.
Install the RPM by running the command:
rpm -i <rpm file>
The installation should proceed without any errors. Once the installation is done, you have to perform a “Deploy Full Configuration” from the QRadar admin tab.
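The decision between Option 1 and Option 2 can be made by a small wrapper script. The following is an added example, not a script from IBM or from the original post; it assumes it is run as root on the QRadar console, that the RPM path is its first argument and contains no spaces, and that the default nva.conf path is /opt/qradar/conf/nva.conf as stated above. It also checks that the nva.conf the install will depend on actually exists before calling rpm, which is the missing-path failure described later in this post.

```shell
#!/bin/sh
# Added helper (not from IBM or the original post) that applies the NVA_CONF
# decision above: it checks whether NVA_CONF is set, verifies the nva.conf file
# the install will rely on actually exists, and only then runs rpm -i.
# Assumptions: run as root on the QRadar console; the RPM path is argument 1
# and contains no spaces.

DEFAULT_NVA_CONF=/opt/qradar/conf/nva.conf

# Print the rpm command matching the server's NVA_CONF state.
# $1 = rpm file, $2 = current NVA_CONF value ("" when unset)
build_install_cmd() {
    if [ -z "$2" ]; then
        # Option 1: variable absent, so point rpm at the default nva.conf
        printf 'NVA_CONF=%s rpm -i %s\n' "$DEFAULT_NVA_CONF" "$1"
    else
        # Option 2: variable present, leave it alone
        printf 'rpm -i %s\n' "$1"
    fi
}

# Verify the nva.conf the install will use exists ($1 = current NVA_CONF,
# empty means the default path). Returns 0 if present, 1 otherwise.
check_nva_conf() {
    conf=${1:-$DEFAULT_NVA_CONF}
    if [ -f "$conf" ]; then
        echo "using nva.conf at $conf"
        return 0
    fi
    echo "nva.conf not found at $conf; rpm -i would fail with missing-path errors" >&2
    return 1
}

main() {
    rpm_file=$1
    [ -f "$rpm_file" ] || { echo "usage: $0 <rpm file>" >&2; exit 2; }
    # Same check as 'env | grep NVA_CONF' in the steps above
    current=$(env | grep '^NVA_CONF=' | cut -d= -f2-)
    check_nva_conf "$current" || exit 1
    cmd=$(build_install_cmd "$rpm_file" "$current")
    echo "running: $cmd"
    eval "$cmd"
}

# Run only when given an argument, so the functions can also be sourced
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Save it as, for example, install_uc_rest.sh on the console and run it as root with the RPM path; the "Deploy Full Configuration" step still has to be done in the Admin tab afterwards.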
Setting the log source
After the configuration is deployed, the protocol will appear in the list when you try to create a log source in QRadar.
And voila! All set.
Why do we have this post?
So, as you can see, the installation is fairly straightforward. Why, then, do we have this document?
Well, if the NVA_CONF variable is not set, the RPM file tries to install files to paths that do not exist, and we get installation errors that do not make much sense (for example directory/appconfig not found). If you get any errors when installing the RPM, then it is most likely due to a missing or misconfigured NVA_CONF.
If you are considering any custom cybersecurity solution that focuses on the resources and needs of your organization, please send a note to connect@metronlabs.com.