QRadar Architecture for Newbies
by Karl Jaeger
A Fastpath to QRadar
If you are new to QRadar, start at QRadar 101: https://www.ibm.com/community/qradar/. Download the free community edition at QRadar CE and install it on your PC as a virtual machine. Use another VM as your live log source, e.g. Ubuntu desktop. Find out how easily it can be integrated. Then define your virtual network as a new flow source and monitor the live traffic in and out of your network interface. Search the community for your questions first. Most of them have been answered already. Don't be a fool and ask for something that has been discussed many times before.
Architecture is a blackbox
Most of us look at QRadar as a black box, because we will probably never see the code itself. However, there is no need to. We just want to get an idea of its components and how they work together. If you have some software development experience, this helps a lot :-)
QRadar basically consists of three components: the backend CMS called hostcontext, the frontend web server, which is Tomcat, and apps.
As all GUI client data is passed from your browser via the frontend web server to the backend CMS and back again, much of what you already know about state-of-the-art web-based applications applies to QRadar as well. However, QRadar is somewhat different and comes with a couple of features that may confuse beginners. Before we get there, let's have a look at the CMS first (picture 1).
This seems to be relatively straightforward. The service is up and running. If we use the -l option, we can look at the inner service structure. There is plenty of server-based Java code used by the CMS (picture 2).
The second part of Java code you can see in your browser context, being executed while you work with the GUI (picture 2b). The Firefox inspector is my favorite tool for web code inspection.
The third important code part of QRadar is apps. Traditionally they did not exist at all. Starting with release 7.2, the REST API was introduced and the new SDK was released to enable you to develop your own apps. There are more than 100 apps available at https://exchange.xforce.ibmcloud.com/hub and most of them are free of charge.
QRadar runs as many apps as you have memory and power available. Please use an app host. QRadar apps run in dedicated containers of their own and thus are independent of the CMS. When you install an app, it gets a unique ID assigned to it. The state of each app is stored in psql and can be monitored using the psql query shown in picture 3.
Typically, apps ask the CMS via the REST API for data stored in the proprietary ARIEL database. That's where all the data from your >1000 log sources gets securely stored. You can use the REST API from your own scripts to talk to the headless CMS. This allows communicating with QRadar from outside without any need for the browser and is ideally suited for any kind of automated collaboration (picture 4) with 3rd-party apps.
The REST API can easily be tried out using the GUI, which comes back with ready-made curl commands for your own SecDevOps processes.
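A script of the kind described above, as an added example (not code from the original post or from IBM): it starts an Ariel search through the REST API's `/api/ariel/searches` endpoint, authenticating with a `SEC` token header, polls the search, and fetches the results. The console hostname, token, function names and canned responses are constructed assumptions so the block runs offline.

```python
import json
import time
import urllib.parse
import urllib.request


def build_request(console, token, method, path, params=None):
    """Authenticated REST call; the SEC header carries an authorized service token."""
    url = f"https://{console}/api/{path}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = {"SEC": token, "Accept": "application/json"}
    return urllib.request.Request(url, method=method, headers=headers)


def send(req):
    """Default transport. urllib verifies the console's TLS certificate."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def run_aql(console, token, aql, transport=send, poll_seconds=2, max_polls=30):
    """Start an Ariel search, poll until it completes, return the event rows."""
    search = transport(build_request(console, token, "POST", "ariel/searches",
                                     {"query_expression": aql}))
    path = "ariel/searches/" + urllib.parse.quote(search["search_id"], safe="")
    polls = 0
    while search["status"] != "COMPLETED":
        if search["status"] in ("CANCELED", "ERROR") or polls >= max_polls:
            raise RuntimeError(f"search ended as {search['status']}")
        time.sleep(poll_seconds)
        search = transport(build_request(console, token, "GET", path))
        polls += 1
    return transport(build_request(console, token, "GET", path + "/results"))["events"]


def demo():
    """Offline run against constructed responses instead of a real console."""
    canned = iter([
        {"search_id": "constructed-id-1", "status": "WAIT"},
        {"search_id": "constructed-id-1", "status": "COMPLETED"},
        {"events": [{"sourceip": "192.0.2.10", "hits": 42}]},
    ])
    aql = "SELECT sourceip, COUNT(*) AS hits FROM events GROUP BY sourceip LAST 10 MINUTES"
    return run_aql("qradar.example.test", "PLACEHOLDER-TOKEN", aql,
                   transport=lambda req: next(canned), poll_seconds=0)


if __name__ == "__main__":
    print(demo())
```

Against a real console, read the authorized service token from an environment variable or secret store rather than hard-coding it. If the console certificate is issued by a private CA, give urllib that CA bundle instead of turning certificate verification off.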
QRadar "features"
Earlier I promised to talk about QRadar features. One is that the IP address of the Tomcat host where the GUI resides cannot easily be changed. As it is bound to the backend CMS, you had better install a fresh copy. Now why is that?
We use this as an example to have a closer look at the inner parts of QRadar. Of course we use the CLI for that. Nearly 100% of all config data is stored in a Postgres database. Whenever you make a change in your admin GUI, the CMS checks your input against what's already stored in the db. If your changes are validated, they are rolled out by the CMS into its database. This requires your interaction: the admin user is asked to deploy the changes made before. Let's have a look at the database tables in psql (picture 5). The psql command asks for all tables in the db to be stored in a file. More than 1000 tables! That's a huge database. Now we ask the database for the IP address of the QRadar host (picture 6). Of course this should match your ifconfig output. You are in deep shit if not! Here is the $100 question you can now answer for yourself:
Can the IP address easily be changed in the db? As you already assumed, it cannot. I'm not saying it can't be done. It is just complex. So please take care and contact support if you are uncertain.
Conclusion
Next time you click a JavaScript button in the GUI and impatiently watch your 100 config changes being deployed, think twice before blaming QRadar for the time-consuming procedure, and just enjoy watching QRadar work for you, without complaints in most cases!
"The End": who of you still remembers this fantastic Beatles song from the 1969 Abbey Road album? The original version can be found at
https://www.youtube.com/watch?v=1AN7S7n8VdM