Configuring the Flow Collector format

Flow collectors can export data to flow processors in either TLV (type-length-value) or Payload format.

The TLV format stores the content metadata properties in the flow record, and can be searched without extra configuration in QRadar®.

The payload format stores the content metadata properties in the payload field of the flow record. To run searches on the data, you must use custom properties to extract the data from the payload.

Before you begin

Before you configure the format that the Flow Collector uses, ensure that you complete the following tasks:

  • Install a QRadar Console with a QRadar Network Insights appliance attached as a managed host.
  • Perform a full deployment after you attach the IBM® QRadar Network Insights appliance as a managed host.

Important: Content extension v1.3.0 introduced support for TLV fields, which supersedes earlier content extensions that were based on custom properties. If you are using content extension v1.3.0 or later, you must set the flow collector format to TLV; otherwise the rules in the content pack don't work.

Procedure

  1. Log in to QRadar: https://QRadar_IP_Address

    The default user name is admin. The password is the password of the root user account.

  2. On the navigation menu, click Admin.
  3. In the navigation pane, click System Settings.
  4. Click the QFlow Settings menu, and in the IPFIX Additional Field Encoding field, choose the format.
    Table 1. QFlow format options

    | Flow Collector format | Description |
    |---|---|
    | TLV | Default setting for the flow collector format. Must be used when there is a QRadar Network Insights appliance in the environment. QRadar Network Insights V7.3.0 or later supports only TLV for content flows. Can also be used when there is no QRadar Network Insights appliance in the environment. |
    | Payload | Can be used when there is no QRadar Network Insights appliance in the environment. |
  5. Click Save.
  6. From the menu bar on the Admin tab, click Deploy Full Configuration and confirm your changes.
    Warning: When you deploy the full configuration, QRadar services are restarted. During this time, events and flows are not collected, and offenses are not generated.
  7. Refresh your web browser.