IBM Support

QRadar Network Insights: How to show QNI traffic from the Network Activity tab

Troubleshooting


Problem

My QRadar Network Insights managed hosts are configured per the Installation Guide. What steps are required for QNI traffic to show up on the Network Activity tab in the QRadar UI?

Resolving The Problem

To verify that the Network Activity tab displays traffic from your QRadar Network Insights (QNI) appliance, complete the following steps:
  1. Review the steps in the article QRadar Network Insights: Verify network cabling is correct and receiving network traffic to confirm that the appliance is installed correctly.
  2. Review the article Flow Source requirements for Network Activity.
  3. Log in to the QRadar Console with administrator privileges.
  4. On the navigation menu, click Admin.
  5. Scroll down to Flows and click Flow Sources.
  6. Click Add.
  7. In the Flow Source Name field, type a descriptive name for the flow connection. For example, if you are creating a flow source connection between qni1 and fp1, label it qni1tofp1.
  8. In the Target Flow Collector field, select a flow collector or accept the value provided.
  9. In the Flow Source Type list, select Netflow v.1/v.5/v.7/v.9/IPFIX.
  10. Leave Monitoring Interface set to Any.
  11. In the Monitoring Port field, select a port or accept the value provided.
  12. Optional: DTLS is not required for QNI to function; it is an extra step that protects the flow data in transit between QNI and the Flow Processor. To use it, select DTLS in the Linking Protocol list.
    Note: You can use only one DTLS connection per Flow Processor.
  13. Click Save.
  14. From the Admin tab, click Deploy Changes.
  15. Repeat the procedure for each QNI managed host.
  16. Using an SSH session, log in to the Console and then SSH to the Flow Processor designated to receive your QNI flows.
  17. Type the command: tailf /var/log/qflow.debug
  18. If you see a message similar to Interval 1568993340: 0 QNI content flows processed, the Flow Processor is not receiving any flows from the QNI appliance. Proceed to step 19.
  19. From the Admin tab, click System and License Management.
  20. Highlight the QNI managed host that is not sending flow data to the Flow Processor.
  21. Click Deployment Actions > Edit Host Connections.
  22. From the drop-down menu, choose the Flow Processor that you want your QNI appliance to send flow data to. None of these fields are pre-populated when the dialog opens; you must always populate them manually.
  23. Choose Standalone or Stacked and follow the wizard instructions as needed.
  24. At the final menu of the installation wizard, click Save.
  25. From the Admin tab, click Deploy Full Configuration.
  26. SSH back to the Flow Processor, run tailf /var/log/qflow.debug again, and confirm that the interval messages now report more than 0 QNI content flows being processed.
  27. Back in the QRadar console, open the Network Activity tab to see the QNI flows.
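The check in steps 17, 18 and 26 can be scripted rather than read by eye. The example below is added here and is not part of the IBM article: it parses the "Interval ...: N QNI content flows processed" lines that the article shows in qflow.debug and reports whether the latest interval carried any QNI flows. The log content is a constructed sample, and the exact line layout is assumed from the article's single example.

```shell
#!/bin/sh
# Added example, not IBM code: decide from a qflow.debug-style log whether
# the Flow Processor is receiving QNI content flows (article steps 17-18, 26).
# Assumed line layout (from the article's sample):
#   Interval 1568993340: 0 QNI content flows processed

# Constructed sample log standing in for /var/log/qflow.debug on the Flow Processor.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Interval 1568993280: 0 QNI content flows processed
Interval 1568993340: 0 QNI content flows processed
some unrelated debug output
Interval 1568993400: 137 QNI content flows processed
EOF

# Print the flow count from the most recent interval line in the log file.
# Field 3 of the matching line is the count; prints -1 if no such line exists.
latest_qni_count() {
    awk '/QNI content flows processed/ { n = $3 }
         END { print (n == "" ? -1 : n) }' "$1"
}

# Return 0 when the latest interval shows at least one QNI content flow,
# 1 when it shows zero (step 18: QNI is not sending flows to this processor),
# 2 when the log contains no interval line at all (qflow may not be running).
qni_flows_arriving() {
    count="$(latest_qni_count "$1")"
    if [ "$count" -gt 0 ]; then
        return 0
    elif [ "$count" -eq 0 ]; then
        return 1
    else
        return 2
    fi
}

echo "latest QNI content flow count: $(latest_qni_count "$SAMPLE_LOG")"
if qni_flows_arriving "$SAMPLE_LOG"; then
    echo "QNI flows are arriving; check the Network Activity tab"
else
    echo "no QNI flows in the latest interval; revisit Edit Host Connections (steps 19-25)"
fi
```

On a live Flow Processor, point the functions at /var/log/qflow.debug (or at the output of tail -n 200 saved to a file) instead of the constructed sample.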
Results
Your QNI now sends flow data to the Flow Processor. If these steps do not work, create a case with IBM QRadar support.


Document Information

Modified date:
19 September 2022

UID

ibm11089322