IBM Support

QRadar: Overflow records in Network Activity

Question & Answer


Question

I am seeing flows created for a flow type labeled 'overflow'. What are these and why are they generated?

Cause

An overflow record is created when the number of flows captured exceeds the licensed limit of the QFlow component.

Answer

One overflow record is created for each protocol seen after the license or governor limit is exceeded. These records are easy to identify because they always have a source IP address of 127.0.0.4 and a destination IP address of 127.0.0.5.

For example, suppose the license limit on the QFlow Collector is 100,000 flows. During a peak period, the QFlow appliance captures 120,000 flows for the interval (one minute). The excess 20,000 flows are not parsed; instead, an overflow record is created for each protocol seen in those 20,000 flows to capture their packet and byte counts. In essence, the overflow record is a per-protocol summary of the flows captured after the license limit is exceeded for the interval. The other information that would normally be normalized, such as source and destination addresses, ports, and a payload capture, is not collected or stored.

To view the license limit for your QRadar appliance, administrators can review licenses by clicking the Admin tab, then the System and License Management icon.
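As an added illustration (not IBM's code, and a simplified model of what the answer describes rather than QFlow's internals), this Python script applies a per-interval license limit to a constructed set of flows, collapses the excess into one overflow record per protocol carrying only packet and byte totals, and recognises overflow records by the fixed 127.0.0.4 to 127.0.0.5 address pair so that an analyst can spot intervals where per-flow visibility was lost. The `Flow` class and the `apply_license_limit`, `is_overflow_record` and `overflow_summary` functions are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
# Marker addresses QRadar stamps on every overflow record (from the answer above).
OVERFLOW_SRC = "127.0.0.4"
OVERFLOW_DST = "127.0.0.5"

@dataclass
class Flow:
    src: str
    dst: str
    protocol: str
    packets: int
    byte_count: int

def is_overflow_record(flow: Flow) -> bool:
    """Overflow records are recognised solely by the fixed 127.0.0.4 -> 127.0.0.5 pair."""
    return flow.src == OVERFLOW_SRC and flow.dst == OVERFLOW_DST

def apply_license_limit(flows: list, limit: int) -> list:
    """Simplified model of one interval: flows up to the license limit keep full detail;
    the rest collapse into one overflow record per protocol holding only packet and byte
    totals (no real endpoints, ports or payload). Treating the first `limit` flows as the
    ones kept is an assumption of this model, not documented QFlow behaviour."""
    kept = list(flows[:limit])
    totals = defaultdict(lambda: [0, 0])  # protocol -> [packets, bytes]
    for f in flows[limit:]:
        totals[f.protocol][0] += f.packets
        totals[f.protocol][1] += f.byte_count
    for proto in sorted(totals):
        pkts, nbytes = totals[proto]
        kept.append(Flow(OVERFLOW_SRC, OVERFLOW_DST, proto, pkts, nbytes))
    return kept

def overflow_summary(records: list) -> dict:
    """Defender's view: protocols that lost per-flow detail in this interval and how much
    traffic the summaries stand for. A non-empty result is a visibility gap worth alerting on."""
    return {r.protocol: (r.packets, r.byte_count) for r in records if is_overflow_record(r)}

# Constructed sample interval: license limit of 5 flows, 8 flows captured.
SAMPLE = [
    Flow("10.0.0.1", "10.0.0.2", "tcp", 10, 1500),
    Flow("10.0.0.3", "10.0.0.4", "udp", 4, 600),
    Flow("10.0.0.5", "10.0.0.6", "tcp", 12, 2000),
    Flow("10.0.0.7", "10.0.0.8", "icmp", 2, 128),
    Flow("10.0.0.9", "10.0.0.10", "tcp", 6, 900),
    Flow("10.0.0.11", "10.0.0.12", "tcp", 7, 900),  # past the limit from here on
    Flow("10.0.0.13", "10.0.0.14", "udp", 3, 400),
    Flow("10.0.0.15", "10.0.0.16", "tcp", 2, 100),
]
```

Running `overflow_summary(apply_license_limit(SAMPLE, 5))` shows only the protocols whose flows fell past the limit, with their summed packets and bytes, which is the same information an overflow record carries in Network Activity.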




Document Information

Modified date:
25 July 2022

UID

swg21693724