IBM Support

QRadar: Flows missing from Network Activity

Troubleshooting


Problem

All routers are configured to send network traffic to QRadar, but only a fraction of the expected flows appear in Network Activity.

Symptom

A good indication that flows are missing is that the system is nowhere near its licensed flow capacity even though all flow sources are configured.
  1. From the web UI Console, go to Admin > System and License Management.
  2. View the Flow Rate Limit, and make a note of it.
    NOTE: The first number is the license limit per minute and the second number is the hardware limit.
  3. Go to Network Activity.
  4. Process a one minute search.
  5. Expand Current Statistics.
  6. The Total Results is your current rate.
  7. If the value from step 6 is less than 30% of the value from step 2, then your flows might not be configured correctly.

Cause

The flow rate might fall well short of the license limit for reasons other than misconfiguration:
  • A router might not be set up to forward the flows correctly
  • A firewall might be blocking or dropping the network packets
  • A duplicate port might be in use, preventing the proper sending or receiving of the packets
  • One or more servers were decommissioned and are no longer sending flows
There are many other reasons not listed that could also explain missing flows.

Resolving The Problem

Create a list of network devices that are sending flows to QRadar but still need to be configured as flow sources:

NOTE: Some flow sources are not captured by this method.

NOTE: Replace file_name and file_name_2 with names that make sense to your team and can be referenced later.

  1. tcpdump icmp | grep "udp port sflow unreachable" | awk '{print $5}' > file_name
  2. Wait 2 minutes, then press Ctrl+C to end the command.

    NOTE: First, run the tcpdump command for 2 minutes. If you get nothing, run it for 5 minutes, and then for up to 20 minutes to build a larger list. Start short because some systems receive millions of flows while others receive thousands, and you do not want to fill up disk space with the capture.

  3. sort file_name > file_name_2
  4. uniq file_name_2
  5. The resulting output is a list of all flow senders that do not have a correct, or any, flow source configuration.
  6. After the flows are configured (see the link provided in step 5), you will see increased activity in Network Activity for the new flows.
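Added example (not from this IBM document) that extends steps 1 to 4: a shell function that summarizes captured ICMP "port unreachable" lines per sending device and per destination UDP port, so NetFlow/IPFIX ports (2055 in the sample) show up alongside sFlow. It assumes the standard tcpdump line format shown in the constructed sample; the addresses and counts are made up.

```shell
#!/bin/bash
# Added example, not IBM's code. Summarizes "udp port <port> unreachable" lines from a
# tcpdump capture by sending device and destination port. Each such ICMP message means
# a device sent a UDP datagram to a port on QRadar that has no listener, i.e. a flow
# source that is not configured (or is configured on the wrong port).
#
# Capture step (run as root on the QRadar console). -l line-buffers the pipe and
# timeout bounds the run so the capture file cannot fill the disk:
#   timeout 120 tcpdump -l icmp 2>/dev/null | grep --line-buffered 'udp port .* unreachable' > icmp_unreach.txt
#
# summarize_unreachable FILE
#   prints "<device> <port> <count>", one line per device/port pair, sorted.
summarize_unreachable() {
    awk '/ udp port [^ ]+ unreachable/ {
            dev = $5; sub(/:$/, "", dev)      # field 5 is the ICMP destination = the flow sender
            for (i = 1; i <= NF; i++) if ($i == "port") { port = $(i + 1); break }
            count[dev " " port]++
        }
        END { for (k in count) print k, count[k] }' "$1" | LC_ALL=C sort
}

# Constructed sample (not real capture data): QRadar at 10.1.2.3 answering two devices.
# The TCP line is deliberately included to show that it is ignored.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
10:15:01.000001 IP 10.1.2.3 > 10.9.8.7: ICMP 10.1.2.3 udp port sflow unreachable, length 36
10:15:01.000002 IP 10.1.2.3 > 10.9.8.7: ICMP 10.1.2.3 udp port sflow unreachable, length 36
10:15:01.000003 IP 10.1.2.3 > 192.0.2.40: ICMP 10.1.2.3 udp port 2055 unreachable, length 36
10:15:01.000004 IP 10.1.2.3 > 10.9.8.7: ICMP 10.1.2.3 udp port 2055 unreachable, length 36
10:15:02.000005 IP 10.1.2.3 > 10.9.8.7: ICMP 10.1.2.3 tcp port https unreachable, length 36
EOF

summarize_unreachable "$SAMPLE"
```

Devices that appear in the output need a flow source added for the listed port; a device sending on two ports usually means one exporter was pointed at the wrong port.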

Document Location

Worldwide

Product: IBM Security QRadar SIEM
Platform: Linux
Version: 7.3.3; 7.4.3; 7.5.0

Document Information

Modified date:
25 August 2022

UID

ibm16586970