See an overview of VPC Flow Logs that you have across all Amazon AWS accounts, see which
QRadar® VPC Flow log sources
are currently set up, and view or edit these log sources.
Before you begin
To modify log source information, ask your administrator to grant you the "Manage Log
Sources" permission.
Procedure
- On the Utilities for configuring AWS services for
QRadar tab, click .
- Optional: Filter the log sources by the degree to which regions are covered, or by
  the warnings or errors for each log source. Access the Filters sidebar by
  clicking the filter icon in the upper left of the view page.
- To create a log source, click Create in the QRadar Log
  Source column, and select the SQS queue option to use: existing or new.
  - To use an existing SQS queue, use the following steps:
    - Create the log source and then click Submit.
  - To create an SQS queue, use the following steps:
    - Follow the set of linked instructions on IBM Knowledge Center.
    - Click Refresh, choose the newly created SQS queue URL, and then
      click Next.
    - Create the log source and then click Submit.
- Optional: To edit a log source, click the link of the log source name in the
  QRadar Log Source column, click Edit, and complete the
  configuration window that opens. Click Submit when you're finished.
- Optional: To delete a log source, click the link of the log source name in the
  QRadar Log Source column, and then click Delete in the
  Log Source Summary.
  You cannot undo the action.
- If expected flows don't appear on the VPC Flow Logs tab, complete
  the following steps:
  - On the QRadar Console, click the Admin tab, and then click .
  - Click the QFlow Settings menu, and in the IPFix
    additional field encoding field, choose either the TLV or
    TLV and Payload format.
  - Click Save.
  - From the menu bar on the Admin tab, click Deploy
    Full Configuration and confirm your changes.
    Warning: When you deploy the full configuration, QRadar services are restarted.
    During this time, events and flows are not collected, and offenses are not generated.
  - Refresh your browser.