Creating and editing VPC Flow log sources

View an overview of the VPC Flow Logs that exist across all of your Amazon AWS accounts, see which QRadar® VPC Flow log sources are currently configured, and view or edit those log sources.

Before you begin

To modify log source information, ask your administrator to grant you the "Manage Log Sources" permission.

Procedure

  1. On the Utilities for configuring AWS services for QRadar tab, click Log Sources > VPC Flow Logs.
  2. Optional: Filter the log sources by the degree to which regions are covered, or by the warnings or errors for each log source. Access the Filters sidebar by clicking the filter icon in the upper left of the view page.
  3. To create a log source, click Create in the QRadar Log Source column, and select the SQS queue option to use: existing or new.
  4. To use an existing SQS queue, use the following steps:
    1. Create the log source and then click Submit.
  5. To create an SQS queue, use the following steps:
    1. Follow the set of linked instructions on IBM Knowledge Center.
    2. Click Refresh, choose the newly created SQS queue URL, and then click Next.
    3. Create the log source and then click Submit.
  6. Optional: To edit a log source, click the link of the log source name in the QRadar Log Source column, click Edit, and complete the configuration window that opens. Click Submit when you're finished.
  7. Optional: To delete a log source, click the link of the log source name in the QRadar Log Source column, and then click Delete in the Log Source Summary.
    You cannot undo the action.
  8. If expected flows don't appear on the VPC Flow Logs tab, complete the following steps:
    1. On the QRadar Console, click the Admin tab, and then click System Configuration > System Settings.
    2. Click the QFlow Settings menu, and in the IPFix additional field encoding field, choose either the TLV or TLV and Payload format.
    3. Click Save.
    4. From the menu bar on the Admin tab, click Deploy Full Configuration and confirm your changes.
      Warning: When you deploy the full configuration, QRadar services are restarted. During this time, events and flows are not collected, and offenses are not generated.
    5. Refresh your browser.