Configuring the size of the raw payload data capture

You can use IBM® QRadar® Network Insights to extract raw payload data.

The Maximum Raw Payload Size for each appliance is inherited from the QRadar Network Insights global settings.

About this task

On initial installation, IBM QRadar Network Insights is configured to capture a maximum of 64 bytes of raw payload data. To stop capturing payload data, set the Maximum Raw Payload Size to 0.

When you change the global setting, the new value is inherited by all QRadar Network Insights appliances that are configured to use the global setting. This includes new appliances that you add after the setting is changed.

For QRadar Network Insights 6200, 6600, 6610 appliances, you can override the global settings by configuring custom Maximum Raw Payload Size settings. After an appliance is configured to use a custom setting, it is not affected by changes to the global setting. To revert an appliance back to using the global setting, you must edit the host connection and set the Maximum Raw Payload Size to Global.

Note:

You can increase the raw payload size up to 32 768 bytes, but larger payloads can impact performance. Adjust the byte size in small increments, and monitor the disk capacity to ensure that it does not fill up quickly.

If the size of the QRadar Network Insights maximum raw payload is larger than the QFlow content capture length, some payloads might be truncated. Ensure that the QFlow capture is the same size or greater than the QRadar Network Insights payload size. For more information about flows, see Flow Sources.

Procedure

  1. Log in to QRadar as an administrator.
  2. To configure the global settings, follow these steps:
    1. On the Admin tab, click System Settings.
    2. Click QRadar Network Insights Settings.
    3. In the Maximum Raw Payload Size, select the maximum amount of data that you want to capture.

      To turn payload data capture off, set the Maximum Raw Payload Size to 0.

      Appliances that use a custom Maximum Raw Payload Size setting are not affected by changes to the global setting. You must configure the customized appliances individually.

    4. Click Save.
  3. To configure the settings for individual QRadar Network Insights appliances, follow these steps:
    1. On the Admin tab, click System and License Management.
    2. Select the appliance that you want to modify, and click Deployment actions > Edit Host Connection.
    3. Set the flow collector and the flow source connection and click Save.
    4. Specify the Maximum Raw Payload Size for the appliance.

      Appliances that are configured to use a custom Maximum Raw Payload Size are not affected by future changes to the global setting.

    5. Click Next and then click Save.
  4. From the menu bar on the Admin tab, click Advanced > Deploy Full Configuration.
    Warning: When you deploy the full configuration, QRadar services restart. During this time, events and flows are not collected, and offenses are not generated.
  5. Refresh your web browser.