Adding another traffic monitoring interface to the QRadar Network Insights instance

Follow these steps if you want to add another traffic monitoring interface after you install IBM® QRadar® Network Insights.

Procedure

  1. Create a network interface and add it to the QRadar Network Insights instance.
    1. Create a network interface in the same VPC and subnet as your QRadar Network Insights instance.

      Give it a name that you can easily recognize.

    2. Attach the interface to your QRadar Network Insights instance.
    3. In the AWS Console, view the QRadar Network Insights instance and note the new device name.
      For example, the device name might be eth2.
  2. Use SSH to log in to the QRadar Console as the root user.
  3. From the QRadar Console, use SSH to connect to the QRadar Network Insights instance as the root user.
  4. Specify the configuration parameters for the QRadar Network Insights instance.
    1. Create the per-interface configuration file /etc/sysconfig/network-scripts/ifcfg-<device name> where <device name> is the name of the interface.
    2. Edit the configuration file and add or update the following parameters:
      BOOTPROTO=none
      DEVICE=<device name>
      IPV6INIT=no
      ONBOOT=yes
      MTU=9001
  5. Restart the hostcontext service.
    systemctl restart hostcontext
  6. Verify that the new interface is added to the device list file.
    /opt/qradar/conf/capabilities/device.list
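
The following shell functions are an added example, not IBM tooling: they cover steps 4 and 6 and reject device names that would let the file path escape the network-scripts directory. The function names are hypothetical, and the check in `device_listed` assumes that device.list contains the interface name as a whole word.

```shell
#!/bin/sh
# Added example (not IBM tooling): steps 4 and 6 as checkable functions.
# Both paths come from the procedure; override them only for a dry run.
IFCFG_DIR="${IFCFG_DIR:-/etc/sysconfig/network-scripts}"
DEVICE_LIST="${DEVICE_LIST:-/opt/qradar/conf/capabilities/device.list}"

# The device name becomes part of a root-owned file path, so accept only
# plain interface names: letters, digits, '_' and '-', at most 15 characters.
valid_device() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Step 4: create ifcfg-<device name> with the parameters from the procedure.
# Refuses to overwrite an existing file so other settings are not lost.
write_ifcfg() {
    valid_device "$1" || { echo "invalid device name: $1" >&2; return 1; }
    f="$IFCFG_DIR/ifcfg-$1"
    [ ! -e "$f" ] || { echo "$f already exists; edit it by hand" >&2; return 1; }
    ( umask 022
      printf '%s\n' BOOTPROTO=none "DEVICE=$1" IPV6INIT=no ONBOOT=yes MTU=9001 > "$f" )
}

# Confirm every parameter from step 4 is present with the expected value.
check_ifcfg() {
    valid_device "$1" || return 1
    for kv in BOOTPROTO=none "DEVICE=$1" IPV6INIT=no ONBOOT=yes MTU=9001; do
        grep -qxF -- "$kv" "$IFCFG_DIR/ifcfg-$1" || { echo "missing: $kv" >&2; return 1; }
    done
}

# Step 6: check device.list once hostcontext has restarted (step 5).
# Assumption: the interface name appears in the file as a whole word.
device_listed() {
    valid_device "$1" && grep -qwF -- "$1" "$DEVICE_LIST"
}

# Usage as root on the QRadar Network Insights instance, for device eth2:
#   write_ifcfg eth2 && check_ifcfg eth2 && systemctl restart hostcontext
#   device_listed eth2 && echo "eth2 is in the device list"
```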

What to do next

Log in to QRadar and add a flow source for the new network interface. Ensure that the flow source is enabled.