Verifying that the QRadar Network Insights appliance is sending data to the flow processor

Follow these steps to verify that the QRadar® Network Insights appliance is sending IPFIX records to the flow collector or flow processor in your deployment.

Before you begin

Ensure that the flow source was added and enabled, and that the changes were deployed. For more information, see Flow sources.

Verify that the QRadar Network Insights appliance is receiving raw packet data.

Procedure

  1. Verify that the flow source is added and enabled in QRadar.
    1. Log in to the QRadar console as an admin user.
    2. On the Admin tab, click Flows > Flow Sources.
    3. Verify the flow source settings and ensure that the Enabled column is set to true.
    4. Repeat the procedure for each QRadar Network Insights managed host.
    5. If you changed the flow source configurations, on the Admin tab, click Deploy Changes.
  2. Verify that the flows are being received.
    1. Use SSH to log in to the QRadar Console.
    2. Type the following command:
      tailf /var/log/qradar.log | grep qflow
      Messages like this one indicate that the Flow Processor is not receiving any flows from QRadar Network Insights:
      IPFIX Flow Source Stats for <my_dtls_flow_source_name>: received and processed 0 packets
      Messages like this one indicate that flows are being received:
      IPFIX Flow Source Stats for <my_dtls_flow_source_name>: received and processed 12345 packets
  3. If flows are not being received, check that the QRadar Network Insights managed host is configured correctly.
    1. On the Admin tab, click System and License Management.
    2. Select the QRadar Network Insights managed host that is not sending flow data.
    3. Click Deployment Actions > Edit Host Connections.
    4. Select the flow processor that you want your QRadar Network Insights appliance to send flow data to, and click Save.
    5. Configure the QRadar Network Insights managed host, and then click Save.
    6. On the Admin tab, click Advanced > Deploy Full Configuration.
    7. Repeat the previous steps to verify that the flows are being received.
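
The log check in step 2 can be summarized per flow source. The following script is an added example, not part of the IBM procedure: it keeps the most recent "IPFIX Flow Source Stats" message for each flow source and marks sources whose latest message reports 0 packets. The function names, the flow source names, and the log line prefixes in the sample are assumptions constructed for illustration; only the message text is taken from step 2.

```shell
#!/bin/sh
# Added example: report the most recent qflow IPFIX stats per flow source.

# Constructed sample lines. Only the "IPFIX Flow Source Stats ..." text comes
# from the procedure; the prefixes and flow source names are made up.
sample_qradar_log() {
    cat <<'EOF'
10:00:00 qflow: IPFIX Flow Source Stats for qni_dtls_a: received and processed 0 packets
10:00:00 qflow: IPFIX Flow Source Stats for qni_dtls_b: received and processed 500 packets
10:00:30 qflow: unrelated qflow message
10:01:00 qflow: IPFIX Flow Source Stats for qni_dtls_a: received and processed 12345 packets
10:01:00 qflow: IPFIX Flow Source Stats for qni_dtls_b: received and processed 0 packets
EOF
}

# Reads log lines on stdin and prints one tab-separated row per flow source:
#   <flow source name> <latest packet count> <OK|NO_FLOWS>
ipfix_flow_status() {
    awk '
    /IPFIX Flow Source Stats for / {
        line = $0
        sub(/^.*IPFIX Flow Source Stats for /, "", line)
        if (!match(line, /: received and processed [0-9]+ packets/)) next
        name = substr(line, 1, RSTART - 1)
        count = substr(line, RSTART, RLENGTH)
        gsub(/[^0-9]/, "", count)
        if (!(name in latest)) order[++n] = name
        latest[name] = count + 0   # later lines overwrite earlier ones
    }
    END {
        for (i = 1; i <= n; i++) {
            name = order[i]
            state = (latest[name] > 0) ? "OK" : "NO_FLOWS"
            printf "%s\t%d\t%s\n", name, latest[name], state
        }
    }'
}

# Demo on the constructed sample.
sample_qradar_log | ipfix_flow_status
```

On the QRadar Console, the function can read the log named in step 2 instead of the sample: grep qflow /var/log/qradar.log | ipfix_flow_status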

What to do next

On the QRadar Console, click the Network Activity tab to see the flow records.