Flow source aliases

A flow source alias uses a virtual name to identify external flows that are sent to the same port on a flow collector. For example, the IBM QRadar Flow Collector can have a single NetFlow flow source that is listening on port 2055, and can have multiple NetFlow sources sending to the same QRadar Flow Collector. By using flow source aliases, you can identify the different NetFlow sources by their IP addresses.

You can configure the QRadar Flow Collector to automatically create flow source aliases. When the QRadar Flow Collector receives traffic from a device that has an IP address but does not have a current alias, it attempts a reverse DNS lookup to determine the host name of the device.

If the lookup is successful, the QRadar Flow Collector adds this information to the database and reports the information to all QRadar Flow Collector components in your deployment. If the lookup fails, QRadar creates a default alias for the flow source based on the flow source name and the source IP address. For example, the default alias might appear as default_NetFlow_172.16.10.139.
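
The lookup-then-fallback behaviour described above, modelled in Python as an added example (not IBM's code and not part of the original page), together with a helper that lists which sources ended up on a default alias because they have no reverse DNS record. The `default_<flow source name>_<IP>` layout is assumed from the single example alias on this page; the function names and the injectable `lookup` parameter are hypothetical.

```python
import ipaddress
import socket

DEFAULT_PREFIX = "default_"  # assumption: layout inferred from the page's example alias


def alias_for(flow_source_name, src_ip, existing, lookup=socket.gethostbyaddr):
    """Return the alias for src_ip, following the behaviour the page describes."""
    if src_ip in existing:                   # a current alias exists: no lookup needed
        return existing[src_ip]
    try:
        hostname = lookup(src_ip)[0]         # reverse DNS (PTR) lookup
    except OSError:                          # socket.herror/gaierror subclass OSError
        hostname = ""
    # Lookup failed: fall back to flow source name plus source IP.
    alias = hostname or f"{DEFAULT_PREFIX}{flow_source_name}_{src_ip}"
    existing[src_ip] = alias
    return alias


def parse_default_alias(alias):
    """Split a fallback alias into (flow source name, IP); None if it is not one."""
    if not alias.startswith(DEFAULT_PREFIX):
        return None
    # The flow source name may itself contain underscores, so split from the right.
    name, sep, ip_text = alias[len(DEFAULT_PREFIX):].rpartition("_")
    if not sep or not name:
        return None
    try:
        return name, str(ipaddress.ip_address(ip_text))
    except ValueError:                       # trailing field is not an IP address
        return None


def exporters_without_ptr(aliases):
    """Group source IPs that fell back to a default alias, keyed by flow source name."""
    report = {}
    for alias in aliases:
        parsed = parse_default_alias(alias)
        if parsed:
            report.setdefault(parsed[0], []).append(parsed[1])
    return report
```

Sources that `exporters_without_ptr` reports are candidates for a PTR record or a manually assigned alias, so that flows from them are attributable by name rather than by raw address.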