sFlow is a multi-vendor and user standard for sampling technology that provides continuous monitoring of application-level traffic flows on all interfaces simultaneously.

sFlow combines interface counters and flow samples into sFlow datagrams that are sent across the network to an sFlow collector. sFlow traffic is based on sampled data and, therefore, might not represent all network traffic.

IBM® QRadar® supports flow sources for sFlow versions 2, 4, and 5.

sFlow uses a connectionless protocol (UDP). When data is sent from a switch or router, the sFlow record is purged. UDP doesn't guarantee delivery of the data. As a result, an sFlow flow source might present traffic volumes and bidirectional flows inaccurately, and alerting capabilities might be reduced.
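Datagram loss over UDP can be measured on the receiving side, because every sFlow datagram header carries a sequence number set by the sending agent. The following added example (not IBM or QRadar code) parses that header for versions 2, 4, and 5 and counts gaps per agent. The field layout follows the public sFlow specifications; the function names, class name, and sample datagrams are constructed for illustration.

```python
import ipaddress
import struct

SUPPORTED_VERSIONS = {2, 4, 5}   # versions this page lists as supported
ADDR_LEN = {1: 4, 2: 16}         # sFlow address type: 1 = IPv4, 2 = IPv6

def parse_header(datagram: bytes) -> dict:
    """Parse the fixed sFlow datagram header (big-endian 32-bit XDR fields)."""
    if len(datagram) < 8:
        raise ValueError("datagram too short")
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    if version not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported sFlow version {version}")
    if addr_type not in ADDR_LEN:
        raise ValueError(f"unknown agent address type {addr_type}")
    end = 8 + ADDR_LEN[addr_type]
    n = 4 if version == 5 else 3  # sub_agent_id exists only in version 5
    if len(datagram) < end + 4 * n:
        raise ValueError("truncated header")
    rest = struct.unpack_from(f"!{n}I", datagram, end)
    return {"version": version,
            "agent": str(ipaddress.ip_address(datagram[8:end])),
            "sub_agent": rest[0] if version == 5 else 0,
            "sequence": rest[-3], "uptime_ms": rest[-2], "samples": rest[-1]}

class LossTracker:
    """Count datagrams missing per agent from gaps in the sequence number."""
    def __init__(self):
        self.last_seq = {}  # (agent, sub_agent) -> last sequence number seen
        self.missed = {}    # (agent, sub_agent) -> datagrams never received

    def observe(self, hdr: dict) -> int:
        key = (hdr["agent"], hdr["sub_agent"])
        prev = self.last_seq.get(key)
        gap = 0
        if prev is not None and hdr["sequence"] > prev:
            gap = hdr["sequence"] - prev - 1
        # A sequence that is not higher than the last one is treated as an
        # agent restart: it resets the baseline and counts no loss.
        self.last_seq[key] = hdr["sequence"]
        self.missed[key] = self.missed.get(key, 0) + gap
        return gap

def demo() -> list:
    """Constructed v5 headers from 192.0.2.10; sequences 3 and 4 are absent."""
    tracker = LossTracker()
    make = lambda seq: struct.pack("!II4sIIII", 5, 1,
                                   bytes([192, 0, 2, 10]), 0, seq, seq * 1000, 0)
    return [tracker.observe(parse_header(make(s))) for s in (1, 2, 5, 6)]
```

A steadily growing `missed` count for one agent indicates that flow data from that device is incomplete before it reaches the collector.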

For more information, see the sFlow website (www.sflow.org).

sFlow flow source configuration

When you configure an external flow source for sFlow, you must do the following tasks:
  • Ensure that the appropriate firewall rules are configured.
  • Ensure that the appropriate ports are configured for your QRadar VFlow Collector.