Verifying NetFlow data collection

To ensure that your NetFlow configuration is working correctly, you must validate your QRadar NetFlow data.

About this task

Configure NetFlow to send data to the nearest QRadar Flow Collector or QRadar Flow Processor appliance.

By default, QRadar listens on the management interface for NetFlow traffic on port 2055 (UDP). If you need additional NetFlow ports, you can assign them.

Procedure

  1. Click the Network Activity tab.
  2. From the Network Activity toolbar, click Search > New Search.
  3. In the Search Parameters pane, add a flow source search filter.
    1. From the first list, select Flow Source.
    2. From the third list, select your NetFlow router's name or IP address.
    If your NetFlow router is not displayed in the third list, QRadar might not detect traffic from that router.
  4. Click Add Filter.
  5. In the Search Parameters pane, add a protocol search filter.
    1. From the first list, select Protocol.
    2. From the third list, select TCP.
  6. Click Add Filter.
  7. Click Filter.
  8. Locate the Source Bytes and Destination Bytes columns to verify data collection.

    If either column displays many results with zero bytes, your configuration might be incomplete, and you must verify your NetFlow configuration.
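As an added example that is not IBM's code or part of the original page, the following Python applies the procedure's flow source and protocol filters and the zero-byte check to a constructed search export; the CSV column names, the 50% threshold and the router names are assumptions.

```python
import csv
import io

# Constructed sample in the shape of a Network Activity search export.
# Column names are an assumption, not taken from the page.
SAMPLE_CSV = """Flow Source,Protocol,Source Bytes,Destination Bytes
edge-router-1,TCP,1520,48600
edge-router-1,TCP,0,2200
edge-router-1,TCP,3100,0
edge-router-1,TCP,0,0
edge-router-1,TCP,2048,0
edge-router-1,UDP,512,0
edge-router-2,TCP,800,900
edge-router-2,TCP,1200,0
"""

COLUMNS = ("Source Bytes", "Destination Bytes")


def load_flows(text):
    """Parse an exported search result into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_flows(flows, flow_source, protocol="TCP"):
    """Steps 3 to 7: keep only flows from one router and one protocol."""
    return [f for f in flows
            if f["Flow Source"] == flow_source and f["Protocol"] == protocol]


def zero_byte_report(flows, threshold=0.5):
    """Step 8: count zero-byte rows per column and flag the check.

    A column is suspect when more than `threshold` of the filtered flows
    report zero bytes in it. No matching flows at all means the router is
    not being seen, which the page also treats as a configuration problem.
    """
    total = len(flows)
    report = {"total": total, "columns": {}}
    for col in COLUMNS:
        zeros = sum(1 for f in flows if int(f[col]) == 0)
        share = zeros / total if total else 0.0
        report["columns"][col] = {"zero": zeros, "share": share,
                                  "suspect": share > threshold}
    report["needs_review"] = (total == 0 or
                              any(c["suspect"] for c in report["columns"].values()))
    return report


def verify_router(text, flow_source):
    """Run the whole procedure for one NetFlow router and return the report."""
    return zero_byte_report(filter_flows(load_flows(text), flow_source))
```

A router that is missing from the export entirely is reported as needing review, matching the note in step 3 that an absent router means QRadar may not be detecting its traffic.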