Flow data from the QRadar Network Insights 1920 appliance does not appear

Follow these steps to determine why the flow data from your QRadar Network Insights 1920 or 1920-C appliance does not appear on the Network Activity tab.

Symptoms

The Network Activity tab doesn’t show flow data from the QRadar Network Insights 1920 or 1920-C appliance.

Causes

This problem can be caused by a race condition, indicating that the system did not start in proper sequence. This problem occurs when the following Napatech configuration file is corrupted after QRadar services are restarted:
/opt/napatech3/config/ntservice.ini

Diagnosing the problem

  1. Log in to the QRadar Network Insights host by using an SSH session.
  2. Verify that flow data is not being received by typing the following command:
    /opt/napatech3/bin/monitoring
    After the command is entered, a message displays similar to the following example:
    ntservice not running
  3. Search for messages that show the bonding type of the adapter by typing the following command:
    grep -i bonding /opt/napatech3/config/ntservice.ini
    Messages similar to the following example indicate that the configuration file is corrupted. The corrupted file prevents the napatech3 service from starting.
    BondingType = *Separate*

Resolving the problem

Follow these steps to re-create the corrupted ntservice.ini configuration file.

You can save the corrupted file for investigation later.

  1. Log in to the QRadar Network Insights appliance by using an SSH session.
  2. Move the ntservice.ini file to save it for later:
    mv /opt/napatech3/config/ntservice.ini /root/
  3. Restart the Napatech service:
    systemctl restart napatech3

    Note: The ntservice.ini configuration file is re-created when the service restarts.

  4. Test the service to confirm that it is now working:
    grep -i bonding /opt/napatech3/config/ntservice.ini:
    You might see messages similar to the following examples:
    BondingType = Master
    BondingType = Slave
  5. Rerun the following command to verify that the service is running:
    /opt/napatech3/bin/monitoring

Results

The napatech3 service is started and flow data appears in QRadar on the Network Activity tab.

If the service is still not running, open a case with QRadar Support.