Flow data from the QRadar Network Insights 1920 appliance does not appear
Follow these steps to determine why the flow data from your QRadar Network Insights 1920 or 1920-C appliance does not appear on the Network Activity tab.
Symptoms
The Network Activity tab doesn’t show flow data from the QRadar Network Insights 1920 or 1920-C appliance.Causes
This problem can be caused by a race condition, indicating that the system did not start in proper sequence. This problem occurs when the following Napatech configuration file is corrupted after QRadar services are restarted:/opt/napatech3/config/ntservice.ini
Diagnosing the problem
- Log in to the QRadar Network Insights host by using an SSH session.
- Verify that flow data is not being received by typing the following
command:
After the command is entered, a message displays similar to the following example:/opt/napatech3/bin/monitoring
ntservice not running
- Search for messages that show the bonding type of the adapter by typing the following
command:
Messages similar to the following example indicate that the configuration file is corrupted. The corrupted file prevents thegrep -i bonding /opt/napatech3/config/ntservice.ini
napatech3
service from starting.BondingType = *Separate*
Resolving the problem
Follow these steps to re-create the corrupted ntservice.ini configuration file.
You can save the corrupted file for investigation later.
- Log in to the QRadar Network Insights appliance by using an SSH session.
- Move the ntservice.ini file to save it for
later:
mv /opt/napatech3/config/ntservice.ini /root/
- Restart the Napatech service:
systemctl restart napatech3
Note: The ntservice.ini configuration file is re-created when the service restarts.
- Test the service to confirm that it is now
working:
You might see messages similar to the following examples:grep -i bonding /opt/napatech3/config/ntservice.ini:
BondingType = Master BondingType = Slave
- Rerun the following command to verify that the service is
running:
/opt/napatech3/bin/monitoring
Results
The napatech3
service is started and flow data appears in QRadar on the Network
Activity tab.
If the service is still not running, open a case with QRadar Support.