In IBM QRadar Incident Forensics, the DNS and NetBIOS Name Service protocols do not generate documents by default. You can change this behavior by changing the document configuration settings for the protocol.
Procedure
- Using SSH, log in to the QRadar Console.
- Edit the /opt/qradar/conf/forensics.xml file.
- In the excludeInspectors section, add or remove the nodoc elements for any inspector that you want to disable document generation for.
  For example, to enable document generation for the DNS protocol, remove the <nodoc>dns</nodoc> line.
  To disable document generation for a specific protocol, add a line that matches the <nodoc>protocol_name</nodoc> format.
- Save the changes to the forensics.xml file.
- To push the configuration changes to all managed hosts, type this command:
/opt/qradar/support/all_servers.sh -p /opt/qradar/conf/forensics.xml -r /opt/qradar/conf
- Using a web browser, log in to the QRadar Console.
- On the Admin tab, click .
When the deployment is complete, the configuration changes apply to all future QRadar Incident Forensics recoveries and packet capture file uploads to cases.
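The edit in the excludeInspectors step is easy to get wrong by hand (a duplicated or half-deleted nodoc line). The script below is an added example, not IBM's code, that makes the same change idempotently and keeps a backup of forensics.xml before writing. It assumes only what the procedure states (an excludeInspectors section containing nodoc elements); the root element name, the sample content and the "netbios" inspector name are constructed assumptions.

```python
# Added example (not IBM's code): toggle <nodoc> entries in the
# excludeInspectors section of forensics.xml without hand-editing.
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample resembling the relevant part of forensics.xml.
# Only the excludeInspectors/nodoc structure comes from the procedure;
# the root element and the "netbios" inspector name are assumptions.
SAMPLE_XML = """<forensics>
  <excludeInspectors>
    <nodoc>dns</nodoc>
    <nodoc>netbios</nodoc>
  </excludeInspectors>
</forensics>
"""


def excluded_protocols(xml_text):
    """Return the inspectors whose document generation is currently disabled."""
    section = ET.fromstring(xml_text).find("excludeInspectors")
    if section is None:
        return []
    return [(n.text or "").strip() for n in section.findall("nodoc")]


def set_document_generation(xml_text, protocol, enabled):
    """Enable or disable document generation for one inspector.

    enabled=True removes every matching <nodoc> line (what the procedure
    describes for DNS); enabled=False adds one unless it already exists.
    Running the same call twice leaves the XML unchanged.
    """
    root = ET.fromstring(xml_text)
    section = root.find("excludeInspectors")
    if section is None:
        section = ET.SubElement(root, "excludeInspectors")
    matches = [n for n in section.findall("nodoc")
               if (n.text or "").strip() == protocol]
    if enabled:
        for n in matches:
            section.remove(n)
    elif not matches:
        ET.SubElement(section, "nodoc").text = protocol
    return ET.tostring(root, encoding="unicode")


def update_file(path, protocol, enabled):
    """Rewrite forensics.xml in place after saving a .bak copy of the original."""
    original = Path(path).read_text()
    Path(path + ".bak").write_text(original)
    Path(path).write_text(set_document_generation(original, protocol, enabled))
```

After running update_file("/opt/qradar/conf/forensics.xml", "dns", True) on the Console, the push and deploy steps of the procedure are still required for the change to reach managed hosts.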