Configuring the Protocol Analysis Module

Use this procedure to learn how to edit the Protocol Analysis Module (PAM) settings. Where applicable, the configuration snippets that you can use when you edit PAM are documented with the topic to which they apply.

About this task

The Protocol Analysis Module (PAM) is used in IBM QRadar Network Insights to manage some network traffic inspection functions.

By changing some PAM configuration settings, you can change some of the ways that QRadar Network Insights inspects traffic. For example, you can modify PAM settings to change the way that IBM X-Force Signatures are reported.

Configuration changes are made on the QRadar Console and then deployed to all of the QRadar Network Insights managed hosts in your deployment.

Procedure

  1. Using SSH, connect to the QRadar Console.
  2. Edit the /opt/qradar/conf/forensics.xml file.
  3. Find the TrafficScape XML block, and add an element for the PAM configuration.
    The following example shows the format to use to apply a single tuning parameter.
    <Pam>
        <TuningParameters>
            <pam.report.2101118 value="0" />
        </TuningParameters>
    </Pam>
  4. Save the file.
  5. Distribute the file to all QRadar Network Insights managed hosts in your deployment.
    /opt/qradar/support/all_servers.sh -a 6[2-9]% -p /opt/qradar/conf/forensics.xml -r /opt/qradar/conf
  6. To reload the updated configuration, restart all of the decapper processes.
    /opt/qradar/support/all_servers.sh -a 6[2-9]% "systemctl restart decapper && sleep 5 && systemctl status decapper"

    Using the command line to manually push the configuration change ensures that the change persists after other configuration changes are made from the product interface.

Results

The configuration changes are deployed to all QRadar Network Insights managed hosts, and immediately applied to incoming flows.