Configuring a flow collector
By changing the Flow Collector configuration settings, you can manage the way that IBM QRadar collects and processes the flows that the collector receives from its flow sources.
| Parameter | Description |
|---|---|
| Maximum Content Capture | Specify the maximum amount of data (bytes per packet) that you want the Flow Collector to capture and retain in the flow payload. |
| Maximum Data Capture/Packet | Specify the maximum amount of data (bytes per packet) that you want the Flow Collector to analyze. |
| Flow buffer size | Specify the maximum number of flows that can be buffered in memory. |
| Maximum Number of Flows | Specify the maximum number of flows that you want to send from the Flow Collector to a Flow Processor within a 1 minute interval. |
| Alias Autodetection | Set to Yes to allow QRadar to auto-detect flow sources. With auto-detection turned on, QRadar can automatically create flow source aliases for external flow sources, such as routers. |
| Remove duplicate flows | Set this to Yes if you want the Flow Collector to remove duplicate flows. If you have asymmetric traffic in your network, set this parameter to No, because the two directions of an asymmetric session can otherwise be mistaken for duplicates and discarded. |
| Verify NetFlow Sequence Numbers | Set this to Yes if you want the Flow Collector to check the incoming NetFlow sequence numbers to ensure that all packets are present and in order. QRadar displays a notification if a packet is missing or is received out of sequence. A gap in the sequence means that flow records were lost between the exporter and the collector, so the traffic they described is not available to rules or searches. |
| External Flow De-duplication method | Choose the method that you want to use to remove duplicate external flows. |
| Flow Carry-over Window | Specify the number of seconds that the QFlow process holds one-sided flows. The default setting is 6 seconds. This setting allows time for QRadar to receive the flow response. Flows that fall within the carry-over window are not sent until the next reporting interval. |
| External flow record comparison mask | Specify the method to use to compare external flow records. This parameter is valid only if you chose Record as the External Flow De-duplication method. You can choose which flow record fields are used when comparing external flow records, and you can combine those fields. |
| Create Super Flows | Set this to Yes if you want QRadar to group flows that have similar properties into one flow record. |
| Type A Superflows (Network Scan) | Specify the threshold that must be reached before QRadar creates a Type A (one to many) superflow: one source host to many destination hosts. |
| Type B Superflows (DDoS) | Specify the threshold that must be reached before QRadar creates a Type B (many to one) superflow: many source hosts to one destination host. |
| Type C Superflows (Port Scan) | Specify the threshold that must be reached before QRadar creates a Type C (one to one) superflow: one source host to one destination host across many ports. |
| Recombine Asymmetric flows | Set this to Yes if you want QRadar to recombine the two directions of an asymmetric session into one flow. |
| Ignore Asymmetric Superflows | Set this to Yes if you want QRadar to create superflows when asymmetric flows are enabled. |
| Use Common Destination Port | Set this to Yes if you want QRadar to use the common (well-known) destination port to determine whether to reverse the flow direction. |
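The Verify NetFlow Sequence Numbers check in the table above works on the `flow_sequence` field of the NetFlow export header. The script below is an added illustration of that check, written for this page; it is not QRadar's code and QRadar's own implementation is not documented here. It parses constructed NetFlow v5 packets (24-byte header, 48-byte records, all constructed inline) and tracks the expected sequence per exporter, an assumption made explicit because it is the reason the check misfires when several exporters share one stream.

```python
import struct
from typing import Dict, List, Tuple

# NetFlow v5 export packet header, 24 bytes, network byte order:
# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval. Each flow record is 48 bytes.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48


def make_v5_packet(flow_sequence: int, count: int) -> bytes:
    """Build a constructed v5 export packet with `count` zeroed records (test data only)."""
    header = V5_HEADER.pack(5, count, 0, 0, 0, flow_sequence, 0, 0, 0)
    return header + b"\x00" * (V5_RECORD_LEN * count)


def parse_v5_header(packet: bytes) -> Tuple[int, int]:
    """Return (count, flow_sequence) from a v5 export packet, rejecting other versions."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v5 header")
    version, count, _, _, _, seq, _, _, _ = V5_HEADER.unpack_from(packet)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    return count, seq


def check_sequence(packets: List[Tuple[str, bytes]]) -> List[Tuple[int, str, int, int, int]]:
    """
    Walk export packets in arrival order, keyed by exporter, and report every
    packet whose flow_sequence is not what the previous packet predicted.
    In v5 the header's flow_sequence is the running total of flows exported
    before this packet, so the next packet from the same exporter should carry
    previous_sequence + previous_count (a 32-bit counter that wraps).
    Returns (packet_index, exporter, expected, seen, delta): a positive delta is
    the number of flow records lost, a negative one a late or duplicate packet.
    """
    expected: Dict[str, int] = {}
    anomalies: List[Tuple[int, str, int, int, int]] = []
    for i, (exporter, pkt) in enumerate(packets):
        count, seq = parse_v5_header(pkt)
        if exporter in expected and seq != expected[exporter]:
            delta = (seq - expected[exporter]) & 0xFFFFFFFF
            if delta > 0x7FFFFFFF:  # treat as a negative delta: reordered or duplicated packet
                delta -= 1 << 32
            anomalies.append((i, exporter, expected[exporter], seq, delta))
        expected[exporter] = (seq + count) & 0xFFFFFFFF
    return anomalies


# Constructed sample: two routers (hypothetical names r1, r2) exporting to one
# collector port. r1 loses the packet that carried flows 5 and 6; r2 is healthy.
SAMPLE = [
    ("r1", make_v5_packet(0, 3)),
    ("r1", make_v5_packet(3, 2)),
    ("r2", make_v5_packet(100, 1)),
    ("r1", make_v5_packet(7, 1)),  # expected 5, so two flow records are missing
    ("r2", make_v5_packet(101, 4)),
]

if __name__ == "__main__":
    for row in check_sequence(SAMPLE):
        print("gap:", row)
    # The same packets with the exporters not told apart: every interleaving
    # of r1 and r2 looks like a gap. This is the false-positive case.
    for row in check_sequence([("all", pkt) for _, pkt in SAMPLE]):
        print("merged:", row)
```

Run as-is it prints one real gap for r1 and three spurious gaps for the merged stream, which is why sequence verification is only meaningful when each exporter's packets are attributed to a distinct flow source.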
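The three superflow types in the table above are defined only by their shape (one to many, many to one, one to one). The script below is an added model of that grouping, written for this page and not QRadar's algorithm; it assumes the thresholds count distinct destination hosts (Type A), distinct source hosts (Type B) and distinct destination ports (Type C), which the page does not state, and it groups Types A and B on a single destination port. The traffic is constructed inline.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def find_superflows(flows: Iterable[Flow], type_a: int = 100, type_b: int = 100,
                    type_c: int = 100) -> Dict[str, List[Tuple[tuple, int]]]:
    """
    Group flows into the three superflow shapes. Thresholds are the number of
    distinct peers (A, B) or destination ports (C) a group must reach; this is
    an assumption, the page does not say what the thresholds count.
      A (network scan): one source  -> many destinations on one port
      B (DDoS):         many sources -> one destination on one port
      C (port scan):    one source  -> one destination on many ports
    Returns, per type, each group key and the number of flows it collapses.
    """
    by_src_port: Dict[tuple, Set[str]] = defaultdict(set)  # (src, dport) -> {dst}
    by_dst_port: Dict[tuple, Set[str]] = defaultdict(set)  # (dst, dport) -> {src}
    by_pair: Dict[tuple, Set[int]] = defaultdict(set)      # (src, dst)   -> {dport}
    for f in flows:
        by_src_port[(f.src, f.dport)].add(f.dst)
        by_dst_port[(f.dst, f.dport)].add(f.src)
        by_pair[(f.src, f.dst)].add(f.dport)
    return {
        "A": [(k, len(v)) for k, v in by_src_port.items() if len(v) >= type_a],
        "B": [(k, len(v)) for k, v in by_dst_port.items() if len(v) >= type_b],
        "C": [(k, len(v)) for k, v in by_pair.items() if len(v) >= type_c],
    }


def sample_flows() -> List[Flow]:
    """Constructed traffic: an SMB sweep, an HTTP flood, a port scan and two ordinary sessions."""
    flows = [Flow("10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 151)]       # one host sweeps 150 hosts
    flows += [Flow(f"198.51.100.{i}", "10.0.9.9", 80) for i in range(1, 121)]  # 120 sources hit one server
    flows += [Flow("10.0.0.7", "10.0.2.2", p) for p in range(1, 131)]          # one host probes 130 ports
    flows += [Flow("10.0.0.8", "10.0.9.9", 443), Flow("10.0.0.9", "10.0.3.3", 22)]
    return flows


if __name__ == "__main__":
    # At the default threshold of 100 every attack pattern collapses into one
    # superflow; at 200 none does and the individual flows are kept.
    for threshold in (100, 200):
        print(threshold, find_superflows(sample_flows(), threshold, threshold, threshold))
```

The practical point is visible in the two runs: the threshold decides whether a scan or flood reaches the pipeline as hundreds of individual flow records or as a single superflow, so rules and searches that count flows per source or destination need to be written with the configured thresholds in mind.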
Procedure
- On the navigation menu, click Admin.
- In the System Configuration section, click System and License Management.
- In the Display list, select Systems, and select the Flow Collector that you want to configure.
- On the Deployment Actions menu, click Edit Host.
- Click the gear icon next to Component Management.
- Edit the configuration options and click Save.
- Repeat the configuration steps for each Flow Collector in your deployment.
- Close the System and License Management window.
- Deploy your changes. Deploying restarts the QFlow process on every managed host that you modified.