Configuring a flow collector

By changing the Flow Collector configuration settings, you can manage the way that IBM QRadar collects and processes flows that are received from the device.

The following table describes the Flow Collector configuration parameters:
Table 1. Flow collector configuration parameters

Maximum Content Capture
    Specify the maximum amount of data (bytes per packet) that you want the Flow Collector to capture and retain in the flow payload.

Maximum Data Capture/Packet
    Specify the maximum amount of data (bytes per packet) that you want the Flow Collector to analyze.

Flow buffer size
    Specify the maximum number of flows that can be buffered in memory.

Maximum Number of Flows
    Specify the maximum number of flows that you want to send from the Flow Collector to a Flow Processor within a 1 minute interval.

Alias Autodetection
    Set this to Yes to allow QRadar to auto-detect flow sources.
    With auto-detection turned on, QRadar can automatically create flow source aliases for external flow sources, such as routers.

Remove duplicate flows
    Set this to Yes if you want the Flow Collector to remove duplicate flows.
    If you have asymmetric traffic in your network, set this parameter to No.

Verify NetFlow Sequence Numbers
    Set this to Yes if you want the Flow Collector to check the incoming NetFlow sequence numbers to ensure that all packets are present and in order.
    QRadar displays a notification if a packet is missing or is received out of sequence.

External Flow De-duplication method
    Choose the method that you want to use to remove duplicate external flows.
      • Select Source to compare the originating flow sources.
        This method compares the IP address of the device that exported the current external flow record to the IP address of the device that exported the first external record of the flow. If the IP addresses do not match, the current external flow record is discarded.
      • Select Record to compare the individual external flow records.
        This method logs a list of every external flow record that is detected by a device, and compares each subsequent record to that list. If the current record is found in the list, the record is discarded.
        If you choose this method, you must also set the External flow record comparison mask parameter.

Flow Carry-over Window
    Specify the number of seconds that the QFlow process holds one-sided flows. The default setting is 6 seconds.
    This setting allows time for QRadar to receive the flow response. Flows that fall within the carry-over window are not sent until the next reporting interval.

External flow record comparison mask
    Specify the method to use to compare external flow records.
    This parameter is valid only if you chose Record as the External Flow De-duplication method.
    You can choose which flow record fields are used when comparing external flow records:
      • D (Direction)
      • B (ByteCount)
      • P (PacketCount)
    The mask has three positions, one per field; a field's letter includes it in the comparison and an X in its position excludes it. The following combinations are available:
      • The DBP option uses direction, byte count, and packet count.
      • The XBP option uses byte count and packet count.
      • The DXP option uses direction and packet count.
      • The DBX option uses direction and byte count.
      • The DXX option uses direction.
      • The XBX option uses byte count.
      • The XXP option uses packet count.
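As an added illustration (not IBM's code and not QRadar's implementation) of the Source and Record de-duplication methods and the comparison mask described above, the following Python models how each method decides whether an external flow record is kept or discarded. The record fields, the flow_id used to tie records to a flow, and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed model of an external flow record; the field names are assumptions, not QRadar's.
@dataclass(frozen=True)
class ExternalFlowRecord:
    exporter_ip: str   # IP address of the device that exported this record
    flow_id: str       # identity of the flow (for example its 5-tuple) the record belongs to
    direction: str     # "L2R" or "R2L"
    byte_count: int
    packet_count: int

def record_key(rec, mask):
    """Key selected by a mask such as DBP, XBP or DXX: positions are D/X, B/X, P/X; X drops the field."""
    if len(mask) != 3 or mask[0] not in "DX" or mask[1] not in "BX" or mask[2] not in "PX":
        raise ValueError(f"invalid comparison mask: {mask!r}")
    key = [rec.flow_id]  # assumption: only records of the same flow are compared to each other
    if mask[0] == "D":
        key.append(rec.direction)
    if mask[1] == "B":
        key.append(rec.byte_count)
    if mask[2] == "P":
        key.append(rec.packet_count)
    return tuple(key)

class ExternalFlowDeduplicator:
    """Source: keep only records from the exporter that sent the flow's first record. Record: keep unseen keys only."""
    def __init__(self, method="Source", mask="DBP"):
        if method not in ("Source", "Record"):
            raise ValueError(f"unknown method: {method!r}")
        self.method, self.mask = method, mask
        self.first_exporter = {}  # Source method: flow_id -> exporter IP of the first record
        self.seen = set()         # Record method: key of every record logged so far

    def accept(self, rec):  # True keeps the record, False discards it as a duplicate
        if self.method == "Source":
            first = self.first_exporter.setdefault(rec.flow_id, rec.exporter_ip)
            return first == rec.exporter_ip
        key = record_key(rec, self.mask)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True

def dedupe(records, method="Source", mask="DBP"):
    dd = ExternalFlowDeduplicator(method, mask)
    return [r for r in records if dd.accept(r)]

# Constructed sample: one flow reported by two routers, then an updated record from the first.
SAMPLE = [ExternalFlowRecord("10.0.0.1", "f1", "L2R", 100, 2),
          ExternalFlowRecord("10.0.0.2", "f1", "L2R", 100, 2),  # same counters, second exporter
          ExternalFlowRecord("10.0.0.1", "f1", "L2R", 150, 3)]  # updated counters, first exporter
```

With the Source method the second exporter's copy is dropped, while with the Record method and the DXX mask the updated record is also dropped because only direction is compared; this is why a narrow mask can discard legitimately changed counters.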
Create Super Flows
    Set this to Yes if you want QRadar to group flows that have similar properties into one flow record.

Type A Superflows (Network Scan)
    Specify the threshold to be reached before QRadar creates a Type A (one to many) superflow.

Type B Superflows (DDoS)
    Specify the threshold to be reached before QRadar creates a Type B (many to one) superflow.

Type C Superflows (Port Scan)
    Specify the threshold to be reached before QRadar creates a Type C (one to one) superflow.

Recombine Asymmetric flows
    Set this to Yes if you want QRadar to recombine asymmetric flows.

Ignore Asymmetric Superflows
    Set this to Yes if you want QRadar to create superflows when asymmetric flows are enabled.

Use Common Destination Port
    Set this to Yes if you want QRadar to use the common destination port to determine whether to reverse the flow direction.

Procedure

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click System and License Management.
  3. In the Display list, select Systems, and select the Flow Collector that you want to configure.
  4. On the Deployment Actions menu, click Edit Host.
  5. Click the gear icon next to Component Management.
  6. Edit the configuration options and click Save.
  7. Repeat the configuration steps for each Flow Collector in your deployment.
  8. Close the System and License Management window.
  9. Deploy your changes.
    Deploying restarts the QFlow process on every managed host that you modified.