IBM Support

QRadar: Common messages and errors from the QRadar flow pipeline

Question & Answer


Question

What are some common messages and errors from the QRadar flow pipeline?

Cause

The QRadar flow pipeline has a set of descriptive error messages that can indicate possible network and performance issues. Below is a list of the common messages and their possible causes, and what to look for to verify these issues.

Answer

QFlow - no flows being generated

The QFlow flow collector generates flow data from raw packets collected on monitor ports (from spans, taps and monitor sessions), or from external flow sources such as NetFlow, sFlow, J-Flow, etc. This data is then converted to QRadar flow format and sent down the pipeline for processing.

Sep  7 13:03:54 qradar [16636] qflow0: [INFO]     : Interval 1283878560: 0 flows (0 bundles (0), 0 NP, 0 CO, 0 OF) 0 bytes, 0 packets
Sep  7 13:04:54 qradar [16636] qflow0: [INFO]     : Interval 1283878620: 0 flows (0 bundles (0), 0 NP, 0 CO, 0 OF) 0 bytes, 0 packets
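
To spot this condition across several collectors at once, the following added example (not IBM code) parses the interval summary lines shown above and reports each qflow process whose most recent intervals all contain 0 flows. The function names, the `min_intervals` threshold and the `qflow1` sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Per-interval summary line as shown above; the "qflow<N>" process-name
# pattern is an assumption generalized from the page's "qflow0".
INTERVAL_RE = re.compile(
    r"(?P<proc>qflow\d+): \[INFO\]\s*: Interval (?P<interval>\d+): "
    r"(?P<flows>\d+) flows \(.*?\) (?P<bytes>\d+) bytes, (?P<packets>\d+) packets"
)

# The two qflow0 lines are from the page; the qflow1 lines are constructed.
SAMPLE_LOG = """\
Sep  7 13:03:54 qradar [16636] qflow0: [INFO]     : Interval 1283878560: 0 flows (0 bundles (0), 0 NP, 0 CO, 0 OF) 0 bytes, 0 packets
Sep  7 13:04:54 qradar [16636] qflow0: [INFO]     : Interval 1283878620: 0 flows (0 bundles (0), 0 NP, 0 CO, 0 OF) 0 bytes, 0 packets
Sep  7 13:03:55 qradar [16702] qflow1: [INFO]     : Interval 1283878560: 0 flows (0 bundles (0), 0 NP, 0 CO, 0 OF) 0 bytes, 0 packets
Sep  7 13:04:55 qradar [16702] qflow1: [INFO]     : Interval 1283878620: 212 flows (9 bundles (0), 0 NP, 0 CO, 0 OF) 90412 bytes, 655 packets
""".splitlines()


def parse_intervals(lines):
    """Yield (process, interval, flows, bytes, packets) per summary line."""
    for line in lines:
        m = INTERVAL_RE.search(line)
        if m:
            yield (m["proc"], int(m["interval"]), int(m["flows"]),
                   int(m["bytes"]), int(m["packets"]))


def silent_collectors(lines, min_intervals=2):
    """Return {process: n} where the latest n consecutive intervals had 0 flows."""
    history = defaultdict(list)
    for proc, interval, flows, _bytes, _packets in parse_intervals(lines):
        history[proc].append((interval, flows))
    silent = {}
    for proc, records in history.items():
        records.sort()  # order by interval timestamp
        streak = 0
        for _interval, flows in reversed(records):
            if flows != 0:
                break  # collector recovered; older zero intervals do not count
            streak += 1
        if streak >= min_intervals:
            silent[proc] = streak
    return silent


if __name__ == "__main__":
    for proc, streak in silent_collectors(SAMPLE_LOG).items():
        print(f"{proc}: no flows for the last {streak} intervals")
```
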

Resolution for versions 7.1 through 7.2.6



If your qflow process is not generating any flow data, check your data sources using tcpdump and your router configurations to verify that data is being collected. Also check the "Flow Sources" configuration in the Admin tab in QRadar to verify that your flow sources are set up properly.



_____________________________________________________


Resolution

When this occurs and you determine that this qflow process is not going to receive any data, you should remove this process from your deployment editor.





If there should indeed be data coming in from that particular qflow process, review the resolution steps above in the qflow component.





Historical Number

1247

Document Information

Modified date:
16 June 2018

UID

swg21622511