IBM Support

QRadar: No sFlow traffic seen in Network Activity

Troubleshooting


Problem

The sFlow traffic is received by the QRadar host when you check with Tcpdump, but there is no traffic seen in Network Activity on QRadar GUI.

Cause

The cause is one or both of the following:
  1. If the sFlow is received on a flow collector (FC), the FC might not be configured to pass the traffic to the correct flow processor (FP) or console for processing.
  2. The sFlow traffic does not contain the information that is required to process it.

Diagnosing The Problem

If you suspect that the cause is that the flow collector is not configured to pass the traffic to the correct FP or console, you can check the file /opt/qradar/conf/nva.qflow.qflow*.conf for parameter "FLOW_SERVERS". The file must contain the IP address for the FP or the console.
Note: Do not manually edit this file.
Example:
[root@qr750 ~]# grep "FLOW_SERVERS" /opt/qradar/conf/nva.qflow.qflow0.conf
FLOW_SERVERS=10.10.218.220:32010
[root@qr750 ~]#
If the issue persists, the sFlow traffic might not contain the correct information to be processed. In that case, it is best to capture a pcap and review it.

Resolving The Problem

Incorrect flow processor configuration
Steps for checking your configuration:
  1. Log in to QRadar GUI.
  2. Switch to the Admin Tab.
  3. Open System and License Management.
  4. Select the affected FC.
  5. From the Deployment actions drop-down menu, click Edit Host connection.
  6. A new window opens with a drop-down menu that lists the eligible hosts.
  7. Select the correct host to process these flows.
Incomplete sFlow data
If the sFlow traffic doesn't contain the correct information, we suggest that you perform a packet capture to examine the data:
tcpdump -nnAs0 -i any udp and port 6343 -c 500 -w /root/sflow.pcap
The issue is likely caused by sFlow traffic that contains only metadata and counters, but no actual flow samples or Ethernet packet data. Such flows are not processed because they don't contain the required information.
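As an added example (not from IBM's article or from QRadar itself), the following Python parser walks an sFlow v5 datagram and reports whether it carries flow samples with raw packet headers or only counter samples, which is the distinction described above. The two datagrams at the bottom are constructed inline (agent address 192.0.2.1 is a documentation-range placeholder) so that the script runs offline; the same function can be pointed at the UDP payloads extracted from /root/sflow.pcap.

```python
import struct
# sFlow v5 sample formats (enterprise 0): 1 flow, 2 counter, 3 expanded flow, 4 expanded counter.
FLOW_SAMPLE, COUNTER_SAMPLE, EXP_FLOW_SAMPLE, EXP_COUNTER_SAMPLE = 1, 2, 3, 4
RAW_PACKET_HEADER = 1   # flow record format 1: the sampled Ethernet frame header

def count_raw_headers(body: bytes, sample_type: int) -> int:
    # Fixed fields before the record list: 32 bytes (format 1) or 44 bytes (format 3); the last one is the record count.
    off = 32 if sample_type == FLOW_SAMPLE else 44
    n_records = struct.unpack_from("!I", body, off - 4)[0]
    count = 0
    for _ in range(n_records):
        rec_fmt, rec_len = struct.unpack_from("!II", body, off)
        count += int(rec_fmt == RAW_PACKET_HEADER)
        off += 8 + rec_len
    return count

def summarize_sflow_datagram(data: bytes) -> dict:
    # Count flow samples, counter samples and raw packet headers in one sFlow v5 UDP payload.
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    off = 8 + (4 if addr_type == 1 else 16)                  # agent address: IPv4 or IPv6
    n_samples = struct.unpack_from("!I", data, off + 12)[0]  # after sub-agent id, seq, uptime
    off += 16
    summary = {"flow_samples": 0, "counter_samples": 0, "raw_header_records": 0}
    for _ in range(n_samples):
        fmt, length = struct.unpack_from("!II", data, off)
        enterprise, sample_type = fmt >> 12, fmt & 0xFFF
        body = data[off + 8:off + 8 + length]
        if enterprise == 0 and sample_type in (FLOW_SAMPLE, EXP_FLOW_SAMPLE):
            summary["flow_samples"] += 1
            summary["raw_header_records"] += count_raw_headers(body, sample_type)
        elif enterprise == 0 and sample_type in (COUNTER_SAMPLE, EXP_COUNTER_SAMPLE):
            summary["counter_samples"] += 1
        off += 8 + length
    return summary

def tlv(fmt: int, payload: bytes) -> bytes:
    return struct.pack("!II", fmt, len(payload)) + payload

def build_datagram(samples: list) -> bytes:
    # Constructed header: version 5, IPv4 agent 192.0.2.1 (placeholder), sub-agent 0, seq 1, uptime 1000 ms
    return struct.pack("!II4sIIII", 5, 1, bytes([192, 0, 2, 1]), 0, 1, 1000, len(samples)) + b"".join(samples)

# Constructed samples: a counter sample with one 88-byte generic-interface record, and a flow sample
# carrying a 60-byte raw Ethernet header (protocol 1 = Ethernet, frame length 60, 0 bytes stripped).
COUNTER = tlv(COUNTER_SAMPLE, struct.pack("!III", 1, 1, 1) + tlv(1, bytes(88)))
FLOW = tlv(FLOW_SAMPLE, struct.pack("!8I", 1, 1, 1000, 500000, 0, 1, 2, 1)
           + tlv(RAW_PACKET_HEADER, struct.pack("!IIII", 1, 60, 0, 60) + bytes(60)))
COUNTERS_ONLY = build_datagram([COUNTER])           # the case in this article: nothing for QRadar to process
WITH_FLOW_SAMPLE = build_datagram([COUNTER, FLOW])  # a usable export: a flow sample with a packet header
```

A capture whose datagrams all summarize to zero flow_samples and zero raw_header_records is exactly the counters-only case this article describes.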
Compare the results of examining the pcap with the following reference documentation:

If that is the case, the switch administrator must confirm whether sFlow is configured according to https://sflow.org/about/index.php and https://sflow.org/sflow_version_5.txt, and whether sFlow samples are included.

Document Location

Worldwide


Document Information

Modified date:
18 December 2023

UID

ibm16176091