Troubleshooting
Problem
The sFlow traffic is received by the QRadar host when you check with tcpdump, but no traffic is seen in Network Activity in the QRadar GUI.
Cause
The cause can be either of the following, or a combination of both:
- If the sFlow is received on a flow collector (FC), the FC might not be configured to pass the traffic to the correct flow processor (FP) or console for processing.
- The sFlow traffic doesn't contain the information required to process it.
Diagnosing The Problem
If you suspect that the flow collector is not configured to pass the traffic to the correct FP or console, check the file /opt/qradar/conf/nva.qflow.qflow*.conf for the FLOW_SERVERS parameter. The file must contain the IP address of the FP or the console.
Note: Do not manually edit this file.
Example:
[root@qr750 ~]# grep "FLOW_SERVERS" /opt/qradar/conf/nva.qflow.qflow0.conf
FLOW_SERVERS=10.10.218.220:32010
[root@qr750 ~]#
If the issue persists, the sFlow traffic might not contain the information required to process it. In that case, capture a pcap and review it.
Resolving The Problem
Incorrect flow processor configuration
Steps for checking your configuration:
- Log in to QRadar GUI.
- Switch to the Admin Tab.
- Open System and License Management.
- Select the affected FC.
- From Deployment actions, click Edit Host Connection in the drop-down menu.
- A new window opens with a drop-down menu with eligible hosts to be selected.
- Select the correct host to process these flows.
Incomplete sFlow data
If the sFlow traffic doesn't contain the correct information, we suggest that you perform a packet capture to examine the data:
tcpdump -nnAs0 -i any udp and port 6343 -c 500 -w /root/sflow.pcap
The issue is likely caused by sFlow traffic that contains metadata and counters but no actual flow or Ethernet data. Such flows are not processed because they lack the required information.
Compare your results from examining the pcap with the following reference documentation:
- InMon sFlow and its information: https://sflow.org/developers/diagrams/sFlowV5Datagram.pdf
- Flow sample: https://sflow.org/developers/diagrams/sFlowV5Sample.pdf and https://sflow.org/developers/diagrams/sFlowV5FlowData.pdf
- Expanded counters sample: https://sflow.org/developers/diagrams/sFlowV5CounterData.pdf
In that case, the switch administrator must confirm whether sFlow is configured according to https://sflow.org/about/index.php and https://sflow.org/sflow_version_5.txt, and whether flow samples are included or not.
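The comparison against the sFlow v5 diagrams can be automated for a quick first look. The following is an added example, not part of the IBM document and not QRadar's own code: it walks one sFlow v5 datagram (the UDP payload from the capture), counts counter samples versus flow samples, and reports whether any flow sample carries a raw packet header record, which is the data a flow collector needs. The field layout and format numbers (enterprise 0: flow sample 1, counters sample 2, expanded variants 3 and 4; flow record format 1 = raw packet header) follow the sFlow v5 specification linked above. The two datagrams at the bottom are constructed test data, one counters-only (the failure mode the page describes) and one with an Ethernet header; to run this over a real pcap you would extract the UDP payloads with a pcap library such as dpkt or scapy, which is not shown here.

```python
import struct
from typing import Dict, List, Tuple

# Constants from the sFlow v5 specification (https://sflow.org/sflow_version_5.txt)
SFLOW_VERSION = 5
FLOW_SAMPLE, COUNTER_SAMPLE = 1, 2              # sample_data formats, enterprise 0
EXPANDED_FLOW_SAMPLE, EXPANDED_COUNTER_SAMPLE = 3, 4
RAW_PACKET_HEADER = 1                           # flow_data format 1
HEADER_PROTOCOL_ETHERNET = 1


def _u32(buf: bytes, off: int) -> Tuple[int, int]:
    """Read one big-endian uint32 (XDR encoding) and return (value, new_offset)."""
    return struct.unpack_from("!I", buf, off)[0], off + 4


def _parse_flow_records(body: bytes, off: int, nrecords: int, out: Dict) -> None:
    """Walk the flow_data records of one flow sample, noting raw packet headers."""
    for _ in range(nrecords):
        fmt, off = _u32(body, off)
        length, off = _u32(body, off)
        data = body[off:off + length]
        off += length
        if fmt == RAW_PACKET_HEADER:            # enterprise 0, format 1
            proto, frame_len, _stripped, hdr_len = struct.unpack_from("!IIII", data, 0)
            out["raw_header_records"] += 1
            if proto == HEADER_PROTOCOL_ETHERNET and hdr_len >= 14:
                hdr = data[16:16 + hdr_len]      # the sampled frame bytes follow 4 uint32s
                out["ethernet_frames"].append({
                    "dst": hdr[0:6].hex(":"), "src": hdr[6:12].hex(":"),
                    "ethertype": struct.unpack_from("!H", hdr, 12)[0],
                    "frame_length": frame_len,
                })


def diagnose(buf: bytes) -> Dict:
    """Summarise one sFlow v5 datagram: which sample types it carries and
    whether any sample contains packet data a flow collector could use."""
    off = 0
    version, off = _u32(buf, off)
    if version != SFLOW_VERSION:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_type, off = _u32(buf, off)
    if addr_type == 1:                          # IPv4 agent address
        agent = ".".join(str(b) for b in buf[off:off + 4]); off += 4
    elif addr_type == 2:                        # IPv6 agent address
        agent = buf[off:off + 16].hex(); off += 16
    else:
        raise ValueError(f"unknown agent address type {addr_type}")
    _sub_agent, off = _u32(buf, off)
    seq, off = _u32(buf, off)
    _uptime, off = _u32(buf, off)
    nsamples, off = _u32(buf, off)

    out = {"agent": agent, "sequence": seq, "flow_samples": 0, "counter_samples": 0,
           "raw_header_records": 0, "ethernet_frames": []}
    for _ in range(nsamples):
        fmt, off = _u32(buf, off)
        length, off = _u32(buf, off)
        body = buf[off:off + length]
        off += length
        enterprise, kind = fmt >> 12, fmt & 0xFFF
        if enterprise != 0:
            continue                            # vendor-specific sample, ignored here
        if kind in (COUNTER_SAMPLE, EXPANDED_COUNTER_SAMPLE):
            out["counter_samples"] += 1
        elif kind in (FLOW_SAMPLE, EXPANDED_FLOW_SAMPLE):
            out["flow_samples"] += 1
            # flow_sample: 7 uint32 fields precede the record count;
            # expanded_flow_sample: 10 uint32 fields precede it
            rec_off = 28 if kind == FLOW_SAMPLE else 40
            nrecords, rec_off = _u32(body, rec_off)
            _parse_flow_records(body, rec_off, nrecords, out)
    out["usable"] = out["raw_header_records"] > 0
    return out


# --- constructed test datagrams (not captured traffic) -----------------------

def build_datagram(samples: List[bytes], agent: str = "10.10.218.1", seq: int = 1) -> bytes:
    """Wrap encoded samples in an sFlow v5 datagram header (IPv4 agent, sub-agent 0)."""
    head = struct.pack("!II", SFLOW_VERSION, 1) + bytes(int(o) for o in agent.split("."))
    head += struct.pack("!IIII", 0, seq, 123456, len(samples))
    return head + b"".join(samples)


def counter_sample() -> bytes:
    """Counters sample with one zeroed generic interface counters record (88 bytes)."""
    rec = struct.pack("!II", 1, 88) + bytes(88)
    body = struct.pack("!III", 7, 1, 1) + rec   # seq, source_id, record count
    return struct.pack("!II", COUNTER_SAMPLE, len(body)) + body


def flow_sample_with_ethernet() -> bytes:
    """Flow sample carrying a raw Ethernet header (locally administered MACs, IPv4 stub)."""
    hdr = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00" + bytes(20)
    padded = hdr + bytes((-len(hdr)) % 4)       # XDR opaque data is padded to 4 bytes
    rec_data = struct.pack("!IIII", HEADER_PROTOCOL_ETHERNET, 64, 4, len(hdr)) + padded
    rec = struct.pack("!II", RAW_PACKET_HEADER, len(rec_data)) + rec_data
    body = struct.pack("!IIIIIIII", 42, 1, 512, 21504, 0, 1, 2, 1) + rec
    return struct.pack("!II", FLOW_SAMPLE, len(body)) + body


if __name__ == "__main__":
    for name, dg in (("counters only", build_datagram([counter_sample(), counter_sample()])),
                     ("with flow sample", build_datagram([counter_sample(), flow_sample_with_ethernet()]))):
        print(name, diagnose(dg))
```

A datagram stream where `counter_samples` climbs while `flow_samples` and `raw_header_records` stay at zero matches the symptom above: the agent is exporting interface statistics but no sampled packets, so there is nothing for the flow processor to turn into a flow record.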
Document Information
Modified date:
18 December 2023
UID
ibm16176091