Question & Answer
Question
How do I add a QFlow or VFlow appliance to my QRadar deployment?
Answer
- Log in to the QRadar Web User Interface.
- Click Admin tab > System and License Management > Deployment Actions > View Deployment.
- Once in View Deployment, verify that the Qflow component is connected to the Event Collector.
Flow sources created and assigned?
- Click on the Admin tab > Flow Sources icon.
- If no flow sources are configured for that particular Qflow component, it will not have any sources to report data to the Network Activity tab.
- When you add a QFlow Collector managed host, it will create multiple Flow Sources by default. One for each additional interface other than eth0 or the default QRadar 7.3 predictable Network Interface en[s|p|o|x]<interface number>, as well as high-speed Napatech card.
QRadar 7.3.x
QRadar 7.2.x
- If the Interface does not exist, then you will need to create it. See examples above.
- From the menu bar click Deploy Changes.
Note: If a qflow component exists with no Flow Sources assigned, you will see Dashboard System notifications that the process has failed to start X times. The qflow process will exit if no Flow Sources are assigned, and the hostcontext service will continually try to restart it.
Where do you find more information?
[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Admin Console","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.1;7.3;7.2.8;7.2","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
24 August 2018
UID
swg21677864