IBM Support

QRadar: How to enable TLV and Payload in QRadar 7.3.1



In QRadar 7.3.1, a feature was enabled to allow TLV or Payload formats. If both are required, how do you set QFlow to have both TLV and Payload formats?


By default, QRadar GUI under Admin  > System Setting > QFlow Settings have two options under format - TLV or Payload. Sometimes a customer would like both formats enabled at the same time.



Note: not having option "TLV and Payload" is resolved in versions 7.3.2 and later.


Resolving The Problem

To enable both TLV and Payload formats, the parameter needs to be enabled:

  1. Log in to the Console by using an SSH session.
  2. Verify that the directory /store/IBM_Support exists:
    mkdir -p /store/IBM_Support
  3. Backup /opt/qradar/conf/nva.conf :
    cp -p /opt/qradar/conf/nva.conf /store/IBM_Support
  4. Using vi editor open /opt/qradar/conf/nva.conf:
    vi /opt/qradar/conf/nva.conf
  5. Locate the line


    Change false to true:


    Note: By default, this parameter is set to false.

  6. Save the changes, press "Esc' on your keyboard. Then, write and quite with 'wq':

    : wq
  7. Log in to the QRadar UI.

  8. Click the Admin page.

  9. During a maintenance schedule, click Advanced > Deploy Full Configuration.
    Important: Deploy Full Configuration results in restarted services. While services are restarting, event processing stops until services restart. Scheduled reports that are in-progress need to be manually restarted by users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.

Third format option is visible and located in System SettingsQFlow FormatTLV and Payload.

Document Location


[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtEAAQ","label":"Log Activity"}],"ARM Case Number":"TS002132723","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.1"}]

Document Information

Modified date:
31 July 2023