Troubleshooting
Problem
Cause
By default, QRadar GUI under Admin > System Setting > QFlow Settings have two options under format - TLV or Payload. Sometimes a customer would like both formats enabled at the same time.
Note: not having option "TLV and Payload" is resolved in versions 7.3.2 and later.
Resolving The Problem
To enable both TLV and Payload formats, the parameter needs to be enabled:
- Log in to the Console by using an SSH session.
- Verify that the directory
/store/IBM_Supportexists:mkdir -p /store/IBM_Support - Backup
/opt/qradar/conf/nva.conf:cp -p /opt/qradar/conf/nva.conf /store/IBM_Support - Using vi editor open
/opt/qradar/conf/nva.conf:vi /opt/qradar/conf/nva.conf -
Locate the line
TEMPLATE_DATA_FIELD_ENCODING_TLV_PAYLOAD_ALLOWED=falseChange false to true:
TEMPLATE_DATA_FIELD_ENCODING_TLV_PAYLOAD_ALLOWED=trueNote: By default, this parameter is set to false.
-
Save the changes, press "Esc' on your keyboard. Then, write and quite with 'wq':
: wq -
Log in to the QRadar UI.
-
Click the Admin page.
-
During a maintenance schedule, click Advanced > Deploy Full Configuration.
Important: Deploy Full Configuration results in restarted services. While services are restarting, event processing stops until services restart. Scheduled reports that are in-progress need to be manually restarted by users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
Third format option is visible and located in System Settings > QFlow Format > TLV and Payload.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
31 July 2023
UID
ibm10881410