Verifying that the Network Insights Appliance is Sending Data to the Flow Processor

SUMMARY Follow these steps to verify that the Network Insights appliance is sending IPFIX records to the flow processor in your deployment.

Ensure that the flow source was added, enabled, and that the changes were deployed. For more information, see Flow Sources.

Verify that the Network Insights appliance is receiving raw packet data.

  1. Verify that the flow source is added and enabled in JSA.
    1. Log in to the JSA console as an admin user.
    2. On the Admin tab, click Flows > Flow Sources.
    3. Verify the flow source settings and ensure that the Enabled column is set to true.
    4. Repeat the procedure for each Network Insights managed host.
    5. If you changed the flow source configurations, on the Admin tab, click Deploy Changes.
  2. Verify that the flows are being received.
    1. Use SSH to log in to the JSA Console.
    2. Type the following command:
      tailf /var/log/qradar.log | grep qflow

      Messages like this one indicate that the Flow Processor is not receiving any flows from Network Insights:

      IPFIX Flow Source Stats for <my_dtls_flow_source_name>: received and processed 0 packets

      Messages like this one indicate that flows are being received:

      IPFIX Flow Source Stats for <my_dtls_flow_source_name>: received and processed 12345 packets
  3. If flows are not being received, check that the Network Insights managed host is configured correctly.
    1. On the Admin tab, click System and License Management.
    2. Select the Network Insights managed host that is not sending flow data.
    3. Click Deployment Actions > Edit Host Connections.
    4. Select the flow processor that you want your Network Insights appliance to send flow data to, and click Save.
    5. Configure the Network Insights managed host, and then click Save.
    6. On the Admin tab, click Advanced > Deploy Full Configuration.
    7. Repeat the previous steps to verify that the flows are being received.
On the JSA Console, click the Network Activity tab to see the flow records.
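
The log check from step 2 as a script, added here as an example and not part of the product documentation: it reads qflow log lines and lists every flow source whose most recent stats message reports 0 packets. The flow source names and the log-line prefix in the sample are constructed; only the message text is taken from this page.

```shell
#!/bin/sh
# Constructed sample lines. Only the text from "IPFIX Flow Source Stats"
# onward follows the page; the prefix and source names are made up.
sample_log() {
  cat <<'EOF'
Jan 10 10:00:00 jsa qflow: IPFIX Flow Source Stats for ni_dtls_a: received and processed 0 packets
Jan 10 10:00:00 jsa qflow: IPFIX Flow Source Stats for ni_dtls_b: received and processed 12345 packets
Jan 10 10:01:00 jsa qflow: IPFIX Flow Source Stats for ni_dtls_a: received and processed 12345 packets
Jan 10 10:01:00 jsa qflow: IPFIX Flow Source Stats for ni_dtls_b: received and processed 0 packets
EOF
}

# Read log text on stdin and print each flow source whose latest stats
# line reports 0 packets. Returns 1 if any source is idle, 0 otherwise.
idle_flow_sources() {
  awk '
    /IPFIX Flow Source Stats for / {
      line = $0
      # Drop whatever prefix precedes the message.
      sub(/.*IPFIX Flow Source Stats for /, "", line)
      n = index(line, ": received and processed ")
      if (n == 0) next
      name = substr(line, 1, n - 1)
      rest = substr(line, n + length(": received and processed "))
      split(rest, f, " ")
      if (f[1] !~ /^[0-9]+$/) next
      # Later lines overwrite earlier ones, so only the newest count is kept.
      last[name] = f[1] + 0
    }
    END {
      idle = 0
      for (s in last) if (last[s] == 0) { print s; idle = 1 }
      exit idle
    }'
}

# Demo on the constructed sample. On the JSA Console, feed it the real log:
#   grep qflow /var/log/qradar.log | idle_flow_sources
sample_log | idle_flow_sources || echo "flow sources listed above are idle"
```

A source that reported 0 packets earlier but has since recovered is not listed, because only its latest stats line counts.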