QRadar XDR

Span traffic not seen on Qradar Console

  • 1.  Span traffic not seen on Qradar Console

    Posted Mon October 25, 2021 05:14 AM
    Dear Experts,

    I have a QRadar deployment with a QRadar console plus FP; I connected a SPAN port to my FP.

    I could see SPAN traffic from the console web UI by filtering for the flow interface that has the SPAN port. However, I can't see any SPAN traffic from the console web UI anymore.

    I SSHed into the FP and ran a tcpdump command on the interface receiving the SPAN traffic, and I could see traffic, but not on the console web UI "Network Activity" tab.

    Restarted qflow on both console and FP, disabled and re-enabled the SPAN interface on the FP, yet the issue persists.

    Kindly assist if you have faced this issue and resolved it.

    ------------------------------
    benlinux
    ------------------------------


  • 2.  RE: Span traffic not seen on Qradar Console

    Posted Mon October 25, 2021 11:28 AM
    Hi Ben,
    There are multiple reasons why network traffic may be broken. The most common reason is a failure in the port config of your network device, e.g. wrong type or switch port. However, when you can see traffic coming in via tcpdump it should be o.k. Just make sure that monitor type is configured for your SPAN interface on your FP.

    If you want to make sure that mirror traffic can be processed at all, just make your console management interface an additional monitor interface, Flow source type = network interface. Never seen that fail, and your mirror data is generated independently from your network device config.

    In rare cases the traffic coming in is not correctly processed because of a version mismatch with the default flow traffic definition table inside QRadar. I have seen this fail on a firewall sending the wrong version of IPFIX traffic to QRadar. So even if traffic is coming in, there is no guarantee it can be processed by the service process. Please make sure you have collected all support files and checked them for errors. If desperate, open a case with IBM.
    BR Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
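As an added example (not from either poster, and not QRadar's own tooling) of the NIC-level check the thread discusses: the first post confirmed frames arrive with tcpdump, and the reply says that if they do, the problem is on the flow source side. This script repeats that check from /sys/class/net on the FP without a capture, reporting link state, promiscuous mode (a mirror port that is not promiscuous drops frames not addressed to it) and whether the receive counter grows during a window. The interface name eth2 is a placeholder, not a name from the thread.

```shell
#!/bin/sh
# Added example: sanity-check a SPAN/monitor interface on a Linux host.
# Interface names used here are placeholders, not values from the thread.

# Current receive packet counter for interface $1 (0 if it does not exist).
rx_packets() {
    cat "/sys/class/net/$1/statistics/rx_packets" 2>/dev/null || echo 0
}

# Packets received on interface $1 during a window of $2 seconds.
rx_delta() {
    before=$(rx_packets "$1")
    sleep "$2"
    after=$(rx_packets "$1")
    echo $((after - before))
}

# "yes" if the interface flags include IFF_PROMISC (0x100), otherwise "no".
is_promisc() {
    flags=$(cat "/sys/class/net/$1/flags" 2>/dev/null || echo 0)
    if [ $(( $flags & 0x100 )) -ne 0 ]; then echo yes; else echo no; fi
}

# Summarise link state, promiscuous mode and packet arrival for interface $1
# over a window of $2 seconds (default 5), then say which side to look at next.
check_span_iface() {
    iface="$1"
    window="${2:-5}"
    state=$(cat "/sys/class/net/$iface/operstate" 2>/dev/null || echo unknown)
    pkts=$(rx_delta "$iface" "$window")
    echo "interface=$iface operstate=$state promisc=$(is_promisc "$iface") rx_in_${window}s=$pkts"
    if [ "$pkts" -gt 0 ]; then
        # Frames reach the NIC: the gap is between the NIC and the flow source (qflow) config.
        echo "mirror traffic is reaching the NIC; check the flow source / qflow side"
    else
        # Nothing arriving: look at the switch SPAN session and cabling first.
        echo "no packets in window; check the switch SPAN session and cabling first"
    fi
}

# Usage on the FP: check_span_iface eth2 5   (eth2 is a placeholder)
```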