Exploring flow data
Flows are different from events. Flow data is the information of the session between two hosts. For example, if an employee logs in at 9 a.m. and starts using social media, QRadar can capture these session details between the employee’s machine and the social media site. This is done by capturing the network traffic from the span port of a switch. There are different types of flows, which we will discuss in detail later in Chapter 4. Flow data can be viewed in the Network Activity tab on the QRadar UI, as shown in the following screenshot:
Figure 1.2 – Network Activity tab
Similar to an Event Processor, we have a Flow Processor and Flow Collector for flow data. Let’s discuss them in detail next.
Flow Processor
Like the Event Processor, the Flow Processor is another managed host that collects and processes flow data. It has an ariel database where the flow data is stored, and it can be queried using the same mechanism as discussed for the Event Processor.
For the Event Processor, we had ecs-ec-ingress, which collected event data. But for the Flow Processor, we have the qflow service, which collects flows and then sends them to ecs-ec and ecs-ep for further processing and storage.
Important services running on the Flow Processor are as follows:
hostcontext: For the Flow Processor, the'COMPONENT_PROCESSES'parameter in the/opt/qradar/conf/nva_hostcontext.conffile has different values than in the Event Processor.qflow: This service is responsible for collecting the flows. The Flow Processor does NOT have theecs-ec-ingressservicehostservices: Same as in the Console.
Important note
A single managed host can act as both an Event Processor and Flow Processor. For this to happen, you need to choose the correct option while installing. Usually, on enterprise-level deployments, Event Processors and Flow Processors are kept separate.
Flow Collector
Like an Event Collector, a Flow Collector is used to collect flow data, analyze it, and send it to the Flow Processor or Console for processing.
The Flow Collector has a special service like Flow Processor called qflow, which collects flows. Flow sources are defined on the QRadar Console UI and then the configuration is pushed to managed hosts, thus the Flow Collector understands which flows need to be collected.
Important services running on the Flow Collector are as follows:
hostcontext: The subservices of thehostcontextservice are as follows:qflow– This service is responsible for collecting flowsecs-ec– This service is responsible for aggregating and analyzing flows
hostservices: Same as in the Console
Another important component usually used in huge deployments is the Data Node. Let's see why in the next section.
