IBM QRadar

  • 1.  HTTP Receiver port not opened after Log source configuration

    Posted Thu May 27, 2021 02:36 PM

    I subscribed to the QRadar 741 image on AWS. 

     

    Then I configured a new Log source with Protocol Type as "HTTP Receiver". Used the default port of 12469. But the port 12469 does not open when I created the Log source. Due to this, I am unable to send data over HTTP to QRadar. Please advise.



    ------------------------------
    Nitesh Sinha
    ------------------------------


  • 2.  RE: HTTP Receiver port not opened after Log source configuration

    Posted Fri May 28, 2021 08:00 AM
    Hi Nitesh,

    First thing to verify is if you did a deploy (Admin tab > Deploy Changes). This is required to both activate the log source (so Java binds a listener to the specified port) and to update the iptables rules to allow access to that port.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 3.  RE: HTTP Receiver port not opened after Log source configuration

    Posted Fri May 28, 2021 08:25 AM
    Thank you Colin for your response!

    I have done "Deploy Changes" multiple times but the port does not start, after saving the log source with HTTP receiver protocol.

    Not sure whether this is an issue with QRadar v741 itself or with the QRadar v741 image available in the AWS marketplace for the subscription.

    Any other thing I can do?

    ------------------------------
    Nitesh Sinha
    ------------------------------



  • 4.  RE: HTTP Receiver port not opened after Log source configuration

    Posted Mon May 31, 2021 10:31 AM
    Hi Nitesh,

    I don't think QRadar 7.4.1 has a general problem with this and the AWS image should be the exact same application code, but it's possible that there are other aspects of the AWS environment blocking the traffic. Are you certain that the port is not open at the host level? Have you run netstat from the command line to confirm the port is not active, or is it possible that the traffic is being blocked by something between the sender and the QRadar machine?

    Another question: is this a multi-system deployment of QRadar, or an "all-in-one" single system? If it's a multi-system deployment, check the "Target Event Collector" field of your log source configuration and verify that it is the machine you're trying to send to. The port will only be opened on the host to which the log source is assigned.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 5.  RE: HTTP Receiver port not opened after Log source configuration

    Posted Mon May 31, 2021 12:28 PM
    Hi Colin,

    I am using "all-in-one" single system.

    Yes, I did netstat but did not find the port listed.

    Nitesh



    ------------------------------
    Nitesh Sinha
    ------------------------------



  • 6.  RE: HTTP Receiver port not opened after Log source configuration

    Posted Mon May 31, 2021 01:07 PM
    Ok, if you don't see it in netstat at all, then that also eliminates the possibility that you have a different listener using 12469.

    As Ian suggested, you could check /var/log/qradar.error around the time when you first deployed the log source to see if there are any errors which give an indication of the problem.

    If not, it's possible that restarting the ecs-ec-ingress service may solve the problem. You should not have to do this; it will cause a small amount of event loss if you have other event data streams being pushed to QRadar, so I wouldn't recommend it on a production system, but if you're just testing things out you could try it. Run this command from the CLI/shell:

    systemctl restart ecs-ec-ingress

    Alternatively, you could log a support ticket to get one of our L2 people engaged.

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 7.  RE: HTTP Receiver port not opened after Log source configuration

    Posted Fri May 28, 2021 09:31 AM
    Ensure a deploy was done after creating the new log source
    Turn the log source on/off/on waiting a couple of min between each
    Check qradar.log/.error for any configurations issues
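
The checks suggested across this thread (is anything bound to the port, does an iptables rule allow it, and what did qradar.error log around the deploy) can be combined into one triage script. The following is an added example, not code from the thread or from IBM. The parsing functions run offline against constructed stand-ins for `ss -ltn` and `iptables -S` output that are embedded below; the `live_check` function assumes it is run as root on the host the log source is assigned to, that the deploy adds a plain `--dport` ACCEPT rule visible in `iptables -S`, and that any relevant error lines mention the port number.

```shell
#!/bin/sh
# Added example (not IBM code): triage "HTTP Receiver port not open".
# Decision logic: nothing bound to the port -> the log source side is the
# problem (deploy, Target Event Collector, ecs-ec-ingress); bound but no
# iptables ACCEPT -> the host firewall; both fine -> look between the sender
# and the host (e.g. an AWS security group).

# --- constructed sample outputs, stand-ins for `ss -ltn` and `iptables -S` ---
SS_PORT_MISSING='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       50      127.0.0.1:7676       0.0.0.0:*'

SS_PORT_BOUND="$SS_PORT_MISSING
LISTEN  0       50      0.0.0.0:12469        0.0.0.0:*"

IPT_NO_RULE='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

IPT_WITH_RULE="$IPT_NO_RULE
-A INPUT -p tcp -m tcp --dport 12469 -j ACCEPT"

# port_listening PORT   (stdin: `ss -ltn` output)
# Exit 0 if some LISTEN socket's local address ends in ":PORT".
# (`netstat -ltn` puts the state in column 6; adjust the $1 test if you use it.)
port_listening() {
  awk -v port="$1" '
    $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
    END { exit found ? 0 : 1 }'
}

# iptables_allows PORT  (stdin: `iptables -S` output)
# Exit 0 if any chain carries an ACCEPT rule for --dport PORT.
# Assumption: a plain --dport rule; a multiport match would need a different pattern.
iptables_allows() {
  grep -Eq -- "^-A [^ ]+ .*--dport $1 .*-j ACCEPT"
}

# diagnose PORT SS_OUTPUT IPT_OUTPUT  -> prints one of three verdicts
diagnose() {
  port=$1
  if ! printf '%s\n' "$2" | port_listening "$port"; then
    echo "not_listening"             # check deploy, Target Event Collector, ecs-ec-ingress
  elif ! printf '%s\n' "$3" | iptables_allows "$port"; then
    echo "listening_but_firewalled"  # listener exists, iptables drops external clients
  else
    echo "listening_and_allowed"     # host is fine; look at the path from the sender
  fi
}

# live_check [PORT]: run as root on the QRadar host the log source targets
live_check() {
  port=${1:-12469}
  verdict=$(diagnose "$port" "$(ss -ltn)" "$(iptables -S)")
  echo "$port: $verdict"
  # Errors logged around the deploy; assumption: relevant lines contain the port number.
  grep -n -- "$port" /var/log/qradar.error 2>/dev/null | tail -n 20
}

# Offline demonstration against the constructed samples.
diagnose 12469 "$SS_PORT_MISSING" "$IPT_WITH_RULE"   # not_listening
diagnose 12469 "$SS_PORT_BOUND"   "$IPT_NO_RULE"     # listening_but_firewalled
diagnose 12469 "$SS_PORT_BOUND"   "$IPT_WITH_RULE"   # listening_and_allowed

if [ "${1:-}" = "--live" ]; then
  live_check "${2:-12469}"
fi
```

Run it with no arguments to see the three verdicts on the constructed samples; on the QRadar host, `sh triage.sh --live 12469` applies the same logic to real `ss` and `iptables` output and tails the matching qradar.error lines. A `not_listening` verdict after a deploy is the case in this thread and points at the log source itself rather than at the network.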