IBM QRadar

Dear Team,

I installed event collector and on event collector tcp 514 is not listening when i did the netstat and i believe all my 22 node licenses are consumed. Now i want to delete one old event collector and want to assign that event collector node license to the new event collector. Please let me know if i remove that event collector from console then the node license will free up automatically or i have to clear from backend and if yes then what will be the steps to cleanup from backend and free that node license.Please help me with immediate support.

Regards

Hamdan Shakeel

Hi Hamdan

Is the EC listening on 514 for UDP?  If so do you have any TCP syslog logsources defined for that EC?

Are there any logs coming to the console for the EC?  Has the EC been added to the deployment and connected to a console or EP?

Thanks

------------------------------
John Dawson
Qradar Support Architect
IBM

Original Message:
Sent: Wed September 10, 2025 07:03 PM
From: Hamdan Shakeel
Subject: IBM QRadar Node License Issue

Dear Team,

I installed event collector and on event collector tcp 514 is not listening when i did the netstat and i believe all my 22 node licenses are consumed. Now i want to delete one old event collector and want to assign that event collector node license to the new event collector. Please let me know if i remove that event collector from console then the node license will free up automatically or i have to clear from backend and if yes then what will be the steps to cleanup from backend and free that node license.Please help me with immediate support.

Regards

Hamdan Shakeel

------------------------------
Hamdan Shakeel
------------------------------

Hi John,

The collector is successfully added to the console and it's showing active in console. I am trying to send logs from my windows machine but its showing connection failed for the tcp 514. This is the output i am receiving when i am doing netstat on collector.

[root@ec1 ~]# netstat -nlp | grep 514
tcp6       0      0 :::1514                 :::*                    LISTEN      27966/syslog-ng
udp6       0      0 :::514                  :::*                                20641/java
udp6       0      0 :::1514                 :::*                                27966/syslog-ng
unix  2      [ ACC ]     STREAM     LISTENING     1395514  26639/master         private/discard
[root@ec1 ~]#

------------------------------
Hamdan Shakeel

Original Message:
Sent: Thu September 11, 2025 05:29 AM
From: John Dawson
Subject: IBM QRadar Node License Issue

Hi Hamdan

Is the EC listening on 514 for UDP?  If so do you have any TCP syslog logsources defined for that EC?

Are there any logs coming to the console for the EC?  Has the EC been added to the deployment and connected to a console or EP?

Thanks

------------------------------
John Dawson
Qradar Support Architect
IBM

Original Message:
Sent: Wed September 10, 2025 07:03 PM
From: Hamdan Shakeel
Subject: IBM QRadar Node License Issue

Dear Team,

I installed event collector and on event collector tcp 514 is not listening when i did the netstat and i believe all my 22 node licenses are consumed. Now i want to delete one old event collector and want to assign that event collector node license to the new event collector. Please let me know if i remove that event collector from console then the node license will free up automatically or i have to clear from backend and if yes then what will be the steps to cleanup from backend and free that node license.Please help me with immediate support.

Regards

Hamdan Shakeel

------------------------------
Hamdan Shakeel
------------------------------

Hi John,

Any feedback on shared details and put?

Hi John,

The collector is successfully added to the console and it's showing active in console. I am trying to send logs from my windows machine but its showing connection failed for the tcp 514. This is the output i am receiving when i am doing netstat on collector.

[root@ec1 ~]# netstat -nlp | grep 514
tcp6       0      0 :::1514                 :::*                    LISTEN      27966/syslog-ng
udp6       0      0 :::514                  :::*                                20641/java
udp6       0      0 :::1514                 :::*                                27966/syslog-ng
unix  2      [ ACC ]     STREAM     LISTENING     1395514  26639/master         private/discard
[root@ec1 ~]#

------------------------------
Hamdan Shakeel

Original Message:
Sent: Thu September 11, 2025 05:29 AM
From: John Dawson
Subject: IBM QRadar Node License Issue

Hi Hamdan

Is the EC listening on 514 for UDP?  If so do you have any TCP syslog logsources defined for that EC?

Are there any logs coming to the console for the EC?  Has the EC been added to the deployment and connected to a console or EP?

Thanks

------------------------------
John Dawson
Qradar Support Architect
IBM

Original Message:
Sent: Wed September 10, 2025 07:03 PM
From: Hamdan Shakeel
Subject: IBM QRadar Node License Issue

Dear Team,

I installed event collector and on event collector tcp 514 is not listening when i did the netstat and i believe all my 22 node licenses are consumed. Now i want to delete one old event collector and want to assign that event collector node license to the new event collector. Please let me know if i remove that event collector from console then the node license will free up automatically or i have to clear from backend and if yes then what will be the steps to cleanup from backend and free that node license.Please help me with immediate support.

Regards

Hamdan Shakeel

------------------------------
Hamdan Shakeel
------------------------------

Hi Hamdan

Are you receiving health metrics from the EC?

What logs are you trying to send?

Have you configured a TCP syslog logsource for this EC?

From the above I can see that it is listening on port 514 for UDP.

Thanks

Hi John,

Any feedback on shared details and put?

Hi John,

The collector is successfully added to the console and it's showing active in console. I am trying to send logs from my windows machine but its showing connection failed for the tcp 514. This is the output i am receiving when i am doing netstat on collector.

[root@ec1 ~]# netstat -nlp | grep 514
tcp6       0      0 :::1514                 :::*                    LISTEN      27966/syslog-ng
udp6       0      0 :::514                  :::*                                20641/java
udp6       0      0 :::1514                 :::*                                27966/syslog-ng
unix  2      [ ACC ]     STREAM     LISTENING     1395514  26639/master         private/discard
[root@ec1 ~]#

------------------------------
Hamdan Shakeel

Original Message:
Sent: Thu September 11, 2025 05:29 AM
From: John Dawson
Subject: IBM QRadar Node License Issue

Hi Hamdan

Is the EC listening on 514 for UDP?  If so do you have any TCP syslog logsources defined for that EC?

Are there any logs coming to the console for the EC?  Has the EC been added to the deployment and connected to a console or EP?

Thanks

------------------------------
John Dawson
Qradar Support Architect
IBM

Original Message:
Sent: Wed September 10, 2025 07:03 PM
From: Hamdan Shakeel
Subject: IBM QRadar Node License Issue

Dear Team,

I installed event collector and on event collector tcp 514 is not listening when i did the netstat and i believe all my 22 node licenses are consumed. Now i want to delete one old event collector and want to assign that event collector node license to the new event collector. Please let me know if i remove that event collector from console then the node license will free up automatically or i have to clear from backend and if yes then what will be the steps to cleanup from backend and free that node license.Please help me with immediate support.

Regards

Hamdan Shakeel

------------------------------
Hamdan Shakeel
------------------------------

Hi John,

I am not receiving anything from the event collector on console and event collector logsoure is showing not available on the console. I installed wincollect on one machine and its showing connection failed / timedout and when i tried test connection its showing connection timedout / failed. I don't have any firewall or security solution inbetween and both the devices (windows machine & event collector) are in same network. Also according to the below output its showing udp6 is listening, Is it normal behavior?

I have 4 other event collectors connected with  console from different customers and i never faced this issue. Please help to resolve.

Regards

Hamdan

Hi Hamdan

Are you receiving health metrics from the EC?

What logs are you trying to send?

Have you configured a TCP syslog logsource for this EC?

From the above I can see that it is listening on port 514 for UDP.

Thanks

Hi John,

Any feedback on shared details and put?

Hi John,

The collector is successfully added to the console and it's showing active in console. I am trying to send logs from my windows machine but its showing connection failed for the tcp 514. This is the output i am receiving when i am doing netstat on collector.

[root@ec1 ~]# netstat -nlp | grep 514
tcp6       0      0 :::1514                 :::*                    LISTEN      27966/syslog-ng
udp6       0      0 :::514                  :::*                                20641/java
udp6       0      0 :::1514                 :::*                                27966/syslog-ng
unix  2      [ ACC ]     STREAM     LISTENING     1395514  26639/master         private/discard
[root@ec1 ~]#

------------------------------
Hamdan Shakeel

Original Message:
Sent: Thu September 11, 2025 05:29 AM
From: John Dawson
Subject: IBM QRadar Node License Issue

Hi Hamdan

Is the EC listening on 514 for UDP?  If so do you have any TCP syslog logsources defined for that EC?

Are there any logs coming to the console for the EC?  Has the EC been added to the deployment and connected to a console or EP?

Thanks

------------------------------
John Dawson
Qradar Support Architect
IBM

Original Message:
Sent: Wed September 10, 2025 07:03 PM
From: Hamdan Shakeel
Subject: IBM QRadar Node License Issue

Dear Team,

I installed event collector and on event collector tcp 514 is not listening when i did the netstat and i believe all my 22 node licenses are consumed. Now i want to delete one old event collector and want to assign that event collector node license to the new event collector. Please let me know if i remove that event collector from console then the node license will free up automatically or i have to clear from backend and if yes then what will be the steps to cleanup from backend and free that node license.Please help me with immediate support.

Regards

Hamdan Shakeel

------------------------------
Hamdan Shakeel
------------------------------

Hi Hamdan

I would suggest you open a support case so the logs can be analysed to see what the issue is.

Thanks

Hi John,

I am not receiving anything from the event collector on console and event collector logsoure is showing not available on the console. I installed wincollect on one machine and its showing connection failed / timedout and when i tried test connection its showing connection timedout / failed. I don't have any firewall or security solution inbetween and both the devices (windows machine & event collector) are in same network. Also according to the below output its showing udp6 is listening, Is it normal behavior?

I have 4 other event collectors connected with  console from different customers and i never faced this issue. Please help to resolve.

Regards

Hamdan

Hi Hamdan

Are you receiving health metrics from the EC?

What logs are you trying to send?

Have you configured a TCP syslog logsource for this EC?

From the above I can see that it is listening on port 514 for UDP.

Thanks

Hi John,

Any feedback on shared details and put?

Hi John,

The collector is successfully added to the console and it's showing active in console. I am trying to send logs from my windows machine but its showing connection failed for the tcp 514. This is the output i am receiving when i am doing netstat on collector.

[root@ec1 ~]# netstat -nlp | grep 514
tcp6       0      0 :::1514                 :::*                    LISTEN      27966/syslog-ng
udp6       0      0 :::514                  :::*                                20641/java
udp6       0      0 :::1514                 :::*                                27966/syslog-ng
unix  2      [ ACC ]     STREAM     LISTENING     1395514  26639/master         private/discard
[root@ec1 ~]#

------------------------------
Hamdan Shakeel

Original Message:
Sent: Thu September 11, 2025 05:29 AM
From: John Dawson
Subject: IBM QRadar Node License Issue

Hi Hamdan

Is the EC listening on 514 for UDP?  If so do you have any TCP syslog logsources defined for that EC?

Are there any logs coming to the console for the EC?  Has the EC been added to the deployment and connected to a console or EP?

Thanks

------------------------------
John Dawson
Qradar Support Architect
IBM

Original Message:
Sent: Wed September 10, 2025 07:03 PM
From: Hamdan Shakeel
Subject: IBM QRadar Node License Issue

Dear Team,

I installed event collector and on event collector tcp 514 is not listening when i did the netstat and i believe all my 22 node licenses are consumed. Now i want to delete one old event collector and want to assign that event collector node license to the new event collector. Please let me know if i remove that event collector from console then the node license will free up automatically or i have to clear from backend and if yes then what will be the steps to cleanup from backend and free that node license.Please help me with immediate support.

Regards

Hamdan Shakeel

------------------------------
Hamdan Shakeel
------------------------------