IBM QRadar

I've configured the Qualys app but I'm getting the following error for Host Detection "Socket connection on port 12468 configured for QualysMultiline log source is refused. Please refer the app user guide. Error while connecting to socket: [Errno 110] Connection timed out"

The documentation says "This error occurs when the Listen port is not LISTENING. You need to do the Deploy Full Configuration on QRadar box to resolve this issue." but this does not solve the issue.

I can see the iptable was updated as well - Adding firewall rule on host: 192.168.12.142, protocol: TCPMultilineSyslog, port: 12468, transProtocol: TCP, rule: -A QChain -m state --state NEW -m tcp -p tcp --dport 12468 -j ACCEPT

Any suggestions how to resolve this?

did you check 12468 on the target eventcollector whether it is opened or not? If not, then do a full deploy configuration and after that also if the port is not in LISTEN state, then you might want to restart ecs-ec-ingress service.

Note: restarting ecs-ec-ingress service is the event collection service and until the service comes up, there will be a disruption in the event collection service for that brief period during restart.

After doing the above steps, if you are not seeing the port in LISTEN state, then you can open up a support ticket with IBM.

Important: (before opening up support ticket with IBM)

1. if you see the port 12468 in LISTEN state and you are able to reach to the target event collector over port 12468 from within the container and still the Qualys app is complaining about the port then DO NOT open support ticket with IBM rather open support ticket with app vendor (Qualys).

Hi Stephen,

how did you solve this issue?

Regards,

Ralph