IBM QRadar

  • 1.  TLS Port 6514 not listen

    Posted Thu April 08, 2021 04:06 AM

    Hello,

    Does anyone know why port 6514 in QRadar is not listening? The documentation says it's listening by default.

    Thank you.

    Regards.



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: TLS Port 6514 not listen
    Best Answer

    Posted Fri April 09, 2021 06:45 PM

    Normally, listen ports are not opened until a deploy is completed when you create a new log source for the appliance (Target Event Collector) field. If you are having deploy issues or your deploy was stuck, this could be the reason.

    What I'd do:

    1. If you have a maintenance window upcoming, try to complete a full deploy (Admin tab > Advanced > Deploy Full Configuration).
    2. If you continue to have issues, use SSH to connect to the QRadar Console as the root user.
    3. Open an SSH session to the appliance that is the Target Event Collector in the log source configuration.
    4. NOTE: This step temporarily stops event collection for a few seconds. To restart the ecs-ec-ingress service, type: systemctl restart ecs-ec-ingress
    5. Confirm the port is listening: netstat -an | grep -i 6514

    You could also look at /var/log/qradar.log to confirm there are not any errors. If you see the ecs-ec-ingress.ecs-ec-ingress service report NoClassDefFoundError, this could indicate an install or path issue somewhere that would require a support case. For example:

    [ecs-ec-ingress.ecs-ec-ingress] [3542fb4f-2f2a-45e1-bbda-c6ce049129bb/SequentialEventDispatcher] java.lang.NoClassDefFoundError: com.q1labs.frameworks.crypto.trustmanager.extended.Q1X509FullTrustManager
    [ecs-ec-ingress.ecs-ec-ingress] [3542fb4f-2f2a-45e1-bbda-c6ce049129bb/SequentialEventDispatcher] at com.q1labs.semsources.sources.tlssyslog.TLSSyslogSource.createProvider(TLSSyslogSource.java:76)

    These steps ^^ are the most common troubleshooting issue. If these do not work for you, you might want to confirm that there are no errors in the logs on that appliance.

    The LSM app will provide an SSL connection output as a success or failure. I was trying to add a screen cap, but the forum wouldn't let me. :(

    Optionally, you could try changing the port to 6515 and running a test in the Log Source Management app to see if it succeeds or fails.

    ----- LSM app output example -----

    X Testing SSL connection to [xxx.xxx.xx.x]

    Initiating SSL handshake to [xxx.xx.xx.x] on port [6515] with a timeout of 10000ms

    Error: Unable to connect to host on port [6515]: Connection refused (Connection refused)

    ----------------

    If none of these appear to work for you, you can open a case with QRadar Support and we can confirm through debug logs what the cause of the port listen issue is.

    Similar post: https://www.ibm.com/mysupport/s/question/0D50z000062l3OOCAY/qradar-ce-not-listening-on-default-tls-syslog-port



    #QRadar
    #Support
    #SupportMigration
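
The two checks from the answer above (is the port in LISTEN state, and did ecs-ec-ingress log a NoClassDefFoundError), written as an added example that is not part of the original posts or IBM's tooling. The function names, verdict strings and sample data are assumptions made for illustration; the listener check matches only the local-address column, so a connection to a remote port 6514 is not mistaken for a local listener.

```shell
#!/bin/sh
# Added example (not IBM code). Works on saved `netstat -an` output and a
# copy of qradar.log, so it can be run offline.

# Succeeds if `netstat -an` output on stdin has a TCP LISTEN socket on port $1.
port_listening() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")      # column 4 is the local address
            if (a[n] == p) found = 1   # last ":"-separated field is the port
        }
        END { exit(found ? 0 : 1) }'
}

# Prints how many ecs-ec-ingress NoClassDefFoundError lines log file $1 holds.
ingress_class_errors() {
    awk '/\[ecs-ec-ingress\.ecs-ec-ingress\]/ && /NoClassDefFoundError/ { n++ }
         END { print n + 0 }' "$1"
}

# diagnose PORT NETSTAT_FILE LOG_FILE -> prints a one-word verdict.
diagnose() {
    if port_listening "$1" < "$2"; then
        echo "listening"
    elif [ "$(ingress_class_errors "$3")" -gt 0 ]; then
        echo "class-load-error"        # the support-case situation described above
    else
        echo "no-listener"             # check deploy state, then restart the service
    fi
}

# Constructed sample data (not captured from a real appliance).
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::514                  :::*                    LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:6514           ESTABLISHED
EOF
}
sample_log() {
    cat <<'EOF'
[ecs-ec-ingress.ecs-ec-ingress] [dispatcher] java.lang.NoClassDefFoundError: com.q1labs.frameworks.crypto.trustmanager.extended.Q1X509FullTrustManager
[ecs-ec.ecs-ec] [main] Started
EOF
}
```

On the Target Event Collector, save the output with `netstat -an > ns.txt` and run `diagnose 6514 ns.txt /var/log/qradar.log`.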