IBM Security QRadar

  • 1.  QRadar Collector not listening to ports 514 and 8413

    Posted Tue October 15, 2019 10:03 AM
    Hello everyone, 
    I just installed a QRadar collector as a managed host. The deployment went well; however, I notice that the collector is not listening on these ports: 514 and 8413.
    Both hosts have the same version.
    Any help? @JONATHAN PECHTA

    ------------------------------
    Famara Attout Bodian
    ------------------------------


  • 2.  RE: QRadar Collector not listening to ports 514 and 8413

    Posted Fri October 25, 2019 07:56 AM
    Hi @Famara Bodian,

    Sometimes just restarting the box helps. As the ports are not open, you would not be receiving events on 514, so it is safe to restart the box, I would say.
    Let me know if it helps :)

    Chinmay Kulkarni

    ------------------------------
    Chinmay Kulkarni
    ------------------------------



  • 3.  RE: QRadar Collector not listening to ports 514 and 8413

    Posted Fri October 25, 2019 08:47 PM
    Hello @Chinmay Kulkarni,
    Yes, I already did that. I was told the problem is that we didn't purchase a software node, so our software install of QRadar Collector won't work.
    Thanks


    ------------------------------
    Famara Attout Bodian
    ------------------------------



  • 4.  RE: QRadar Collector not listening to ports 514 and 8413

    Posted Fri October 25, 2019 06:28 PM

    @Famara Bodian

    Sorry for the delay, we don't keep a close eye on these forums like we do the official support forums and I was also on the road training new support reps. For future reference, best to ask any WinCollect / technical questions here: https://ibm.biz/wincollectforums and include the qradar and wincollect tags for visibility to support and development. If you ever need to reach out too, you can always drop me a direct email: jonathan.pechta1@ibm.com as I get a LOT of forum pings and the occasional email helps me prioritize questions / discussions.

    I wonder if services are running properly on that Event Collector. QRadar should always be listening on 514 on all interfaces, both TCP and UDP. A netstat can confirm, but if they are not listening, then you should get a case opened. I don't know what netstat says, but is it listening? 

    Run: netstat -nlp | grep 8413 to confirm. The status should be LISTEN.

    Usually the best way to validate if 8413 is communicating to your agent is to look at the Windows side. If you move/rename C:\Program Files\IBM\WinCollect\config\ConfigurationServer.PEM to ConfigurationServer.old and refresh, the system should immediately send you a new PEM file when you press F5 in Windows Explorer. If you don't see a PEM file regenerated, then there is likely an issue on the WinCollect Agent side where something does not line up as expected.

    If there are communication errors or you don't see ConfigurationServer.PEM recreated immediately, the agent likely cannot talk. You will see messages like this in the logs in C:\Program Files\IBM\WinCollect\logs\WinCollect.log:

    03-10 03:02:05.845 ERROR SRV.Code.SSLTCPRawSocket.xx.xx.xx.xx:8413 : Cannot connect to server -- Error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

    This ^^ error message indicates that something is being blocked because the QRadar appliance never responded. 

    You can always test using tcpdump to validate whether the Agent is attempting to talk on port 8413 as well, or if something is being blocked in the network. This is best to do with a support rep, but be aware that it will cause a data outage.

    1. Log in to the QRadar Console using the root user.

    2. Open an SSH session to the Event Collector appliance.

    The ecs-ec-ingress service takes all data off of the wire, listens for connections, and should be listening for connections on 8413. Be aware that this will cause a 5-10 second event collection outage on that appliance while ecs-ec-ingress restarts. 

    3. During a maintenance window or with a support rep, type the following command to restart ecs-ec-ingress: systemctl restart ecs-ec-ingress

    4. Run a TCP dump command with the IP of your Windows host to see if it is generating packets on 8413. For example, type: tcpdump -nnAs0 -c 2 -i eth0 host {WinCollectAgentIP} and port 8413

    Where {WinCollectAgentIP} is the IP address of the Windows host that has the WinCollect agent installed. 

    Results

    If you aren't seeing packets, then this means that the WinCollect agent is not attempting to communicate, meaning that either the WinCollect Service (WinCollectSvc.exe) or the WinCollect.exe (WinCollect Agent) is not operating as expected.

    Another good check is to verify that the Console isn't set to be encrypted to itself. This isn't your issue, but since a number of users have been hitting this lately I thought I'd add it here. Checking whether your Console is encrypted to itself is worthwhile because it can prevent agents from discovering properly:

    1. Log in to the QRadar user interface and click the Admin tab.

    2. Open the System & License Management tab.

    3. From the Display drop-down, select Systems.

    4. Select your Console appliance. 

    5. Click Deployment Actions > Edit Host.

    6. If Encrypt Host Connections is selected, you must clear the check box. For example:

    Console encrypted to itself when this box is checked in the Deployment settings.

    The Console should not have this option set as it can prevent agents from registering. We are looking to change this for the Console in a future release so it cannot be selected, but this is basically telling the Console to encrypt connections to itself, which is unnecessary. 

    7. Click Save.

    I'm not sure what your status is, but the WinCollect.log on the Windows host will give the best details. If you see tcpdump packets coming in on 8413, you are going to want to run /opt/qradar/support/get_logs.sh on that Event Collector and let us take a look.

    I know I'm late to the party, but I hope this helps other users who come across this info.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------
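The listener check and the WinCollect.log check from the reply above, as an added example that is not part of the original thread or of QRadar/WinCollect itself. It parses constructed netstat -nlp and WinCollect.log samples instead of running netstat on a live collector, so it runs offline; the second log line and its "SRV.Code.Config" tag are invented filler.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a QRadar Event Collector for the
# listeners the reply expects (514/tcp, 514/udp, 8413/tcp) by parsing
# netstat -nlp output, and counts WinCollect 8413 connect errors in WinCollect.log.

REQUIRED="tcp:514 udp:514 tcp:8413"

# check_listeners: reads netstat -nlp output on stdin; prints the required
# proto:port pairs that have no LISTEN (tcp) or bound (udp) socket.
# Returns 0 when everything is listening, 1 otherwise.
check_listeners() {
    input=$(cat)
    missing=""
    for req in $REQUIRED; do
        proto=${req%%:*}
        port=${req##*:}
        # Column 4 is "Local Address", column 6 is "State" (empty for udp).
        if ! printf '%s\n' "$input" | awk -v p="$proto" -v n="$port" '
            $1 ~ ("^" p "6?$") && $4 ~ (":" n "$") {
                if (p == "udp" || $6 == "LISTEN") found = 1
            }
            END { if (found) exit 0; exit 1 }'; then
            missing="$missing $req"
        fi
    done
    if [ -n "$missing" ]; then
        echo "NOT LISTENING:$missing"
        return 1
    fi
    echo "all required ports listening"
}

# count_connect_errors: reads WinCollect.log on stdin; prints how many
# SSLTCPRawSocket "Cannot connect to server" errors target port 8413.
count_connect_errors() {
    awk '/ERROR SRV\.Code\.SSLTCPRawSocket\..*:8413 : Cannot connect to server/ { n++ }
         END { print n + 0 }'
}

# Constructed samples: a collector missing 8413/tcp, and a log with one error.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1234/java
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1234/java'
SAMPLE_LOG='03-10 03:02:05.845 ERROR SRV.Code.SSLTCPRawSocket.xx.xx.xx.xx:8413 : Cannot connect to server -- Error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
03-10 03:02:10.001 INFO  SRV.Code.Config : Configuration refresh scheduled'

printf '%s\n' "$SAMPLE_NETSTAT" | check_listeners || echo "-> check ecs-ec-ingress, then open a support case"
echo "8413 connect errors in WinCollect.log: $(printf '%s\n' "$SAMPLE_LOG" | count_connect_errors)"
```

On a real collector, replace the sample with `netstat -nlp | check_listeners`; a missing 8413/tcp with a non-zero error count in WinCollect.log is the pattern the reply describes.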



  • 5.  RE: QRadar Collector not listening to ports 514 and 8413

    Posted Fri October 25, 2019 06:31 PM
    Hey Jonathan,

    Just curious, I did answer on the forum, did I do something wrong where it didn't show up?










  • 6.  RE: QRadar Collector not listening to ports 514 and 8413

    Posted Fri October 25, 2019 08:31 PM
    Hello @Jonathan Pechta
    I got a reply from Richard Gingras. He told me the problem is because we didn't purchase a software node, so our software install of QRadar Collector won't work.
    Best regards




    ------------------------------
    Famara Attout Bodian
    ------------------------------