IBM QRadar

  • 1.  Not listening for syslogs on 514 port

    Posted Mon February 22, 2021 10:24 AM

    I installed a fresh QRadar community, and have configured a syslog event source.

    But QRadar is not listening on port 514 (neither TCP nor UDP).

    Do you have any idea?

    Here is the output of netstat:

    [root@localhost ~]# netstat -nlp|grep 514
    tcp6       0      0 :::1514                 :::*                    LISTEN      24177/syslog-ng
    udp6       0      0 :::1514                 :::*                                24177/syslog-ng

    Many thanks for your help!



    ------------------------------
    Francois Ihry
    ------------------------------
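
An added example, not part of the original posts: `grep 514` in the check above also matches port 1514, so this script parses `netstat -nlp` output and compares the local port exactly. The function names are hypothetical; the sample lines are the two quoted in the post.

```shell
#!/bin/sh
# Exact-port listener check over `netstat -nlp`-style output (added example).

# The two netstat lines quoted in the post above.
SAMPLE='tcp6       0      0 :::1514                 :::*                    LISTEN      24177/syslog-ng
udp6       0      0 :::1514                 :::*                                24177/syslog-ng'

# listeners_on_port PORT  (hypothetical helper)
# Reads netstat -nlp output on stdin and prints "proto local_address owner"
# for every tcp/udp socket whose local port is exactly PORT.
listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            # The port is the last ":"-separated piece for both the
            # IPv4 (0.0.0.0:514) and IPv6 (:::514) address forms.
            n = split($4, part, ":")
            if (part[n] == port) print $1, $4, $NF
        }'
}

# port_status PORT  (hypothetical helper)
# Reads the same input on stdin; prints "listening" or "not listening".
port_status() {
    if [ -n "$(listeners_on_port "$1")" ]; then
        echo "listening"
    else
        echo "not listening"
    fi
}

# On the sample, 514 has no listener while 1514 (syslog-ng) has two.
printf '%s\n' "$SAMPLE" | port_status 514
printf '%s\n' "$SAMPLE" | listeners_on_port 1514
```

On a live host, pipe the real output in instead of the sample: `netstat -nlp | port_status 514`.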


  • 2.  RE: Not listening for syslogs on 514 port
    Best Answer

    Posted Mon February 22, 2021 01:32 PM
    Hi Francois,

    You have to apply this fix first:

    if [ -f /opt/qradar/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/ecs/license.txt ; fi
    if [ -f /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ; fi
    if [ -f /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ; fi
    if [ -f /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ; fi
    if [ -f /usr/eventgnosis/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /usr/eventgnosis/ecs/license.txt ; fi
    if [ -f /opt/qradar/conf/templates/ecs_license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/conf/templates/ecs_license.txt ; fi


    Details here:
    https://www.ibm.com/support/pages/node/6395080

    Regards,
    Ralph


    ------------------------------
    Ralph Belfiore
    IT Security Senior Consulting
    pro4bizz GmbH
    Karlsruhe
    +49 721 90981720
    ------------------------------



  • 3.  RE: Not listening for syslogs on 514 port

    Posted Tue February 23, 2021 03:08 AM
    Thank you Ralph, it was exactly that.

    ------------------------------
    Francois Ihry
    ------------------------------