IBM QRadar

Hi.

We have serious issues. Event collectors/processors stop sending logs to Console, port 514 on all servers is not in LISTEN mode. We checked almost everything : Network congfigurations, firewalls, Full configuration deployment, Restarting Web Servers, reconfiguring network configurations but it didn't help. Event collectors/processors, hostcontext, syslog-ng services are also started. Please, assist.

Support Member

Do you have your QRadar version? There is a known issue where the logs write a "Waiting for license..." issue in the collection service (ecs-ec-ingress). I would verify that you've run the command in this Flash Notice that went out to all users.

What to do:

1. Read this technical note: https://www.ibm.com/support/pages/node/6395080
2. Run the command with all_servers.sh in Step 2, command #1 on your Console appliance. This all_servers command will update all appliances in the deployment.
3. Wait a few minutes for the updates to take place.
4. Verify in the Log Activity tab that you see events.

I would start by running the command listed. If you continue to have issues, open a case and set it to Severity 1 / System down. If you need to escalate your case, request a Duty Manager here using this procedure: https://www.ibm.com/support/pages/node/571863

We use 7.2.8 version which is not supported anymore. Can we apply it in this version?

Yes. This defect is for all versions.

Check : https://www.ibm.com/support/pages/node/6395080