IBM QRadar

QRADAR 7.3.1 -agent Cannot connect to configuration server

  • 1.  QRADAR 7.3.1 -agent Cannot connect to configuration server

    Posted Tue February 11, 2020 09:21 AM

    Hi, I have an issue with QRadar 7.3.1 CE. I installed WinCollect agent 7.2.9 on Windows Server 2019 and got this error in the WinCollect logs:
    02-11 02:53:06.364 ERROR SRV.Code.CertificateManager."ip": Cannot connect to configuration server (10057)
    02-11 02:53:11.364 INFO SRV.Code.CertificateManager."ip" : Attempting to retrieve the certificate from the configuration server


    1. Tried to telnet to the QRadar ports: 514 works, but 8413 does not.
    2. Checked whether any service is listening on the port with the netstat -tulpn | grep 8413 command, and there is no service listening on this port.
    3. Encrypt host connection is also unchecked.



    ------------------------------
    Ramil Mammadov
    ------------------------------


  • 2.  RE: QRADAR 7.3.1 -agent Cannot connect to configuration server

    Posted Wed February 12, 2020 01:58 PM

    @Ramil Mammadov A few issues here. First, I would recommend that you post any future questions in the support forum for WinCollect here: https://ibm.biz/wincollectforums, as it will give us better visibility of your question going forward. There is also a separate forum tag for help with QRadar CE questions, as you are currently asking in a non-support forum: https://ibm.biz/qradarceforums.

    What to do

    You need to test if your Windows Server 2019 host can connect to QRadar. A standard PING test won't work as we disable ICMP by default in QRadar for security purposes. You can enable it, but here is how to test the connection from your Windows host:

    PS C:\Users\Administrator> Test-NetConnection -ComputerName {QRadar CE IP address} -Port 8413

    • If successful, you'll see: TcpTestSucceeded 
    • If it fails, you'll see: WARNING: Ping to xxx.xxx.xxx.xxx.xxx failed -- Status: TimedOut



    If you are still having issues, then do the following:

    On your QRadar CE system, complete an Admin > Advanced > Deploy Full Configuration. Wait for this to complete. After it is done, do an Admin > Advanced > Restart Event Collection Service. This restarts ecs-ec-ingress, which contains all of the protocol code for listening for incoming events off of the wire. If this still doesn't resolve your issue, you might try adding an iptables rule to force port 8413 to listen. We have a support article on the process basics here: https://www.ibm.com/support/pages/qradar-how-edit-iptables-rules-qradar.

    If you still have issues after running through what I posted here, ask us in the WinCollect Support Forum (https://ibm.biz/wincollectforums) and we'll do our best to help.




    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------
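
The connectivity test discussed in this thread, extended as an added example (not code from either poster or from IBM): a PowerShell script, run from the Windows host, that reports for ports 514 and 8413 whether the connection was accepted, refused, or silently dropped. The function name Test-TcpPort, the parameter names and the 3-second timeout are assumptions made for this example.

```powershell
# Added example (not from the thread). Classifies how a TCP connection to each
# QRadar port fails, so "nothing listening" can be told apart from "filtered".
param(
    [Parameter(Mandatory)][string]$QRadarHost,  # QRadar CE IP address or hostname
    [int[]]$Ports = @(514, 8413),               # the two ports tested in the thread
    [int]$TimeoutMs = 3000                      # assumed timeout; adjust as needed
)

# Test-TcpPort is a hypothetical helper name, not a built-in cmdlet.
function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($TargetHost, $Port)
        if (-not $task.Wait($TimeoutMs)) {
            return 'Filtered: no reply before the timeout (packets likely dropped)'
        }
        return 'Open: a service accepted the connection'
    }
    catch {
        # Wait() surfaces the socket failure wrapped in an AggregateException.
        $err = $_.Exception.GetBaseException()
        if ($err -is [System.Net.Sockets.SocketException]) {
            switch ($err.SocketErrorCode) {
                'ConnectionRefused'  { return 'Refused: no listener on the port, or a reject rule' }
                'TimedOut'           { return 'Filtered: connection attempt timed out' }
                'HostUnreachable'    { return 'Unreachable: no route to the host' }
                'NetworkUnreachable' { return 'Unreachable: no route to the network' }
                default              { return "Failed: $($err.SocketErrorCode)" }
            }
        }
        return "Failed: $($err.Message)"
    }
    finally {
        $client.Close()
    }
}

foreach ($port in $Ports) {
    [pscustomobject]@{
        Host   = $QRadarHost
        Port   = $port
        Result = Test-TcpPort -TargetHost $QRadarHost -Port $port -TimeoutMs $TimeoutMs
    }
}
```

A "Refused" result for 8413 alongside "Open" for 514 is consistent with the netstat finding in the first post, while "Filtered" points at a firewall between the agent and QRadar.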