Hi All,

We are currently doing some testing for upgrades and was creating a temporary environment to simulate the production. Upon installing Qradar, we found that the port 8413 and 514 aren't running, even though we see Wincollect is present in the WebUI. There is nothing listening on these ports. Every WinCollect agent we installed was unable to communicate with the console, we have already open the ports from the agent side. Any advises or is there an extra steps needed to done?

Thank you.

Regards,

Nestaz

You could attempt to run the following command; however, I would recommend getting QRadar Support to assist with this issue so the problem can be confirmed.

Typically, when you cannot communicate on port 8413, it is due to a cert issue. The cert issue is the most common, but if you use the command: openssl s_client -connect localhost:8413 < /dev/null it should return cert information that you can confirm.

Sometimes these steps can help, but we recommend you contact support for assistance or at minimum make a backup copy of your keystore before running the command in step 3:

1. mkdir /root/IBM_support
2. mv /opt/qradar/conf/syslog-tls.keystore /root/IBM_support
3. /opt/qradar/bin/syslog_tls_import_cert.sh
4. Log in to the Console UI.
5. Click Admin > Advanced > Restart Event Collection Service. This restarts the ecs-ec-ingress. Optionally, you can do this from the command line using the systemctl restart ecs-ec-ingress

You could also try the following command: touch /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/q1labs_semsources_protocol_WinCollectConfigServerProtocol.jar

If you continue to have issues, you might try reinstalling the latest WinCollect SFS on the Console.

If you are still stuck with this issue, you might need to contact support for further assistance.