IBM QRadar

  • 1.  Upgrade to 7.4.0 FP3

    Posted Mon July 20, 2020 06:48 PM

    Did an upgrade from 7.3.2.6 to 7.4.0.3. It looks like the e-mail server has stopped working on the console. The reports stopped sending through e-mail, as well as the rules. Am I the only one facing this issue?



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Upgrade to 7.4.0 FP3
    Best Answer

    Posted Tue July 21, 2020 06:02 PM

    In QRadar 7.4.0, a new email server update was added to support Secure SMTP. There isn't much to go on here in this post, but I would review your configuration in the UI and look at /var/log/qradar.log for SMTP messages.

    You could confirm that your email server is configured properly. Or, you might want to collect log files and open a case if you do not see any issues. I normally grep for EmailDestination when I'm looking at logs, but a support rep could also do this for you in your case.


    The types of messages you would want to look for on the Console: [type=com.eventgnosis.system.ThreadedEventTerminator][parent=<ConsoleIP>:ecs-ep/EP/EmailDestination]] com.q1labs.sem.util.EmailSender: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception attempting to send email: Sending the email to the following server failed : localhost:25


    I'm not aware of any email server issues in your specific QRadar version, but this probably needs a case to do an investigation if your configuration in the UI is correct. We have seen issues where customers with an All-in-One appliance add Event Collectors and the SMTP settings do not get replicated over properly. Or it could also be due to an issue where the SMBTail protocol could bind up all available ports and prevent the EmailDestination from being able to send the message. We were not able to reproduce the SMBTail problem in our lab. So, I think having a case created to confirm what is in the logs will help. You could try to restart ecs-ep as described in IJ16965, but the logs will tell us more and we'd be able to give more advice.

    https://www.ibm.com/community/qradar/home/apars/?IJ16965


    Let us know if you have follow-up questions.






  • 3.  RE: Upgrade to 7.4.0 FP3
    Best Answer

    Posted Thu July 23, 2020 07:44 PM

    So my setup was very simple. I was using the localhost configuration as a mail service; I did not have anything else configured, just the default e-mail server, and everything was running smoothly: all the e-mails were sent for events, for reports, all good. After the update, nothing.

    I did a grep for EmailDestination in qradar.log as well as in qradar.error but nothing returned.

    I did, though, find some logs in the maillog. The e-mail looks to be deferred, "status=deferred (mail for localhost loops back to myself)", and there looks to be a "warning: relayhost configuration problem". Upon checking the /etc/postfix/main.cf file, I see that relayhost = [localhost]:25 is defined. The problem is that any time I edit the file and restart postfix, the file returns to its initial state. Any thoughts on this?





  • 4.  RE: Upgrade to 7.4.0 FP3
    Best Answer

    Posted Tue August 04, 2020 05:59 PM

    Support Member, it looks like after the upgrade the relay in the postfix configuration file is updated to [localhost]:25. This caused the e-mail to be deferred.

    Seen the issue on two different environments upgraded to 7.4.0.3, from differently patched 7.3.2 and 7.3.3.

    Thanks,

    George.



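As an added example (not from this thread, nor from IBM's or Postfix's own tooling), a POSIX shell check for the two symptoms the posts above describe: a main.cf relayhost that points back at the local host, and "loops back to myself" deferrals in maillog. The file paths, the sample main.cf and the maillog lines are constructed for the demo.

```shell
#!/bin/sh
# Added example: detect the Postfix relay loop described in the thread.

# Exit 0 when the relayhost value names the local loopback (a mail loop),
# 1 otherwise. Takes the value as written in main.cf, e.g. "[localhost]:25".
relayhost_loops() {
    case "$1" in
        localhost|localhost:*|\[localhost\]*) return 0 ;;
        127.0.0.1|127.0.0.1:*|\[127.0.0.1\]*|\[::1\]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print LOOP, OK or UNSET for the effective relayhost line of a main.cf.
# Comment lines are skipped; Postfix uses the last definition, so do we.
check_main_cf() {
    value=$(sed -n '/^[[:space:]]*relayhost[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}' "$1" | tail -n 1)
    if [ -z "$value" ]; then
        echo UNSET
    elif relayhost_loops "$value"; then
        echo LOOP
    else
        echo OK
    fi
}

# Count maillog lines that report the loop-back deferral (prints 0 if none).
count_loop_deferrals() {
    grep -c 'loops back to myself' "$1" || true
}

# Stand-alone demo on constructed sample files (hypothetical contents).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/main.cf" <<'EOF'
myhostname = qradar-console.example.test
# relayhost = [smtp.example.test]:587
relayhost = [localhost]:25
EOF
    cat > "$tmp/maillog" <<'EOF'
Jul 21 10:00:01 qradar postfix/smtp[1234]: 0A1B2C: to=<soc@example.test>, relay=localhost[127.0.0.1]:25, status=deferred (mail for localhost loops back to myself)
Jul 21 10:05:01 qradar postfix/smtp[1240]: 0A1B2D: to=<soc@example.test>, relay=localhost[127.0.0.1]:25, status=deferred (mail for localhost loops back to myself)
EOF
    echo "relayhost: $(check_main_cf "$tmp/main.cf")"                   # relayhost: LOOP
    echo "loop-back deferrals: $(count_loop_deferrals "$tmp/maillog")"  # loop-back deferrals: 2
    rm -rf "$tmp"
}

demo
```

Run it against the real files with `check_main_cf /etc/postfix/main.cf` and `count_loop_deferrals /var/log/maillog` on the console to confirm whether the relay loop is what is deferring the QRadar mail.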