QRadar: All log sources are not collecting events after an upgrade

Troubleshooting

Problem

The ECS service might not listening on port 514 or any other major ports after an upgrade.

Symptom

You might find the following error message in the /var/log/qradar.log:

Error attempting to load DemoQRADAR.example.NET:ecs-ec/EC/Q1Labs_SyslogRedirect Error : java.lang.NoClassDefFoundError: com.q1labs.semsources.sources.utils.listener.tcp.ITCPSyslogListenerSubscriber

Cause

This happens when the option "Auto Restart Service" in the Auto Update page is disabled. By design, Protocols are not being installed when this option is disabled.

Resolving The Problem

To Resolve this issue use this procedure.

Log in to the QRadar User Interface.
Open the Admin settings:
1. In IBM Security QRadar V7.3.1, click the navigation menu , and then click Admin to open the Admin tab.
2. In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
Click AutoUpdates icon.
Click Get New Updates > Install All Updates.
Once this completes from the Admin page click Advanced > Restart Web Server.

To prevent the problem from reoccurring do the following.

From the Admin tab, click AutoUpdates icon > Change Settings.
Check the box to enable the Auto Restart Service > click Save.
Changes do not need to be Deployed.

Results: Log Sources are now collecting events.

Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Upgrade","Platform":[{"code":"PF016","label":"Linux"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Tips

QRadar: All log sources are not collecting events after an upgrade

Troubleshooting

Problem

Symptom

Cause

Resolving The Problem

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?