IBM Support

QRadar: Monitor the number of Active TLS Syslog connections on QRadar.

Question & Answer


TLS Syslog protocols allow each configured port to accept 50 connections and up to 1000 in newer versions of the protocol, but is there an easy way to monitor the number of active connections?


TLS Syslog on older appliances can accept 50 connections per port. Using the newer TLS Syslog protocol you can now use 1000 connections per appliance. For example you can allocate these as 1000 connections per port, 500 on two ports or any other combination that equals 1000 connections on that appliance. Dropped TLS Syslog connections may be noticed by Administrators if they lost count of their Maximum Connections.


Procedure to view the number of active TLS Syslog connections

  1. SSH to the Console or Event Collector accepting the TLS Syslog connections.
  2. Run the command:
    netstat -np | grep -i ESTABLISHED | grep <TLS Syslog port> | cat -n

    Note: In this example the TLS Syslog port is 6514 which is the default. If you used a different port in your Log Source configuration replace it in the command:

3. Connections are listed in the first column and represent the count:

If the results are showing the count as the value configured in the Log Source for Maximum Connections, then you will need to increase it. If you have reached the 1000 connection limit, you will need to configure a TLS Syslog Log Source on another QRadar appliance in order to accept additional connections.

Procedure to edit the number of active TLS Syslog connections

  1. Click Admin tab > Log Sources icon.
  2. Find the TLS Syslog Log source that was configured to accept connections on the port from the prior procedure.
  3. Edit the TLS Syslog Log Source and raise the Maximum Connections count.

Result: Your Maximum TLS Syslog Connection Limits can be monitored and adjusted on your appliance.

Note: The ability to modify Maximum Connections in a TLS Syslog Log Source was introduced on version 7.2.0-QRADAR-PROTOCOL-TLSSyslog-7.2-20151028074735.noarch.rpm of the protocol.
To verify the protocol version in your deployment meets or exceeds this requirement.
  1. SSH to the Console.
  2. Enter the command.
    yum list | grep -i tlssyslog

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Admin Console","Platform":[{"code":"PF016","label":"Linux"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
26 January 2021