IBM Support

QRadar: Windows forwarder causes excessive "TcpSyslog read failed, connection reset from 127.0.0.1" messages in logs

Troubleshooting


Problem

A Windows forwarder causes an excessive number of "read failed, connection reset" messages to be logged for TCP syslog log sources.

Symptom

Look in /var/log/qradar.log for messages similar to:

Aug 28 11:00:56 127.0.0.1 [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO][NOT:0000006000][10.10.x.x/- -] [-/- -]TcpSyslog(0.0.0.0/514) read failed, connection reset from 10.10.x.x
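A quick way to find which forwarder is responsible is to count the "read failed, connection reset from <ip>" messages per remote address. The following PowerShell function is an added example, not part of this technote; it works on a copy of qradar.log (for instance one transferred to an administrator's workstation) and the sample lines embedded below are constructed, with the 10.10.1.5 and 10.10.2.9 addresses and the threshold value chosen for illustration only.

```powershell
# Added example (not from the IBM technote): count "read failed, connection reset"
# messages per remote source in a copy of /var/log/qradar.log so the forwarder that
# opens a new TCP connection for every payload can be identified.
# The log lines below are constructed samples; only the
# "read failed, connection reset from <ip>" fragment matters for the match.
$sampleLog = @'
Aug 28 11:00:56 127.0.0.1 [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO][NOT:0000006000][10.10.1.5/- -] [-/- -]TcpSyslog(0.0.0.0/514) read failed, connection reset from 10.10.1.5
Aug 28 11:00:56 127.0.0.1 [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO][NOT:0000006000][10.10.1.5/- -] [-/- -]TcpSyslog(0.0.0.0/514) read failed, connection reset from 10.10.1.5
Aug 28 11:00:57 127.0.0.1 [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO][NOT:0000006000][10.10.1.5/- -] [-/- -]TcpSyslog(0.0.0.0/514) read failed, connection reset from 10.10.1.5
Aug 28 11:00:57 127.0.0.1 [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO][NOT:0000006000][10.10.2.9/- -] [-/- -]TcpSyslog(0.0.0.0/514) read failed, connection reset from 10.10.2.9
Aug 28 11:00:58 127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [Thread] unrelated informational line
'@

function Get-ConnectionResetCounts {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        # Sources with at least this many resets in the sampled window are flagged.
        # The value is a constructed illustration; tune it to the volume of your deployment.
        [int]$Threshold = 2
    )
    $pattern = 'read failed, connection reset from (?<ip>\d{1,3}(?:\.\d{1,3}){3})'
    $counts  = @{}
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $ip = $Matches['ip']
            # $null + 0 evaluates to 0, so a first sighting starts the count at 1.
            $counts[$ip] = ($counts[$ip] + 0) + 1
        }
    }
    foreach ($entry in ($counts.GetEnumerator() | Sort-Object Value -Descending)) {
        [pscustomobject]@{
            Source  = $entry.Key
            Resets  = $entry.Value
            Suspect = ($entry.Value -ge $Threshold)
        }
    }
}

# Against a real copy of the log:
#   Get-ConnectionResetCounts -Lines (Get-Content .\qradar.log) -Threshold 50
Get-ConnectionResetCounts -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the constructed sample this reports 10.10.1.5 with three resets (flagged) and 10.10.2.9 with one. A legitimate forwarder that keeps its connection open produces at most a handful of these messages over a day, so a source with hundreds or thousands in a short window is almost always one that reconnects per event.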

Resolving The Problem

The excessive "read failed, connection reset" messages were the result of an administrator creating a TCP syslog forwarder by using a PowerShell script on a Windows™ server. These messages are common when a Log Source opens a new TCP connection for each payload, because QRadar logs the close of every connection it was reading from. Administrators need to ensure that each Log Source uses a single connection for its payloads. If an administrator creates a scripted Log Source, it must use RFC 5424 for the Syslog protocol.

Results
To resolve this issue, use a Log Source that does not open a new connection with every payload. Refer to the forums for help creating scripted or custom Log Sources.
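The following PowerShell is an added example and is not the script from the affected deployment or code supplied by IBM. It places the pattern that causes the problem (one TCP connection per event) beside a corrected forwarder that formats each event as RFC 5424 and sends a whole batch over one connection. The collector address and port are placeholders, the facility/severity defaults and the application name are constructed, and newline (LF) delimiting of messages on the TCP stream is an assumption about the listener, not something the technote states.

```powershell
# Added example (not from the IBM technote): a per-connection forwarder that
# reproduces the reported symptom, beside a corrected RFC 5424 forwarder that
# keeps one TCP connection for the whole batch.
# Assumptions: $Collector / $Port are placeholders for the QRadar Event Collector;
# messages are delimited on the TCP stream by a trailing newline (LF).

$Collector = '10.10.0.1'   # placeholder, replace with the Event Collector address
$Port      = 514

# Anti-pattern: open, write one event, close. Every close is seen by QRadar as
# "read failed, connection reset from <host>".
function Send-SyslogPerConnection {
    param([Parameter(Mandatory)][string]$Message)
    $client = [System.Net.Sockets.TcpClient]::new($Collector, $Port)
    $stream = $client.GetStream()
    $bytes  = [System.Text.Encoding]::UTF8.GetBytes($Message + "`n")
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Flush()
    $client.Close()   # connection torn down after a single event
}

# Corrected form, part 1: build an RFC 5424 message.
# <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD SP MSG
function Format-Rfc5424 {
    param(
        [int]$Facility = 1,                     # user-level (constructed default)
        [int]$Severity = 6,                     # informational (constructed default)
        [string]$HostName = $env:COMPUTERNAME,
        [string]$AppName  = 'ps-forwarder',     # constructed app name
        [string]$ProcId   = "$PID",
        [string]$MsgId    = '-',
        [Parameter(Mandatory)][string]$Msg
    )
    $pri = ($Facility * 8) + $Severity
    # RFC 5424 TIMESTAMP: milliseconds and a numeric UTC offset, e.g. 2020-07-28T11:00:56.123+02:00
    # (the 'o' round-trip format is avoided because its 7 fractional digits exceed the RFC's 6).
    $ts = [DateTimeOffset]::Now.ToString("yyyy-MM-dd'T'HH':'mm':'ss.fffzzz")
    # '-' for STRUCTURED-DATA means none is present.
    return "<$pri>1 $ts $HostName $AppName $ProcId $MsgId - $Msg"
}

# Corrected form, part 2: one connection, many events.
function Send-SyslogBatch {
    param(
        [Parameter(Mandatory)][string[]]$Messages,
        [string]$Server  = $Collector,
        [int]$TcpPort    = $Port
    )
    $client = [System.Net.Sockets.TcpClient]::new($Server, $TcpPort)
    try {
        $stream = $client.GetStream()
        foreach ($m in $Messages) {
            $frame = Format-Rfc5424 -Msg $m
            $bytes = [System.Text.Encoding]::UTF8.GetBytes($frame + "`n")   # LF-delimited
            $stream.Write($bytes, 0, $bytes.Length)
        }
        $stream.Flush()
    }
    finally {
        $client.Close()   # exactly one close for the whole batch
    }
}

# Usage with constructed events:
# Send-SyslogBatch -Messages @('user alice logged on', 'service spooler started')
```

In a long-running forwarder the connection would be opened once at start-up and reused for the life of the process, reconnecting only when a write fails; the batch form above is the smallest version of that idea. Because the listener only sees a connection close when the batch ends, the "read failed, connection reset" message is logged once per run instead of once per event, and the RFC 5424 header gives QRadar a timestamp and hostname it can parse without relying on the source IP of the connection.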

Document Location

Worldwide


Document Information

Modified date:
28 July 2020

UID

ibm16240910