IBM Support

QRadar: Why Are Many QRadar Sockets On Port 32006 In TIME_WAIT Status

Question & Answer


Question

Why are many QRadar network sockets on port 32006 in TIME_WAIT status?

Cause

The Console opens many sockets on port 32006, and they are in TIME_WAIT status. These open sockets can be waiting on localhost, Event Processors, Flow Processors, or Data Nodes that are not using encrypted connections.

Answer

For both user and backend process searches, QRadar leaves these connections in a TIME_WAIT status even though the returned data might be complete. Hosts that have an encrypted connection do not show this symptom. TIME_WAIT sockets are working as designed.

The following command shows all connections on port 32006:

    netstat -nalp | grep 32006

The sockets in TIME_WAIT status are cleaned up after they reach the timeout defined in the following files:

    /etc/sysctl.conf
    /proc/sys/net/ipv4/tcp_fin_timeout

The recommendation is to leave the timeout setting as is, so that your system stays close to the baseline that developers expect in the field.
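
An added example, not part of the IBM document: shell functions that count sockets on port 32006 by state and group the TIME_WAIT ones by peer, matching the port field exactly so that a PID or other number containing 32006 is not counted, as it would be by the grep above. The function names and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize TCP socket states for one port from netstat output.
# The port field is compared exactly, so the last sample line below
# (PID 32006) is ignored here although `grep 32006` would match it.

# Constructed sample of `netstat -nalp` output (addresses and PIDs are made up).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:32006           0.0.0.0:*               LISTEN      4120/java
tcp        0      0 127.0.0.1:51514         127.0.0.1:32006         TIME_WAIT   -
tcp        0      0 127.0.0.1:51520         127.0.0.1:32006         TIME_WAIT   -
tcp        0      0 10.0.0.10:40112         10.0.0.21:32006         TIME_WAIT   -
tcp        0      0 10.0.0.10:40118         10.0.0.21:32006         ESTABLISHED 4120/java
tcp        0      0 10.0.0.10:22            10.0.0.99:50122         ESTABLISHED 32006/sshd
EOF
}

# port_state_counts PORT: read netstat lines on stdin, print "STATE COUNT"
# for every TCP socket whose local or remote port equals PORT.
port_state_counts() {
    awk -v port="$1" '
        $1 ~ /^tcp/ {
            n = split($4, l, ":"); m = split($5, r, ":")
            if (l[n] == port || r[m] == port) count[$6]++
        }
        END { for (s in count) print s, count[s] }' | sort
}

# time_wait_peers PORT: print "PEER COUNT" for TIME_WAIT sockets whose
# remote port is PORT, showing which managed host each one points at.
time_wait_peers() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "TIME_WAIT" {
            m = split($5, r, ":")
            if (r[m] == port) { peer = $5; sub(/:[^:]*$/, "", peer); count[peer]++ }
        }
        END { for (p in count) print p, count[p] }' | sort
}

# On a live host: netstat -nat | port_state_counts 32006
sample_netstat | port_state_counts 32006
sample_netstat | time_wait_peers 32006
```

Run periodically, the per-peer counts make it easy to confirm that the TIME_WAIT sockets belong to localhost or unencrypted managed hosts, as described above, and that the totals stay stable rather than growing.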

Document Information

Modified date: 05 August 2022

UID: ibm16254399