Troubleshooting
Problem
QRadar displays the notification "connections were dropped by the event pipeline".
Symptom
A notification in the web user interface will display:
[ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [WARN] [NOT:0000004000][{HOST}/- -] [-/- -]connectionsPerHost[10] maximum [10] reached for host [/{LOG SOURCE IDENTIFIER}] ... dropping connection
Cause
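The Max TCP Syslog Connections Per Host setting limits how many TCP syslog connections a single host can hold open, to protect the system from being overloaded. When a host reaches the maximum (10 in the message above), further connections from that host are dropped.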
Resolving The Problem
- Log in to the QRadar Console as an admin user.
- Click the Admin tab > System Settings > Advanced View.
- Navigate to Max TCP Syslog Connections Per Host.
- Update the connections from 10 to 20.
Note: You can make this value higher as needed.
Important:
Running Deploy Full Configuration or restarting the Collection service causes services to restart. While services are restarting, event processing stops until the services are running again. Scheduled reports that are in progress must be manually restarted by users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
- Click the Admin tab > Advanced > Deploy Full Configuration.
- Click the Admin tab > Advanced > Restart Collection Services.
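Before raising the value, it helps to know which log sources are hitting the limit and how often. The following is an added example, not IBM code: it parses the warning shown under Symptom and counts dropped connections per host. The sample lines, the IP addresses in them, and the helper names are constructed for illustration.

```python
import re
from collections import Counter

# Matches the TcpSyslogProvider warning quoted under "Symptom" and
# captures the configured maximum and the log source identifier.
DROP_RE = re.compile(
    r"TcpSyslogProvider: \[WARN\].*?connectionsPerHost\[\d+\]\s+"
    r"maximum \[(?P<limit>\d+)\] reached for host \[/(?P<host>[^\]]+)\]"
    r".*dropping connection"
)

# Constructed prefix mirroring the notification text (addresses are examples).
PREFIX = ("[ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol "
          "Provider Thread: class com.q1labs.semsources.sources.tcpsyslog."
          "TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog."
          "TcpSyslogProvider: [WARN] [NOT:0000004000][192.0.2.1/- -] [-/- -]")

def sample_line(host, limit=10):
    """Build one constructed warning line for the given host."""
    return (f"{PREFIX}connectionsPerHost[{limit}] maximum [{limit}] "
            f"reached for host [/{host}] ... dropping connection")

def dropped_connections(lines):
    """Return (Counter of drops per host, set of maximum values seen)."""
    drops, limits = Counter(), set()
    for line in lines:
        m = DROP_RE.search(line)
        if m:  # lines that are not the drop warning are ignored
            drops[m.group("host")] += 1
            limits.add(int(m.group("limit")))
    return drops, limits

# Constructed sample input: two hosts hitting the limit plus an unrelated line.
SAMPLE = [
    sample_line("198.51.100.7"),
    sample_line("198.51.100.7"),
    sample_line("198.51.100.7"),
    sample_line("203.0.113.25"),
    "[ecs-ec-ingress.ecs-ec-ingress] unrelated INFO line",
]

if __name__ == "__main__":
    drops, limits = dropped_connections(SAMPLE)
    for host, count in drops.most_common():
        print(f"{host}: {count} dropped connection(s), maximum {sorted(limits)}")
```

A host that dominates the count is worth checking for a misconfigured or reconnecting sender before the limit is raised for every host.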
Document Location
Worldwide
Line of Business: Security Software
Business Unit: IBM Software w/o TPS
Product: IBM Security QRadar SIEM
ARM Category: Log Source
ARM Case Number: TS005057505
Platform: Linux
Version: 7.4.2
Document Information
Modified date:
03 March 2021
UID
ibm16417037