IBM Support

QRadar connections were dropped by the event pipeline



QRadar displaying notification "connections were dropped by the event pipeline".


A notification in the web user interface will display:
[ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog( Protocol Provider Thread: class
 com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.
tcpsyslog.TcpSyslogProvider: [WARN] [NOT:0000004000][{HOST}/- -] [-/- -]connectionsPerHost[10] 
maximum [10] reached for host [/{LOG SOURCE IDENTIFIER}] ... dropping connection


The setting is to protect the system from being over loaded.

Resolving The Problem

  1. Log in to the QRadar Console as admin user.
  2. Click the Admin tab > System Settings > Advanced View
  3. Navigate to Max TCP Syslog Connections Per Host.
  4. Update the connections from 10 to 20.
    Note: You can make this value higher as needed.

    Deploy Full Configuration or the Collection service results in services being restarted. While services are restarting, event processing stops until services restart. Scheduled reports that are in-progress need to be manually restarted by users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
  5. Click the Admin tab > Advanced > Deploy Full Configuration.
  6. Click the Admin tab > Advanced > Restart Collection Services.

Document Location


[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt0AAA","label":"Log Source"}],"ARM Case Number":"TS005057505","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.4.2"}]

Document Information

Modified date:
03 March 2021