Troubleshooting
Problem
To meet your organization's compliance standards, you might want to disable port 8413 from listening, which is a port opened by WinCollect. Some systems listen on port 8413 even if WinCollect is not being used. Managed WinCollect is the only setup that uses port 8413, so if your system does not use it, you can disable the port. Some organizations wish to further harden their systems by blocking non-used ports such as this one. Use the following procedure to disable this port.
Diagnosing The Problem
You can verify whether your console or managed host is listening on port 8413 simply by running the following command in the CLI:
netstat -nap | grep :8413
If port 8413 is open and listening, you will see an output message similar to the following:
tcp6 0 0 :::8413 :::* LISTEN 24991/java
Resolving The Problem
Note: As an administrator, you must have root access to QRadar to complete this procedure. WinCollect V7.2.9 or greater is required. If your entire QRadar deployment is at WinCollect V7.2.9 or later, you can disable port 8413 in the Configuration Server to prevent scan reports from displaying QRadar as vulnerable.
Procedure
- Use SSH to log in to the Console as the root user.
- Navigate to the following directory:
/opt/qradar/conf/templates/configservices/pluggablesources/
Tip: Create a backup of the WinCollect configuration file before you make any changes. - To create a backup of the WinCollectConfigServer.vm file, type the following command:
cp /opt/qradar/conf/templates/configservices/pluggablesources/WinCollectConfigServer.vm /root/WinCollectConfigServer_old.vm
- To edit this file, type the following command:
vim WinCollectConfigServer.vm
- Find the parameter roughly halfway through the file that references "Enabled", which will have a value of "True". You will need to change this value to "False". So the line will change from: <parameter type="Enabled">true</parameter> to <parameter type="Enabled">false</parameter>
Important: Administrators must only change the Cipher Suite values in the .vm file. Any other changes made to WinCollectConfigServer.vm can cause unrecoverable errors. - Save the WinCollectConfigServer.vm file.
- Log in to QRadar as an admin user.
WARNING: Completing a Deploy Full Configuration restarts services on all managed hosts in the deployment. You should complete full deploys during maintenance windows or be aware that event and flow collection is temporarily interrupted while services are restarting. Event and flow data might show a temporary gap in graph data while services restart. - Click the Admin tab.
- Select Advanced > Deploy Full Configuration.
- When prompted, click Continue.
After the full deployment is complete, the deployment should be updated and port 8413 should no longer be listening on the hosts the file was modified on.
Related Information
Document Location
Worldwide
[{"Type":"SW","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtwAAA","label":"WinCollect"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]
Was this topic helpful?
Document Information
Modified date:
12 April 2021
UID
ibm16442121