IBM Support

QRadar: "Server port is not specified" error generated by the Event Collector

Troubleshooting


Problem

The 'Server port is not specified' message can indicate that an Event Collector is not attached to an Event Processor. When this issue occurs, tcpdump confirms incoming events on the Event Collector, but the Log Activity tab does not display data from the log sources. Administrators who experience this error message can confirm that the Event Collector is attached to an Event Processor. 

Symptom

In the qradar.log file, a TCP_TO_EP error is displayed related to the 'Server port is not specified'. For example,

[ecs-ec.ecs-ec] [ECS Runtime Thread] java.lang.RuntimeException: Error attempting to load Event_Collect.hostname.com:ecs-ec/EC/TCP_TO_EP Error : java.lang.RuntimeException: Server port is not specified
[ecs-ec.ecs-ec] [ECS Runtime Thread] Since there isn't a configuration error handler defined, the original error is wrapped in a new RuntimeException


 

Cause

The most common cause of the error is that a connection is missing between the Event Collector and an Event Processor component. An administrator can confirm that the Event Collector is attached to an Event Processor.

Resolving The Problem

Administrators can verify the connection between the Event Collector and an Event Processor in the user interface.

Procedure
  1. Log in to the QRadar Console user interface as an administrator.
  2. Click the Admin tab.
  3. Click the System and License Management icon.
  4. Select your Event Collector that generated the 'Server port is not specified' error message.
  5. In the Deployment Action drop-down, select Edit Host Connection.
    image-20231214121359-1
  6. Choose an Event Processor for the Event Collector.
    image-20231214121454-2
  7. Click Save.
  8. Click Advanced > Deploy Full Configuration.
    image-20231214122149-3
  9. Confirm to proceed. For more information, see Impact of Deploy Full Configuration on events, flows, and offenses.

    Results
    Wait for the Console to complete the changes. Administrators with root access to QRadar can review the logs to confirm the 'Server port is not specified' error messages no longer display. If you continue to experience the error message or cannot deploy your changes, contact QRadar Support for further assistance. Further troubleshooting on Deploy Changes can be found on QRadar Deploy Changes 101.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtEAAQ","label":"Log Activity"}],"ARM Case Number":"TS005445550","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
14 December 2023

UID

ibm16445121