IBM Support

QRadar: If a port scan reveals open ports which are no longer used for event collection, how to fix the issue

Troubleshooting


Problem

If a port scan of a QRadar host shows open ports that are no longer used for event collection, this article explains why that happens and what to do about it.

Cause

When you change the listening port on certain log source types, such as UDP Multiline or TLS Syslog, the original port sometimes does not close, leaving an orphaned port open. This rare issue is more likely to happen on a deployment with a Console and a separate event collecting appliance (EC/EP) than on an All-in-One (AIO) appliance.
Reasons are:
  • Every configuration change must be replicated from the Console to the event collector, and this replication runs on a one-minute interval. On an AIO appliance, changes take effect almost instantly.
  • The connection between the Console and the event collector might be disrupted, so the replication of the change did not complete.
  • The ecs-ec-ingress service might be interrupted.

Diagnosing The Problem

Steps:
  1. Log in on your QRadar Console UI.
  2. Open the Admin tab > Log Sources Management (LSM app).
  3. Find your log source and open it. In this example, we are using TLS Syslog protocol.
  4. Check your current port configuration on the Protocol tab:
  5. Use netstat or ss to check which ports are currently listening. This example checks 6514, 6515, and 6516:
    ss -nap | egrep "6514|6515|6516"

    Result
    Take note of the process ID (pid) value. There might be more than two ports that use the same process ID. This usually implies that the ports are associated with the same log source. The ID in this example output is 28330:
    tcp    LISTEN     0      50     [::]:6515               [::]:*                   users:(("java",pid=28330,fd=618))
    tcp    LISTEN     0      50     [::]:6516               [::]:*                   users:(("java",pid=28330,fd=631))

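As an added example that is not part of the IBM article, the following shell function automates step 5: given the port a log source is configured to use and the output of ss -nap, it lists every port that the same process still has listening but that is not configured, which is exactly the orphaned-port pattern described above. The ss output is constructed to mirror the article's example, and CONFIGURED_PORTS is an assumed value taken from the Protocol tab.

```shell
#!/bin/sh
# Added example, not from the IBM article.
# find_orphans CONFIGURED_PORTS SS_OUTPUT
#   CONFIGURED_PORTS: space-separated ports the log source is set to use
#   SS_OUTPUT:        text as printed by `ss -nap`
# Prints "port pid" for each LISTEN socket owned by a process that also owns
# a configured port, but whose own port is not configured (an orphaned port).
# Only TCP listeners (TLS Syslog) are matched; UDP listeners show as UNCONN.
find_orphans() {
    configured="$1"
    printf '%s\n' "$2" | awk -v cfg="$configured" '
        BEGIN { n = split(cfg, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $2 == "LISTEN" {
            # field 5 is the local address, e.g. [::]:6515 or 0.0.0.0:514;
            # keep only what follows the last colon (the port number)
            port = $5; sub(/.*:/, "", port)
            # the owning pid appears as pid=NNN inside the users:(...) field
            if (!match($0, /pid=[0-9]+/)) next
            pid = substr($0, RSTART + 4, RLENGTH - 4)
            ports[pid] = ports[pid] " " port
            if (port in want) owner[pid] = 1
        }
        END {
            # report unconfigured ports still held by the log source process
            for (pid in owner) {
                n = split(ports[pid], p, " ")
                for (i = 1; i <= n; i++)
                    if (!(p[i] in want)) print p[i], pid
            }
        }'
}

# Constructed ss output mirroring the article: the log source was moved from
# 6515 to 6516, but pid 28330 still listens on both. sshd is unrelated noise.
SAMPLE_SS_OUTPUT='tcp    LISTEN     0      50     [::]:6515               [::]:*                   users:(("java",pid=28330,fd=618))
tcp    LISTEN     0      50     [::]:6516               [::]:*                   users:(("java",pid=28330,fd=631))
tcp    LISTEN     0      128    0.0.0.0:22              0.0.0.0:*                users:(("sshd",pid=1200,fd=3))'

CONFIGURED_PORTS="6516"   # assumed: the port shown on the Protocol tab in LSM

find_orphans "$CONFIGURED_PORTS" "$SAMPLE_SS_OUTPUT"   # prints: 6515 28330
# On a live host, run it against the real socket table instead:
#   find_orphans "$CONFIGURED_PORTS" "$(ss -nap)"
```

The "port pid" pairs it prints are the values worth attaching to the support case described below, alongside the raw ss output.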

Resolving The Problem

We suggest that you open a QRadar support case for this issue, including a description of the problem and the output of the netstat or ss commands used in this article. The support case allows IBM to learn the cause of the issue and prevent it from recurring. A quick workaround does exist.

Document Location

Worldwide


Document Information

Modified date:
23 January 2023

UID

ibm16855657