IBM Support

QRadar: TcpSyslog(0.0.0.0/514) read failed, connection reset from 'xxx.xxx.xxx.xxx' is displayed in qradar.log

Question & Answer


Question

Why does qradar.log display TcpSyslog(0.0.0.0/514) read failed, connection reset from 'xxx.xxx.xxx.xxx' message?

Cause

This message is generated when a source device stops sending events to QRadar without sending a valid TCP FIN flag to close the connection. QRadar closes the connection on its side and writes the following message to the qradar.log file.
[TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO] [NOT:0000006000][xxx.xxx.xxx.xxx/- -] [-/- -]TcpSyslog(0.0.0.0/514) read failed, connection reset from <EXTERNAL_IP>
Note: EXTERNAL_IP is the IP address of the Source device.
To confirm the cause, administrators can run tcpdump on port 514, filtered on the source device named in the error message, and verify that no FIN flags are sent by that source device.
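As an added example, not code from the IBM page, the following Python helper tallies these reset messages per source device from qradar.log and builds the matching tcpdump capture filter for the check described above; the sample log lines and IP addresses in it are constructed.

```python
import re
from collections import Counter

# Constructed sample qradar.log lines modelled on the message quoted above;
# the IP addresses are documentation placeholders, not real hosts.
SAMPLE_LOG = """\
[TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO] [NOT:0000006000][192.0.2.10/- -] [-/- -]TcpSyslog(0.0.0.0/514) read failed, connection reset from 192.0.2.10
[TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO] [NOT:0000006000][192.0.2.10/- -] [-/- -]TcpSyslog(0.0.0.0/514) read failed, connection reset from 192.0.2.10
[TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO] [NOT:0000006000][198.51.100.7/- -] [-/- -]TcpSyslog(0.0.0.0/514) read failed, connection reset from 198.51.100.7
Some unrelated qradar.log line that must be ignored
"""

# Matches the listener (address/port) and the peer named after "connection reset from";
# the peer may appear with or without surrounding quotes.
RESET_RE = re.compile(
    r"TcpSyslog\((?P<listener>[\d.]+/\d+)\) read failed, connection reset from "
    r"'?(?P<source>[0-9A-Fa-f:.]+)'?"
)

def count_resets(log_text):
    """Return {(listener, source_ip): count} for every reset message found."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RESET_RE.search(line)
        if m:
            counts[(m.group("listener"), m.group("source"))] += 1
    return dict(counts)

def noisiest_sources(log_text, top=5):
    """Source devices ordered by reset count, highest first."""
    totals = Counter()
    for (_, src), n in count_resets(log_text).items():
        totals[src] += n
    return totals.most_common(top)

def tcpdump_filter(source_ip, port=514):
    """pcap filter that shows only FIN/RST segments between QRadar and the source device."""
    return (f"tcp port {port} and host {source_ip} and "
            f"tcp[tcpflags] & (tcp-fin|tcp-rst) != 0")

if __name__ == "__main__":
    # Print the devices to raise with the network or vendor team, plus the capture command.
    for src, n in noisiest_sources(SAMPLE_LOG):
        print(f"{src}: {n} reset(s)  ->  tcpdump -nn -i any \"{tcpdump_filter(src)}\"")
```

Run the script against the real file with `count_resets(open("/var/log/qradar.log").read())`; a capture that shows RST segments but never a FIN from the source device confirms the cause described above.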

Answer

These messages are benign and are not an issue with QRadar. Administrators who want to understand why the source device does not send a proper disconnect signal to QRadar must direct their questions to either their network team or the source device's support team.
The sending device continues to forward logs to QRadar, and a new TCP connection to the Event Processor is established each time.


Document Information

Modified date:
19 June 2023

UID

ibm17002423