Troubleshooting
Problem
QRadar 7.5.0 Update Package 4 (UP4) introduced an issue with encrypted App Hosts. Some third-party applications require access to port 514 to forward events to the QRadar Console, and on an encrypted App Host that connection fails.
Symptom
ERROR - Error while initiating socket connection with IBM QRadar. Error = [Errno 111] Connection refused
Cause
Encrypted App Host appliances can forward events on UDP 514, but not TCP 514. The connection refused error is related to a known issue reported for QRadar 7.5.0 Update Package 4 and later. For more information, see APAR IJ48734.
Environment
This issue can affect App Host appliances at QRadar 7.5.0 Update Package 4 or later where the App Host is encrypted in the QRadar deployment.
Resolving The Problem
- Use SSH to log in to the QRadar Console as the root user.
- Open an SSH session to the App Host appliance.
- To list the container service that is associated with each app, type:
conman-support files | grep "Config"
For example, the following output shows what administrators see on the command line for each application:
workload-1 > service-1 > container-2 > Config File /etc/conman/container@13914585114304387943
workload-1 > service-2 > container-1 > Config File /etc/conman/container@9953215177473737413
workload-1 > service-1 > container-1 > Config File /etc/conman/container@6056357066557133228
workload-1 > service-2 > container-2 > Config File /etc/conman/container@16006986521494132150
- Review the output and confirm the app id of the app that forwards events to the QRadar Console.
- To edit the container file, type:
vi /etc/conman/container@{container_id}
For example:
vi /etc/conman/container@6056357066557133228
- Update the value of ENV_QRADAR_CONSOLE_IP to use the Console IP address.
- Before: ENV_QRADAR_CONSOLE_IP=169.254.3.1
- After: ENV_QRADAR_CONSOLE_IP=<Console_IP>
For example:
VOL_0=/opt/app-root/store ENV_QRADAR_CONSOLE_IP=<CONSOLE_IP> ENV_QRADAR_CONSOLE_HOSTNAME=examplehostname ENV_QRADAR_APP_RUNNING_ON_APPHOST=true
Note: Do not change any other values for the app container configuration.
- Save your change to the configuration file.
- To stop and start the container, type the following commands:
systemctl stop container@{container_id}
systemctl start container@{container_id}
Where {container_id} matches the container that needs to send events to the QRadar Console. For example:
systemctl stop container@6056357066557133228
systemctl start container@6056357066557133228
Results
After the container restarts, confirm that the events are received by QRadar. Administrators can use the Log Activity tab to confirm events are received or use tcpdump to verify the events are sent to QRadar. For more information, see QRadar: Using the command line to troubleshoot a Syslog event source. If you continue to experience issues, confirm you updated the correct app container or that the IP address added to the container is correct.
Note: This workaround does not survive an app restart. If the app is restarted, the container config file is recreated and the ENV_QRADAR_CONSOLE_IP value is reset back to the docker apps interface IP. These steps must be reapplied after an app, container, or docker restart.
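The edit-and-restart steps above, collected into a small POSIX shell script so they can be reapplied quickly after a restart resets the config file. This is an added example, not IBM's tooling or part of QRadar: the /etc/conman/container@<id> file location and the 169.254.3.1 "before" value come from the output shown on this page, the handling of KEY=VALUE tokens separated by spaces or newlines is an assumption about the file format, and the function and script names are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM's script): apply the ENV_QRADAR_CONSOLE_IP workaround
# from this technote to one App Host container config and restart the container.
# Assumptions: config files live in /etc/conman/container@<id> (from the page's
# conman-support output) and hold KEY=VALUE tokens separated by spaces or newlines;
# 169.254.3.1 is the docker apps interface IP the page shows as the "before" value.
set -u

CONMAN_DIR="${CONMAN_DIR:-/etc/conman}"
DOCKER_APPS_IP="169.254.3.1"

# Print the ENV_QRADAR_CONSOLE_IP value currently stored in a container config file.
current_console_ip() {
    sed -n 's/.*ENV_QRADAR_CONSOLE_IP=\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# List the ids of containers whose config still points at the docker apps
# interface IP, i.e. the ones the workaround has not been applied to (or that
# were reset by a restart). Backup copies made by set_console_ip are skipped.
list_default_ip_containers() {
    dir="${1:-$CONMAN_DIR}"
    for f in "$dir"/container@*; do
        [ -f "$f" ] || continue
        case "$f" in *.bak) continue ;; esac
        if [ "$(current_console_ip "$f")" = "$DOCKER_APPS_IP" ]; then
            printf '%s\n' "${f##*container@}"
        fi
    done
}

# Rewrite only the ENV_QRADAR_CONSOLE_IP value; every other key is left as-is,
# matching the page's "do not change any other values" note. A .bak copy is kept.
set_console_ip() {
    file="$1"
    console_ip="$2"
    # Refuse anything that is not a dotted-quad IPv4 address. This also catches
    # an un-substituted <Console_IP> placeholder.
    case "$console_ip" in
        ""|*[!0-9.]*)
            echo "set_console_ip: '$console_ip' is not an IPv4 address" >&2
            return 1 ;;
    esac
    grep -q 'ENV_QRADAR_CONSOLE_IP=' "$file" || {
        echo "set_console_ip: no ENV_QRADAR_CONSOLE_IP in $file" >&2
        return 1
    }
    cp "$file" "$file.bak" || return 1
    sed "s/ENV_QRADAR_CONSOLE_IP=[^ ]*/ENV_QRADAR_CONSOLE_IP=$console_ip/" "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file"
}

# Stop and start the container service, as in the technote's final step.
restart_container() {
    systemctl stop "container@$1" && systemctl start "container@$1"
}

# Apply the whole workaround to one container id.
apply_workaround() {
    container_id="$1"
    console_ip="$2"
    set_console_ip "$CONMAN_DIR/container@$container_id" "$console_ip" || return 1
    restart_container "$container_id"
}

# Usage (on the App Host, as root; script name is hypothetical):
#   ./fix-console-ip.sh list                    # container ids still on 169.254.3.1
#   ./fix-console-ip.sh apply <id> <Console_IP>
case "${1:-}" in
    list)  list_default_ip_containers ;;
    apply) apply_workaround "$2" "$3" ;;
esac
```

Running the list subcommand after a restart is a quick way to see which containers have been reset to the docker apps interface IP and need the workaround again; the address check in set_console_ip refuses a placeholder that was never substituted, which is one of the two mistakes the Results section tells you to look for.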
Document Location
Worldwide
Document Information
Modified date:
14 February 2024
UID
ibm17004121