IBM Support

QRadar: All Log Sources are in Error for an individual Event Collector or Flow Collector

Troubleshooting


Problem

At times, QRadar stops receiving events or flows from a Managed Host, either from an individual Event Collector or from an individual Flow Collector. Every log source that reports to the affected Event Collector or Flow Collector stops receiving data.

Symptom

All log sources that report to the affected Event Collector or Flow Collector are in an error state, and their "Last Event Time" is not updated.

Cause

Any of the following can cause this problem:
  • The Event Collector or Flow Collector is not receiving events or flows.
  • Services on the Managed Host are not running properly.
  • The Event Collector or Flow Collector has no connection to its Event Processor or Flow Processor.

Diagnosing The Problem

The following errors are logged on the affected Managed Host. The "Server port is not specified" message means the ecs-ec service cannot load its TCP_TO_EP route, that is, it has no destination processor to send events to:
Oct 19 17:38:14 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [ECS Runtime Thread] com.eventgnosis.ecs: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Error attempting to load XXXXXXX.XXX.XXX:ecs-ec/EC/TCP_TO_EP  Error : java.lang.RuntimeException: Server port is not specified
Oct 19 17:38:14 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [ECS Runtime Thread] java.lang.RuntimeException: Error attempting to load XXXXXXXXXX.XXX.XXX:ecs-ec/EC/TCP_TO_EP  Error : java.lang.RuntimeException: Server port is not specified
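To find this failure without reading the log by hand, the following POSIX shell snippet is an added example for this technote; it is not an IBM utility and not part of the original document. It assumes the Managed Host writes its log to /var/log/qradar.log (the default location) and runs against constructed sample lines modelled on the errors above; the hostname ec01.example.com and the address 10.0.0.21 are constructed for the example, not taken from a real deployment.

```shell
#!/bin/sh
# Added example (not IBM tooling): detect the ecs-ec "Server port is not
# specified" load failure and report which TCP_TO_EP route is affected.
# Assumption: the live log is /var/log/qradar.log (QRadar default path).

# Constructed sample log, modelled on the diagnostic lines in the technote.
# Host ec01.example.com and address 10.0.0.21 are made up for this example.
sample_log() {
    cat <<'EOF'
Oct 19 17:38:13 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [ECS Runtime Thread] com.eventgnosis.ecs: [INFO] [NOT:0000006000][10.0.0.21/- -] [-/- -]Loaded ec01.example.com:ecs-ec/EC/Parsing
Oct 19 17:38:14 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [ECS Runtime Thread] com.eventgnosis.ecs: [ERROR] [NOT:0000003000][10.0.0.21/- -] [-/- -]Error attempting to load ec01.example.com:ecs-ec/EC/TCP_TO_EP  Error : java.lang.RuntimeException: Server port is not specified
Oct 19 17:38:14 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [ECS Runtime Thread] java.lang.RuntimeException: Error attempting to load ec01.example.com:ecs-ec/EC/TCP_TO_EP  Error : java.lang.RuntimeException: Server port is not specified
EOF
}

# Read log text on stdin and print one line per affected collector:
#   "<host> TCP_TO_EP missing-server-port"
# Only lines that carry all three markers (a load error, the TCP_TO_EP
# route, and the missing server port) are reported; duplicates collapse.
find_missing_ep_connection() {
    grep 'Error attempting to load' \
      | grep 'TCP_TO_EP' \
      | grep 'Server port is not specified' \
      | sed -n 's/.*Error attempting to load \([^:]*\):ecs-ec\/EC\/TCP_TO_EP.*/\1 TCP_TO_EP missing-server-port/p' \
      | sort -u
}

# Exit 0 when the error is present in the log on stdin, 1 otherwise.
ep_connection_broken() {
    [ -n "$(find_missing_ep_connection)" ]
}

# Stand-alone run against the constructed sample.
sample_log | find_missing_ep_connection
```

On the affected Event Collector, run `find_missing_ep_connection < /var/log/qradar.log`. An empty result means this particular cause is absent, and the service and network causes listed above should be checked instead; a hit names the collector whose processor connection must be recreated as described under Resolving The Problem.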
Check the deployment diagram:
  1. Log in to the QRadar UI.
  2. Click System and License Management.
  3. Click View Deployment.
  4. Check whether a connection is drawn from the affected Event Collector or Flow Collector to its Event Processor or Flow Processor. If no connection is shown, the connection was never created, which matches the "Server port is not specified" error.

Resolving The Problem

If the connection from the Managed Host to its processor or to the QRadar Console is missing, edit the Event Collector or Flow Collector connection:
  1. Log in to the IBM QRadar console UI.
  2. Click System and License Management.
  3. Click the Event Collector or QFlow Collector appliance to select it.
  4. Click Deployment Actions > Edit Host Connection.
  5. If the appliance is an Event Collector, choose the processor that you want to connect to from the "Modify Event Collector Appliance Connection" drop-down menu.
    Note: The appliance marked with an asterisk (*) is the processor that the collector currently connects to.
  6. Click Save.
  7. From the Admin tab, click Deploy Changes.
Results: After the deployment completes, events or flows from the affected collector appear again on the Log Activity or Network Activity tab.

Document Location

Worldwide

Product: IBM Security QRadar SIEM (Security Software); Category: Deployment; Platform: Platform Independent; Version: All Versions

Document Information

Modified date:
11 December 2023

UID

ibm17080016