IBM Support

QRadar: ECS-EC-Ingress refuses connections due to TCP Syslog

Troubleshooting


Problem

When TCP Syslog connections exceed 2500, ecs-ec-ingress refuses new connections.

Diagnosing The Problem

Look for messages in /var/log/qradar.log similar to:

Mar 19 11:48:05 ::ffff:xxx.xxx.xxx.xxx [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO] [NOT:0080004100][xxx.xxx.xxx.xxx/- -] [-/- -]TcpSyslog(0.0.0.0/514)refused connection from /xxx.xxx.xxx.xxx:53422
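As an added example, not part of the IBM technote: a small POSIX shell script that counts the refused-connection messages of the form quoted above in a QRadar log and groups them by the client address that was turned away. The sample log it writes is constructed for the demonstration (the addresses 10.0.0.5, 192.0.2.10 and 192.0.2.44 are placeholders); on an appliance, point the two functions at /var/log/qradar.log instead. Each refusal is a client whose events are not being collected, and the per-address breakdown shows how many distinct senders are affected, which helps when deciding how far the limit needs to be raised.

```shell
#!/bin/sh
# Added example (not from the IBM technote): summarise TcpSyslog
# "refused connection" messages in a QRadar log by client address.
# The message layout follows the sample line quoted in the technote;
# all addresses and timestamps below are constructed for the demo.

# Total number of refused-connection messages in the given log file.
# Note: grep -c exits 1 when there are no matches, so callers running
# under "set -e" should expect that for a clean log.
count_refused() {
    grep -c 'TcpSyslogProvider: .*refused connection from' "$1"
}

# "count address" pairs, most frequent first, so the clients being
# refused most often (for example a forwarder that opens a new TCP
# connection per event) stand out.
refused_by_source() {
    grep 'TcpSyslogProvider: .*refused connection from' "$1" \
        | sed -n 's|.*refused connection from /\([0-9.]*\):[0-9]*.*|\1|p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample log for the demonstration. On a real system
# use /var/log/qradar.log instead of this temporary file.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 19 11:48:05 ::ffff:10.0.0.5 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO] [NOT:0080004100][10.0.0.5/- -] [-/- -]TcpSyslog(0.0.0.0/514)refused connection from /192.0.2.10:53422
Mar 19 11:48:06 ::ffff:10.0.0.5 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO] [NOT:0080004100][10.0.0.5/- -] [-/- -]TcpSyslog(0.0.0.0/514)refused connection from /192.0.2.10:53423
Mar 19 11:48:06 ::ffff:10.0.0.5 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO] [NOT:0080004100][10.0.0.5/- -] [-/- -]TcpSyslog(0.0.0.0/514)refused connection from /192.0.2.44:41000
Mar 19 11:48:07 ::ffff:10.0.0.5 [ecs-ec-ingress.ecs-ec-ingress] constructed unrelated log line for the demo, not a refusal
EOF

# Stand-alone run: print the total and the per-address breakdown.
echo "refused connections: $(count_refused "$SAMPLE_LOG")"
refused_by_source "$SAMPLE_LOG"
```

On the constructed sample this reports three refusals, two of them from 192.0.2.10. Run against the real log after raising the limit and redeploying, the total should stop growing; if it keeps climbing, the new value is still too low for the number of TCP Syslog senders.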

Resolving The Problem

When you initially configure QRadar, the default value for Max Number of TCP Syslog Connections is 2500. Max Number of TCP Syslog Connections is a system-wide variable and affects all hosts in the QRadar deployment. This value can be raised to accommodate the largest number of TCP Syslog log sources sending data.

Note: Increasing the Max Number of TCP Syslog Connections might impact performance if it is raised too high. Raise the value only as far as needed to resolve the issue.
  1. Log in to the QRadar UI as an Administrator.
  2. Click the Admin Tab.

  3. Click System Settings.

  4. Click Advanced.
  5. Scroll down to Max Number of TCP Syslog Connections.
  6. Increase the value as needed.
  7. Click Save.
  8. From the Admin tab, click Advanced > Deploy Full Configuration.
  9. Click Continue to complete the Deploy process.
  10. From the Admin tab, click Advanced > Restart Event Collection Services.
Performing a Deploy Full Configuration or Restart Event Collection Services restarts services. While the services are restarting, event processing stops until they are running again. Scheduled reports that are in progress need to be manually restarted by users. Administrators with strict outage policies are advised to complete these steps during a scheduled maintenance window for their organization.

Document Location

Worldwide


Document Information

Modified date:
05 July 2023

UID

ibm10876690