QRadar ECS-EC-Ingress refuses connections due to TCP Syslog



When TCP Syslog connections exceed 2500, ecs-ec-ingress begins to refuse connections.

Diagnosing The Problem

Look for messages in /var/log/qradar.log similar to:
Mar 19 11:48:05 ::ffff: [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog( Protocol Provider Thread: class 
com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: 
[INFO] [NOT:0080004100][ -] [-/- -]TcpSyslog( connection from /

Resolving The Problem

When you initially configure QRadar, the default value for Max Number of TCP Syslog connections is 2500. This is a system-wide variable and will affect all hosts in the QRadar deployment. This value should be raised to accommodate the largest number of TCP Syslog log sources sending data.

Note: Increasing the Max Number of TCP Syslog Connections might impact performance if it is raised too high. Raise the value only as far as needed to resolve the issue.
  1. Log in to the QRadar UI.
  2. Open the Admin settings:

    1. In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the Admin tab.

    2. In IBM Security QRadar V7.3.2, 7.3.0 or earlier, click the Admin tab.

  3. Click System Settings.
  4. Click Advanced.
  5. Scroll down to Max Number of TCP Syslog Connections.
  6. Increase the value as needed.
  7. Click Save.
  8. From the Admin tab, click Advanced > Deploy Full Configuration.
  9. Click Continue to complete the Deploy process.
  10. From the Admin tab, click Advanced > Restart Event Collection Services.
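The following shell script is an added example and is not part of the IBM technote. It supports both the diagnosis step (how many TCP Syslog "connection from" messages qradar.log records, and from which peers) and the resolution step (how close a collector sits to the configured Max Number of TCP Syslog Connections, so the limit is raised only as far as needed). The sample log lines are constructed and modelled loosely on the qradar.log message shown above; the addresses, the listener port 514, the exact field layout, and the 90% warning threshold are assumptions, not values from the technote.

```shell
#!/bin/sh
# Added example (not from the IBM technote): gauge TCP Syslog connection load
# on a QRadar event collector against the Max Number of TCP Syslog Connections.

SYSLOG_PORT="${SYSLOG_PORT:-514}"          # assumed listener port; adjust per deployment
MAX_TCP_SYSLOG="${MAX_TCP_SYSLOG:-2500}"   # QRadar default stated in the technote

# Constructed sample lines (placeholder addresses, layout assumed); a real run
# would read /var/log/qradar.log instead.
SAMPLE_LOG='Mar 19 11:48:05 ::ffff:10.0.0.5 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0:514) Protocol Provider Thread] TcpSyslogProvider: [INFO] TcpSyslog(0.0.0.0:514) connection from /192.0.2.10
Mar 19 11:48:06 ::ffff:10.0.0.5 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0:514) Protocol Provider Thread] TcpSyslogProvider: [INFO] TcpSyslog(0.0.0.0:514) connection from /192.0.2.11
Mar 19 11:48:07 ::ffff:10.0.0.5 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0:514) Protocol Provider Thread] TcpSyslogProvider: [INFO] TcpSyslog(0.0.0.0:514) connection from /192.0.2.10
Mar 19 11:48:08 ::ffff:10.0.0.5 [ecs-ec-ingress.ecs-ec-ingress] [ecs-ec-ingress] unrelated message'

# Print "<count> <peer address>" for each distinct peer, busiest first.
# $1: path to qradar.log (or a file of captured lines)
count_log_connections() {
    grep 'TcpSyslog.*connection from /' "$1" \
      | sed 's|.*connection from /\([^ ]*\).*|\1|' \
      | sort | uniq -c | sort -rn
}

# Total number of TCP Syslog connection-open messages in the file.
total_log_connections() {
    grep -c 'TcpSyslog.*connection from /' "$1"
}

# Number of distinct peers that opened a TCP Syslog connection.
distinct_log_peers() {
    count_log_connections "$1" | wc -l | tr -d ' '
}

# Classify a connection count against the configured maximum.
# Prints ok / warn / limit and returns 0 / 1 / 2 so a monitor can act on it.
# $1: observed count   $2: limit (defaults to MAX_TCP_SYSLOG)
check_against_limit() {
    count="$1"; limit="${2:-$MAX_TCP_SYSLOG}"
    warn=$(( limit * 90 / 100 ))            # assumed 90% warning threshold
    if [ "$count" -ge "$limit" ]; then
        echo limit; return 2
    elif [ "$count" -ge "$warn" ]; then
        echo warn; return 1
    fi
    echo ok; return 0
}

# Live count of established TCP sessions on the syslog listener.
# Run on the collector itself; relies on iproute2 `ss` being installed.
live_tcp_syslog_count() {
    ss -Htn state established "( sport = :$SYSLOG_PORT )" | wc -l | tr -d ' '
}

# Demonstration on the constructed sample; replace with the real log path.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_file"
echo "connection-open messages: $(total_log_connections "$demo_file")"
echo "distinct peers:           $(distinct_log_peers "$demo_file")"
echo "status vs limit $MAX_TCP_SYSLOG: $(check_against_limit "$(distinct_log_peers "$demo_file")")"
count_log_connections "$demo_file"
rm -f "$demo_file"
```

On a collector, `check_against_limit "$(live_tcp_syslog_count)"` gives the current headroom under the configured maximum, and a persistent `warn` result is the point at which raising the setting (and then deploying the full configuration and restarting event collection services, as the steps above describe) is justified.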

22 March 2019