IBM Support

QRadar: Events from Event Collectors are not displayed in the Log Activity due to missing connection

Troubleshooting


Problem

Administrators might find that events received successfully by an Event Collector (EC) do not display in the Log Activity tab, even though the host is reachable and a Deploy Changes completes. If the Event Collector cannot open a server port to the Event Processor in the next stage of the event pipeline, events buffer on the Event Collector while it waits for a server port. If events received by the Event Collector do not appear when you search from the Console, check whether the following error occurred: java.lang.RuntimeException: Server port is not specified.

Symptom

The following are common symptoms when the issue occurs:
  1. Events received by an Event Collector no longer display in the Log Activity tab.
  2. The Event Collector's persistent queue keeps growing because the received events are stored there temporarily. This condition triggers a disk space alert for the Event Collector's /store partition when it passes the warning threshold.
    Note: If the administrator takes no action, the /store partition continues to grow until it reaches 95% and critical services are stopped.
    # du -ch /store/persistent_queue/
    325G    /store/persistent_queue/ecs-ec-ingress.ecs-ec-ingress
    4.0K     /store/persistent_queue/ecs-ec.ecs-ec
    
  3. In /var/log/qradar.log on the Event Collector appliance, the following error is displayed:
    [ecs-ec.ecs-ec] [ECS Runtime Thread] java.lang.RuntimeException: Error attempting to load {Event Collector Hostname}/
    EC/TCP_TO_EP  Error : java.lang.RuntimeException: Server port is not specified
    -- Output Snipped --
    [ecs-ec.ecs-ec] [ECS Runtime Thread] Caused by: java.lang.RuntimeException: Server port is not specified
    Note: To quickly locate the error message, type: tail -f /var/log/qradar.log | grep 'TCP_TO_EP'
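
The symptoms above can be checked together. The following script is an added example, not IBM's own tooling: it counts occurrences of the error string in a log file, measures the persistent queue directory, and reports filesystem usage. The function names, the backlog threshold and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, strings and paths come from this page.

# Count log lines carrying the error string from symptom 3.
count_port_errors() {
    grep -c 'Server port is not specified' "$1" 2>/dev/null || true
}

# Size in KB of the persistent queue directory (symptom 2); 0 if it is absent.
queue_kb() {
    [ -d "$1" ] || { echo 0; return 0; }
    du -sk "$1" | awk '{print $1}'
}

# Percent used on the filesystem holding a path, e.g. /store (95% stops services).
fs_used_pct() {
    df -P "$1" | awk 'NR==2 {sub("%", "", $5); print $5}'
}

# Verdict: $1 log file, $2 queue dir, $3 backlog threshold in KB (assumed, tune it).
triage() {
    errors=$(count_port_errors "$1"); errors=${errors:-0}
    kb=$(queue_kb "$2")
    pct=$(fs_used_pct "$2")
    if [ "$errors" -gt 0 ] && [ "$kb" -ge "$3" ]; then
        verdict=MATCH          # error present and events are backing up
    elif [ "$errors" -gt 0 ]; then
        verdict=ERROR_ONLY     # error present, queue still small
    else
        verdict=NO_MATCH       # look for a different cause
    fi
    echo "$verdict errors=$errors queue_kb=$kb fs_used_pct=$pct"
}

# Constructed sample data so the script also runs away from an appliance.
demo=$(mktemp -d)
mkdir -p "$demo/persistent_queue"
cat > "$demo/qradar.log" <<'EOF'
[ecs-ec.ecs-ec] [ECS Runtime Thread] Constructed benign line: component started
[ecs-ec.ecs-ec] [ECS Runtime Thread] Caused by: java.lang.RuntimeException: Server port is not specified
EOF
dd if=/dev/zero of="$demo/persistent_queue/ecs-ec-ingress.ecs-ec-ingress" bs=1024 count=64 2>/dev/null
triage "$demo/qradar.log" "$demo/persistent_queue" 32
# On an Event Collector: triage /var/log/qradar.log /store/persistent_queue 1048576
```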

Document Location

Worldwide


Document Information

Modified date:
30 June 2022

UID

ibm16598661