Question & Answer
Question
Why is QRadar not receiving events from a Microsoft SQL Server database?
Cause
The configured ports are not open or are not the correct ones. The Microsoft SQL Server log source connects with the JDBC protocol, by default on port 1433.
Answer
Before you begin: This configuration procedure is for Microsoft SQL Server 2008. The configuration procedure can be different on other versions. Consult your Microsoft SQL Server documentation for more information.
There are two tests to establish that the Microsoft SQL Server Log Source ports are properly configured and open.
Procedure:
To test Microsoft SQL Server ports, follow the steps below:
- SSH to the QRadar appliance that connects to the Microsoft SQL Server database.
- Use the telnet command to test the connections:
  telnet windows.host 1433
  This is a common SQL Server listener port. If Microsoft SQL Server does not respond to the telnet command, confirm the details with the Microsoft SQL Server administrator.
  telnet windows.host 3389
  If the Microsoft SQL Server listener did not respond, test another common port, 3389, which is Terminal Services.
- On the Microsoft SQL Server side, find the TCP port number on which the Microsoft SQL instance is listening:
  - Click Start > All Programs > Microsoft > Microsoft SQL Server 20XX > Configuration Tools > SQL Server Configuration Manager.
  - Click SQL Server Configuration Manager > SQL Server Network Configuration > Protocols for <Instance Name>.
  - Right-click TCP/IP and select Properties.
  - In the TCP/IP Properties dialog box, go to the IP Addresses tab and scroll down to the IP All group.
  - Modify the TCP port to be the one in your configuration.
Note: Log sources do not support dynamic port allocations. This log source configuration is to update the default port being used by the Microsoft SQL Server.
- Verify the port in your Microsoft SQL Server Log Source.
Note: If you change the port in your Microsoft SQL Server Log Source, you will need to Deploy Changes from the Admin tab.
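The telnet test in the procedure above can be scripted so that a refused connection is told apart from one that is silently dropped. This is an added example, not part of the original technote or IBM tooling; the script name check_mssql.sh and its function names are hypothetical, and it assumes bash and the coreutils timeout command are present on the appliance.

```shell
#!/bin/sh
# Added example: TCP reachability check for the QRadar -> SQL Server path.
# Assumes bash (for /dev/tcp) and coreutils `timeout` are installed.

# Map the exit status of one connection attempt to a port state.
#   0   -> TCP handshake completed
#   124 -> `timeout` ended the attempt (packets silently dropped)
#   *   -> connection refused, or the host name did not resolve
classify_rc() {
    case "$1" in
        0)   echo open ;;
        124) echo filtered ;;
        *)   echo closed ;;
    esac
}

# Attempt one TCP connection: probe_port HOST PORT [SECONDS]
# Host and port are passed as arguments, never spliced into the command string.
probe_port() {
    rc=0
    timeout "${3:-5}" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null || rc=$?
    classify_rc "$rc"
}

# Read the listener-port result together with the 3389 result.
# diagnose LISTENER_STATE RDP_STATE
diagnose() {
    case "$1:$2" in
        open:*)        echo "listener port open: verify the port in the log source" ;;
        closed:open)   echo "host reachable, port refused: confirm the instance port with the SQL Server administrator" ;;
        filtered:open) echo "host reachable, port dropped: check firewall rules for the listener port" ;;
        *)             echo "neither port answered: check host name, routing and firewalls" ;;
    esac
}

# Runs only when a host is given: ./check_mssql.sh windows.host [port]
if [ "$#" -ge 1 ]; then
    sql=$(probe_port "$1" "${2:-1433}")
    rdp=$(probe_port "$1" 3389)
    echo "${2:-1433}/tcp: $sql   3389/tcp: $rdp"
    diagnose "$sql" "$rdp"
fi
```

Pass the port from the IP All group as the second argument when the instance does not listen on 1433.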
Document Information
Modified date: 03 April 2020
UID: swg21989765