Troubleshooting
Problem
Managed WinCollect agents are not able to register with QRadar and multiple session for port 8413 are created with CLOSE_WAIT status in the Windows server where the WinCollect agent is installed.
Symptom
- Agent is unable to register with QRadar.
- Multiple connections for port 8413 are created on the Windows server with CLOSE_WAIT status.
Note: You can use the netstat -a command in the Windows cmd to check these connections:
- Errors of SSL Negotiation issue are seen in the QRadar side. In the managed host that is being used as the configuration server the following errors are seen in /var/log/qradar.log:
[INFO] Following message suppressed 149 times in 300000 milliseconds [ERROR] hit an SSL Negotiation issue, most likely tried to connect with an invalid PEM Received fatal alert: certificate_expired
Cause
The issue is being caused by an invalid certificate, either expired or non-existent.
Diagnosing The Problem
The certificate used in the registration process between the managed WinCollect agent and QRadar is named syslog-tls.cert and it is located at /opt/qradar/conf/trusted_certificates/.
Use the following steps to test syslog-tls.cert:
How to test if the certificate exists
- SSH to QRadar as the root user.
- Optional: If you are using as the WinCollect configuration server a different managed host than the console, SSH to that managed host.
- Run the following command to test the connection over port 8413:
If the output shows messages like "no peer certificate available", then the certificate does not exists.openssl s_client -connect 127.0.0.1:8413 -showcerts
Output example when the certificate does not exist:CONNECTED(00000003) 140241623242640:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 289 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated
Result:
The administration is able to test if the certificate exists.
How to test if the certificate has expired
- SSH to QRadar as the root user.
- Optional: If you are using as the WinCollect configuration server a different managed host than the console, SSH to that managed host.
- Run the following command to check the certificate expiration date:
Check the field for Not After, if the date shown on this section is not after your current time, then the certificate is expired.openssl x509 -text -in /opt/qradar/conf/trusted_certificates/syslog-tls.cert | grep -A 2 Validity
Output example:Validity Not Before: Jun 26 17:24:09 2024 GMT Not After : Jun 24 17:24:09 2034 GMT
Result:
The administration is able to test if the certificate expiration date.
Resolving The Problem
In both cases, the certificate is invalid, follow the steps in the Resolving The Problem section of the following link to regenerate the syslog-tls.cert certificate:
Document Location
Worldwide
[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtwAAA","label":"WinCollect"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Type":"MASTER"}]
Was this topic helpful?
Document Information
Modified date:
27 June 2024
UID
ibm17159067