Troubleshooting
Problem
QRadar displays notification "connections were dropped by the event pipeline".
Symptom
A notification in the web user interface is displayed:
[ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [WARN] [NOT:0000004000][{HOST}/- -] [-/- -]connectionsPerHost[10] maximum [10] reached for host [/{LOG SOURCE IDENTIFIER}] ... dropping connection
Cause
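QRadar limits the number of TCP syslog connections it accepts from a single host to protect the system from being overloaded. When a host reaches that maximum (10 in the message above), further connections from it are dropped.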
Resolving The Problem
There are two possible options to resolve this issue.
Shorten the timeout period
- Log in to the QRadar Console as an admin user.
- Click the Admin tab > System Settings > Advanced View.
- Find Timeout for Idle TCP Syslog Connections (seconds) = 900.
- Update the value from 900 to 300.
Note: 900 is the default setting, which is equivalent to 15 minutes
Important:
Deploy Full Configuration or the Restart Event Collection Service results in services being restarted. While services are restarting, event processing stops until services restart. Scheduled reports that are in progress need to be manually restarted by users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
- Click the Admin tab > Advanced > Deploy Full Configuration.
- Click the Admin tab > Advanced > Restart Collection Services.
Update the Max Connections Per Host
- Log in to the QRadar Console as an admin user.
- Click the Admin tab > System Settings > Advanced View.
- Navigate to Max TCP Syslog Connections Per Host.
- Update the connections from 10 to 20.
Note: You can make this value higher as needed.
- Click the Admin tab > Advanced > Deploy Full Configuration.
- Click the Admin tab > Advanced > Restart Collection Services.
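Before changing either setting, it helps to know which hosts are reaching the limit and how often. The following is an added example, not IBM's code: it tallies the warning shown in the Symptom section per host. The function names and the sample lines are constructed for illustration, and the regular expression assumes the message format exactly as quoted above.

```python
import re
from collections import Counter

# Pattern for the TcpSyslogProvider warning quoted in the Symptom section.
DROP_RE = re.compile(
    r"TcpSyslogProvider: \[WARN\].*?connectionsPerHost\[(?P<current>\d+)\]\s+"
    r"maximum \[(?P<maximum>\d+)\] reached for host \[/(?P<host>[^\]]+)\]"
    r".*dropping connection"
)

def sample_line(host, limit):
    # Constructed line in the notification's format; not real QRadar output.
    return (
        "[ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol "
        "Provider Thread: class com.q1labs.semsources.sources.tcpsyslog."
        "TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog."
        "TcpSyslogProvider: [WARN] [NOT:0000004000][192.0.2.1/- -] [-/- -]"
        f"connectionsPerHost[{limit}] maximum [{limit}] reached for host "
        f"[/{host}] ... dropping connection"
    )

# Constructed sample; addresses are from documentation ranges (RFC 5737).
SAMPLE_LINES = [
    sample_line("198.51.100.7", 10),
    "[ecs-ec-ingress.ecs-ec-ingress] [Thread-1] unrelated [INFO] line",
    sample_line("198.51.100.9", 10),
    sample_line("198.51.100.7", 10),
    "truncated ... maximum [10] reached for host [/198.51.100.7",  # no match
]

def summarize_drops(lines):
    """Return [(host, drops, limit)] sorted by drop count, highest first."""
    drops, limits = Counter(), {}
    for line in lines:
        m = DROP_RE.search(line)
        if m is None:
            continue  # other log traffic or a truncated record
        host = m.group("host")
        drops[host] += 1
        limits[host] = int(m.group("maximum"))  # limit in force at that time
    return [(h, n, limits[h]) for h, n in drops.most_common()]

if __name__ == "__main__":
    for host, n, limit in summarize_drops(SAMPLE_LINES):
        print(f"{host}: {n} dropped connection(s) at limit {limit}")
```

A single host that dominates the tally usually points at a sender opening connections without closing them, which the shorter idle timeout addresses; many hosts at the limit suggests the per-host maximum is too low for the environment.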
Document Location
Worldwide
Document Information
Modified date:
03 October 2024
UID
ibm16417037