IBM Support

QRadar: How can I increase my maximum TCP Syslog connections?

Question & Answer


Question

I am getting errors about maximum connections reached, is there a way to increase that limit?

Cause

By default, QRadar allows for 2,500 TCP Syslog connections total, and 10 per host. If more than 2,500 connections are attempted, messages similar to the following are logged in /var/log/qradar.error:
Mar 19 11:48:05 ::ffff:192.168.1.2 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class 
com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: 
[INFO] [NOT:0080004100][192.168.1.2/- -] [-/- -]TcpSyslog(0.0.0.0/514)refused 
If a single host sends a large volume of events, it can attempt to use more than 10 connections at once. If more than 10 connections per host are attempted, messages similar to the following are logged in /var/log/qradar.error:

[ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [WARN] [NOT:0000004000][10.10.10.20/- -] [-/- -]connectionsPerHost[10] maximum [10] reached for host [IP ADDRESS] ... dropping connection
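The two messages above point at two different settings: "refused" means the global Max Number of TCP Syslog Connections is exhausted, while "connectionsPerHost[10] maximum [10] reached" means one sender hit the per-host limit. The script below is an added example for this article (not IBM's tooling) that counts each signature in /var/log/qradar.error so you can see which limit to raise and by how much; the sample log lines, IP addresses and counts are constructed for the demonstration and modelled on the messages quoted above.

```shell
#!/bin/sh
# Added example, not part of QRadar: classify TCP Syslog limit messages.

# Constructed sample modelled on the article's quoted messages; the hosts
# and counts are made up. Replace with a real file path when using it.
SAMPLE_LOG='Mar 19 11:48:05 ::ffff:192.168.1.2 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread] [INFO] [NOT:0080004100][192.168.1.2/- -] [-/- -]TcpSyslog(0.0.0.0/514)refused
Mar 19 11:48:06 ::ffff:192.168.1.2 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread] [INFO] [NOT:0080004100][192.168.1.2/- -] [-/- -]TcpSyslog(0.0.0.0/514)refused
Mar 19 11:48:07 ::ffff:192.168.1.2 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread] [WARN] [NOT:0000004000][10.10.10.20/- -] [-/- -]connectionsPerHost[10] maximum [10] reached for host [10.10.10.20] ... dropping connection
Mar 19 11:48:08 ::ffff:192.168.1.2 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread] [WARN] [NOT:0000004000][10.10.10.20/- -] [-/- -]connectionsPerHost[10] maximum [10] reached for host [10.10.10.20] ... dropping connection
Mar 19 11:48:09 ::ffff:192.168.1.2 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread] [WARN] [NOT:0000004000][10.10.10.30/- -] [-/- -]connectionsPerHost[10] maximum [10] reached for host [10.10.10.30] ... dropping connection
Mar 19 11:48:10 ::ffff:192.168.1.2 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_35] java.net.SocketTimeoutException: Read timed out'

# Connections refused because the global Max Number of TCP Syslog
# Connections was exhausted. Reads the log on stdin, prints a count.
count_global_refused() {
    awk '/TcpSyslog\(.*\)refused/ { n++ } END { print n + 0 }'
}

# Hosts that hit the per-host limit and how often, busiest first.
# Output: "<count> <host>" per line. The host is taken from the
# "reached for host [...]" part of the message.
per_host_limit_hits() {
    awk 'match($0, /reached for host \[[^]]+\]/) {
             host = substr($0, RSTART + 18, RLENGTH - 19)
             hits[host]++
         }
         END { for (h in hits) print hits[h], h }' | sort -rn
}

# Summary for a real log file (default /var/log/qradar.error). If only the
# per-host list is populated, raise the per-host setting; if the global
# count is non-zero, the total limit is the bottleneck.
summarize_tcp_syslog_limits() {
    log="${1:-/var/log/qradar.error}"
    echo "Global limit refusals: $(count_global_refused < "$log")"
    echo "Hosts at the per-host limit (count host):"
    per_host_limit_hits < "$log"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_global_refused
printf '%s\n' "$SAMPLE_LOG" | per_host_limit_hits
```

Run `summarize_tcp_syslog_limits /var/log/qradar.error` on the console to get both figures for the live log; the per-host list tells you which senders would benefit from a higher per-host value, and the constructed sample yields 2 global refusals plus 10.10.10.20 (twice) and 10.10.10.30 (once) at the per-host limit.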

Answer

Yes, it is possible to increase both the maximum number of TCP syslog connections limit and the maximum TCP syslog connections per host.
Note: If raised too high, the Max Number of TCP Syslog Connections might impact performance and cause ecs-ec-ingress to run out of memory. Raise the value only as far as needed to resolve the issue.
Important: If you are a QRadar on Cloud administrator, you must provide the new values for maximum number of TCP syslog connections limit and the maximum TCP syslog connections per host in a QRadar Support case.
To raise the limit for the Max Number of TCP Syslog Connections:
  1. Log in to the QRadar UI.
  2. Open the Admin settings:
    • In IBM Security QRadar V7.3.1 or earlier, click the navigation menu, and then click Admin to open the Admin tab.
    • In IBM Security QRadar V7.3.2 or later, click the Admin tab.

  3. Click System Settings.
  4. Click Advanced.
  5. Scroll down to Max Number of TCP Syslog Connections.
  6. Increase the value as needed.
  7. Click Save.
  8. From the Admin tab, click Advanced > Deploy Full Configuration.
  9. Click Continue to complete the Deploy process.
  10. From the Admin tab, click Advanced > Restart Event Collection Services.
To raise the limit for the Max Number of TCP Syslog Connections per host:
  1. Open the Admin settings.
  2. Open System Settings.
  3. Scroll down to Max Number of TCP Syslog Connections Per Host.
  4. Increase the value as needed (but do not exceed the Max Number of TCP Syslog Connections).
  5. Click Save.
  6. From the Admin tab, click Advanced > Deploy Full Configuration.
  7. Click Continue to complete the Deploy process.
  8. From the Admin tab, click Advanced > Restart Event Collection Services.
Other than ecs-ec-ingress crashing with an out-of-memory error, the following problem can occur:

The WinCollect agent stops after increasing the maximum TCP connections or the maximum TCP connections per host.

After updating the maximum TCP syslog connections or the maximum TCP connections per host, the WinCollect agent stops sending events. When this occurs, similar messages can be seen in /var/log/qradar.error:

[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_35]
com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler: 
[ERROR] [NOT:0000003000][192.168.x.x/- -] [-/- -]Encountered a problem in WinCollectConfigSocket Thread
May  6 05:15:37 ::ffff:192.168.x.x [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_35] 
java.net.SocketTimeoutException: Read timed out


To resolve this issue:

  1. Log in to the WinCollect host not sending events as an admin user.
  2. Open the Services app.
  3. Scroll to the WinCollect service.
  4. Click restart.
Results
The WinCollect agent starts and the host sends events.


Document Information

Modified date:
01 September 2023

UID

ibm17002479