IBM Support

QRadar: How to check the Microsoft SQL communication and instance ports to QRadar.

Question & Answer


Question

Why is QRadar not receiving events from a Microsoft SQL Server database?

Cause

The configured ports are not open or are not the correct ones. Microsoft SQL Server uses the JDBC protocol on port 1433.

Answer

Before you begin: This configuration procedure is for Microsoft SQL Server 2008. The configuration procedure can be different on other versions. Consult your Microsoft SQL Server documentation for more information.

There are two tests to establish that the Microsoft SQL Server Log Source ports are properly configured and open.

Procedure:

To test Microsoft SQL Server ports, follow the steps below:
  1. SSH to the QRadar appliance that connects to the Microsoft SQL Server database.
  2. Use the telnet command to test the connections:
    1. telnet windows.host 1433 
      This is a common SQL Server listener port. If Microsoft SQL Server isn't responding to the telnet command, you will need to confirm the details with the Microsoft SQL Server Administrator.
    2. telnet windows.host 3389
      If the Microsoft SQL Server listener does not respond, test another common port, 3389, which is Terminal Services.
  3. From the Microsoft SQL Server side, to find the TCP Port number where the Microsoft SQL instance is listening, you can follow these steps.
    1. Start > All Programs > Microsoft > Microsoft SQL Server 20XX > Configuration Tools > SQL Server Configuration Manager
    2. Click SQL Server Configuration Manager > SQL Server Network Configuration > Protocols for <Instance Name>
    3. Right-click TCP/IP and select Properties.
    4. In the TCP/IP Properties dialog box, go to the IP Addresses tab and scroll down to the IP All group.
    5. Modify the TCP port to be the one in your configuration.
      Note: Log sources do not support dynamic port allocations. This log source configuration is to update the default port being used by the Microsoft SQL Server.
  4. Verify the port in your Microsoft SQL Server Log Source.
    Note: If you change the port in your Microsoft SQL Server Log Source, you will need to Deploy Changes from the Admin tab.
Result: QRadar can now listen to the Microsoft SQL Server port.
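
The telnet test in step 2 only shows whether a connection opens. The script below is an added example, not part of the IBM procedure: it makes the same TCP connection attempt and reports whether the port is open, refused, or silently dropped, which indicates whether to look at the SQL Server port setting or at a firewall. It assumes Python 3 is available on the host you run it from; the script name, function names and hint wording are this example's own.

```python
import errno
import socket
import sys

# Hint text is this example's own wording, keyed by the result of check_port().
HINTS = {
    "open": "listener answered; verify the log source is configured with this port",
    "refused": "connection rejected: nothing is listening on this port (or a firewall "
               "rejects it); confirm the instance's TCP port with the SQL Server administrator",
    "filtered": "no reply before the timeout; look for a firewall dropping the traffic",
    "unreachable": "no route to the host from this appliance",
    "dns_failure": "the host name does not resolve on this appliance",
    "error": "unexpected socket error",
}

def check_port(host, port, timeout=3.0):
    """Attempt one TCP connection (what `telnet host port` does) and classify it."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"
    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"
    finally:
        sock.close()

def diagnose(host, ports, timeout=3.0):
    """Return {port: (state, hint)} for each port to verify."""
    return {p: (s, HINTS[s]) for p in ports for s in [check_port(host, p, timeout)]}

if __name__ == "__main__":
    # Usage: python3 check_mssql_port.py <sql-server-host> [port ...]; default 1433
    target = sys.argv[1]
    wanted = [int(a) for a in sys.argv[2:]] or [1433]
    for port, (state, hint) in diagnose(target, wanted).items():
        print(f"{target}:{port} {state} - {hint}")
```

Pass the port shown in the IP All group as an extra argument when the instance does not use 1433.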


Document Information

Modified date:
03 April 2020

UID

swg21989765