IBM Support

QRadar: HTTP Receiver protocol content length headers can result in truncated payloads

Troubleshooting


Problem

An issue related to the HTTP Receiver protocol in the auto update for 17 June 2022 requires administrators to restart the Event Collection Service (ecs-ec-ingress). This technical note is intended to advise administrators with log sources that use the HTTP Receiver protocol to restart services in order to load the code changes in the protocol update. A service restart is only required for administrators with log sources that use the HTTP Receiver protocol on QRadar 7.4 and 7.5 versions.

Symptom

HTTP Receiver log sources can truncate payloads or enter an error state when the HTTP Receiver protocol receives an incoming HTTP POST that transmits fewer bytes than specified in the 'Content-Length' header. When a log source enters an error status, the administrator needs to disable, then enable the log source. The auto update contains a new version of the HTTP Receiver protocol, but event collection services must be restarted to load the changes.
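The failure mode described above is a body that is shorter than the Content-Length header promises. The following added example (not IBM code, and not the HTTP Receiver protocol implementation) shows how a receiver can compare the declared and received byte counts and report a short read instead of silently ingesting a truncated event. The sample requests are constructed; the request framing (CRLF headers, single Content-Length) is an assumption of this snippet.

```python
import re
from dataclasses import dataclass


@dataclass
class PostCheck:
    declared: int   # bytes promised by the Content-Length header
    received: int   # bytes actually present after the header block
    body: bytes     # the body, capped at the declared length

    @property
    def short(self) -> bool:
        # True when the sender stopped before delivering the promised bytes
        return self.received < self.declared


def parse_post(raw: bytes) -> PostCheck:
    """Split a raw HTTP request into header block and body and compare the
    body length with Content-Length. Raises ValueError for malformed input."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    m = re.search(rb"^Content-Length:\s*(\d+)\s*$", head,
                  re.IGNORECASE | re.MULTILINE)
    if not m:
        raise ValueError("missing Content-Length")
    declared = int(m.group(1))
    return PostCheck(declared, len(body), body[:declared])


def classify(raw: bytes) -> str:
    """Decide what a collector should do with a POST: 'ok' to ingest the body,
    'short' to reject a truncated payload, 'invalid' for unparseable input."""
    try:
        check = parse_post(raw)
    except ValueError:
        return "invalid"
    return "short" if check.short else "ok"


# Constructed sample requests: the body below is exactly 26 bytes long.
HEADERS = (b"POST /events HTTP/1.1\r\nHost: qradar.example.net\r\n"
           b"Content-Type: text/plain\r\nContent-Length: 26\r\n\r\n")
GOOD_POST = HEADERS + b"user=alice action=login ok"   # 26 bytes delivered
SHORT_POST = HEADERS + b"user=alice action="          # only 18 bytes delivered

if __name__ == "__main__":
    for label, req in (("good", GOOD_POST), ("short", SHORT_POST)):
        c = parse_post(req)
        print(f"{label}: declared={c.declared} received={c.received} -> {classify(req)}")
```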

Environment

QRadar Consoles with log sources that use the HTTP Receiver protocol must complete an event collection service restart to resolve the reported HTTP Receiver log source issues.

The following protocol versions were added to IBM Fix Central on 17 June 2022:
 

Resolving The Problem

To correct this issue, administrators must restart the Event Collection Service (ecs-ec-ingress). An ecs-ec-ingress restart temporarily halts event collection, which can lead to new events not being received while services restart. The service typically restarts within 10 seconds. Administrators with change control processes might require a maintenance window to restart services.

 
Procedure
The steps outlined in this procedure can be completed from the user interface by QRadar SIEM and QRadar on Cloud administrators.
  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Click Advanced > Deploy Full Configuration.
  4. Click OK to proceed with the deploy.
  5. Wait for the deploy to complete.
  6. Click Advanced > Restart Event Collect Services.
    Note: Restarting event collection from the user interface is a global function and restarts ecs-ec-ingress services on all appliances in the deployment. Event collection is briefly interrupted while the service restarts. It is possible for QRadar SIEM administrators to restart event collection on the local appliance receiving HTTP Post events from the command line: systemctl restart ecs-ec-ingress.
  7. Click OK to restart services.

Results
After the event collection service is restarted, HTTP Receiver protocol updates are loaded and the reported issue is resolved. If you continue to experience issues with truncated payloads or disabled log sources for the HTTP Receiver protocol after restarting services, contact QRadar Support for assistance.

Document Location

Worldwide


Document Information

Modified date:
22 June 2022

UID

ibm16596091