Troubleshooting
Problem
When a user opens the Log Activity tab, no real-time events are displayed, and the following error appears in the /var/log/qradar.error file:
[ecs-ep.ecs-ep] [Streamer (NormalizedEvent)] com.q1labs.core.shared.ariel.streaming.RecordStreamer(NormalizedEvent): [WARN] Unable to connect to server localhost:7800
Cause
This problem occurs when the ecs-ep service does not communicate correctly with the Apache Tomcat streamer.
Resolving The Problem
- SSH into the QRadar Console as the root user.
- Restart the ecs-ep and ariel_proxy_server services on the QRadar Console with the following commands.
Note: Restarting these services affects other functionality, including correlations, searches, and offense creation. See QRadar: Core services and the impact of restarting services.
systemctl restart ecs-ep
systemctl restart ariel_proxy_server
- To confirm that the services are running after the restart, use the following commands:
systemctl status ecs-ep
systemctl status ariel_proxy_server
- Once the services are restarted, wait at least 2 minutes.
- Go to the Log Activity tab in the Console and verify that real-time events are coming into the Console again.
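The procedure above can be scripted so that the restart is followed by a check that the streamer warning has stopped appearing in /var/log/qradar.error. This is an added example, not IBM code: the function names are hypothetical, and the script assumes the log path, warning text, and 2-minute wait given on this page.

```shell
#!/bin/sh
# Added example (not IBM code). Function names are hypothetical.
LOG="${LOG:-/var/log/qradar.error}"   # log path given on this page
# Fixed string taken from the warning quoted on this page.
PATTERN='RecordStreamer(NormalizedEvent): [WARN] Unable to connect to server localhost:7800'

# Print how many lines of file $1 contain the streamer warning.
count_streamer_warnings() {
    grep -cF -- "$PATTERN" "$1" || true   # grep exits 1 on zero matches
}

# Print how many warnings appear after line number $2 of file $1.
# If the file is now shorter than $2 (rotated), scan it from the top.
warnings_after_line() {
    wal_total=$(( $(wc -l < "$1") ))
    wal_skip=$2
    if [ "$wal_total" -lt "$wal_skip" ]; then wal_skip=0; fi
    tail -n "+$((wal_skip + 1))" "$1" | grep -cF -- "$PATTERN" || true
}

# Restart both services, wait, then confirm each is active and that no new
# warning was logged since the restart. Run as root on the Console.
restart_and_verify() {
    rv_baseline=$(( $(wc -l < "$LOG") ))
    systemctl restart ecs-ep || return 1
    systemctl restart ariel_proxy_server || return 1
    sleep 120   # the page asks for at least 2 minutes
    # Check units one at a time: is-active with several units succeeds
    # if any one of them is active.
    for rv_unit in ecs-ep ariel_proxy_server; do
        systemctl is-active --quiet "$rv_unit" ||
            { echo "$rv_unit is not active" >&2; return 1; }
    done
    rv_new=$(warnings_after_line "$LOG" "$rv_baseline")
    if [ "$rv_new" -gt 0 ]; then
        echo "$rv_new new streamer warning(s) since restart" >&2
        return 1
    fi
    echo "services active, no new streamer warnings"
}

# Only touch services when explicitly asked to.
if [ "${1:-}" = "--run" ]; then restart_and_verify; fi
```

Without the `--run` argument the script only defines the functions, so it can be sourced to count warnings in a copy of the log without restarting anything.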
Document Location
Worldwide
Document Information
Modified date:
01 April 2022
UID
ibm16539926