
WinCollect: Register with configuration server failed -- The certificate presented by the configuration server was either missing or its chain was not validated/trusted -- will try again later

Troubleshooting


Problem

The WinCollect agent cannot communicate with the configuration server on port 8413, so configuration updates are not pushed from the configuration server to the agent. This issue does not affect event collection by that agent.

Symptom

Errors in wincollect.log:

12-11 13:49:20.398 INFO  SRV.Code.CertificateManager.X.X.X.X : Attempting to retrieve the certificate from the configuration server
12-11 13:49:20.539 ERROR SRV.Code.CertificateManager.X.X.X.X : Cannot connect to configuration server (336032784)
12-11 13:49:20.539 WARN  SRV.System.WinCollectSvc.Service : Register with configuration server failed -- The certificate presented by the configuration server was either missing or its chain was not validated/trusted -- will try again later

Errors in qradar.log on the configuration server:

Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7] com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler: [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -] hit an SSL Negotiation issue, most likely tried to connect with an invalid PEM
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7] javax.net.ssl.SSLHandshakeException: no cipher suites in common
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.g.a(g.java:38)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.g.a(g.java:16)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.bb.a(bb.java:222)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.bb.a(bb.java:22)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.bb.a(bb.java:88)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.a2$d.a(a2$d.java:43)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.a2$d.produce(a2$d.java:75)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.p.produce(p.java:63)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.G$e.a(G$e.java:73)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.G$b.a(G$b.java:2)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.G$b.consume(G$b.java:15)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.p.consume(p.java:56)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.aa.a(aa.java:142)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.aa.a(aa.java:146)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.bb.a(bb.java:112)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.a0.a(a0.java:8)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.bj.b(bj.java:451)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.bj.f(bj.java:182)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.bj.a(bj.java:508)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.ibm.jsse2.bj.startHandshake(bj.java:60)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler.run(WinCollectConfigHandler.java:83)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Dec 11 13:49:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_7]    at java.lang.Thread.run(Thread.java:830)

Cause

This error relates to either a missing or an incorrect certificate, which is used for secure communication between the Windows Server and the QRadar appliance.

Environment

All

Diagnosing The Problem

Verify the certificate returned by the configuration server on port 8413 using the following command:
 
openssl s_client -connect 127.0.0.1:8413 -showcerts
The expected certificate is a self-signed ‘SyslogTLS_Server’ certificate (sample output follows):
 
[root@hostname ~]# openssl s_client -connect 127.0.0.1:8413 -showcerts
CONNECTED(00000003)
depth=0 CN = *, O = SyslogTLS_Server
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = *, O = SyslogTLS_Server
verify return:1
---
Certificate chain
 0 s:/CN=*/O=SyslogTLS_Server
   i:/CN=*/O=SyslogTLS_Server
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*/O=SyslogTLS_Server
issuer=/CN=*/O=SyslogTLS_Server
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1304 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 399682E087B5A39F3D9F7D29F63D268109B783CDEE79F43F09E4547E89D085AE
    Session-ID-ctx: 
    Master-Key: 4FBD578CBA762AAE1C7CB028ACDB39E04B8B372F07ED202BF47117182DF18A87D2EE73A188309CD56D17E39BDBBD9420
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1702542293
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---


Sample output showing no certificate presented on port 8413, which causes the communication error:
 
[root@hostname ~]# openssl s_client -connect 127.0.0.1:8413 -showcerts
CONNECTED(00000003)
140241623242640:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1702542953
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
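To make the check above repeatable, for example from a monitoring job, the following added shell script (not IBM tooling) classifies the output of openssl s_client for port 8413 into the healthy case (a SyslogTLS_Server certificate is presented) and the two failure cases. The sample outputs embedded at the bottom are constructed, abbreviated copies of the two outputs shown above plus a third case with a foreign certificate; the function and variable names are assumptions, not QRadar identifiers.

```shell
#!/bin/sh
# Added example, not IBM tooling: classify "openssl s_client -showcerts"
# output for the WinCollect configuration server port (8413) so the check
# can run unattended. Verdicts printed on stdout:
#   ok                     - a SyslogTLS_Server certificate was presented
#   no-peer-certificate    - handshake failed, nothing presented (the error case)
#   unexpected-certificate - a certificate came back, but not SyslogTLS_Server
# Function and variable names are assumptions, not QRadar identifiers.

CONFIG_SERVER_PORT=8413

# Reads s_client output on stdin, prints the verdict, returns 0 only for "ok".
classify_config_server_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
        echo no-peer-certificate
        return 1
    fi
    # Older OpenSSL prints "subject=/CN=*/O=SyslogTLS_Server",
    # newer builds print "subject=CN = *, O = SyslogTLS_Server"; both match.
    if printf '%s\n' "$out" | grep -q '^subject=.*SyslogTLS_Server'; then
        echo ok
        return 0
    fi
    echo unexpected-certificate
    return 1
}

# Live check against a configuration server (defaults to the local appliance).
# </dev/null closes s_client's stdin so it exits right after the handshake.
check_config_server() {
    host=${1:-127.0.0.1}
    openssl s_client -connect "$host:$CONFIG_SERVER_PORT" -showcerts </dev/null 2>&1 \
        | classify_config_server_output
}

# Constructed, abbreviated copies of the two outputs shown on this page,
# plus a third case with a certificate from some other issuer.
SAMPLE_GOOD='CONNECTED(00000003)
depth=0 CN = *, O = SyslogTLS_Server
verify return:1
---
Server certificate
subject=/CN=*/O=SyslogTLS_Server
issuer=/CN=*/O=SyslogTLS_Server
---
    Verify return code: 18 (self signed certificate)'

SAMPLE_BROKEN='CONNECTED(00000003)
140241623242640:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

SAMPLE_OTHER='CONNECTED(00000003)
---
Server certificate
subject=/CN=example.invalid/O=Some_Other_Issuer
issuer=/CN=example.invalid/O=Some_Other_Issuer
---'

# Run the live check only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--check" ]; then
    check_config_server "${2:-127.0.0.1}"
fi
```

Run it on the configuration server as `sh check-config-server.sh --check` (or pass a remote host as the second argument); the verdict is printed and the exit status is non-zero for either failure case, so it can feed an alert directly.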

Resolving The Problem

To resolve the issue, follow these steps:
1.  Reset the TLSSyslog keystore on the configuration server:
 
Remove the old keystore files:
rm -v /opt/qradar/conf/syslog-tls.keystore
rm -v /opt/qradar/conf/trusted_certificates/syslog-tls.*

Restart the ecs-ec-ingress service:
 
systemctl restart ecs-ec-ingress
Results: QRadar re-creates the keystore, imports the certificates from /opt/qradar/conf/trusted_certificates/, and generates the default TLSSyslog certificate. Creating the keystore can take a little while; you can monitor it with this command:
 
watch "ls -ls /opt/qradar/conf/syslog-tls.keystore"

Verify the new certificate:
 
openssl s_client -connect 127.0.0.1:8413 -showcerts | less
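Step 1 as an unattended procedure, written here as an added example and not an IBM script: it removes the old keystore files, restarts ecs-ec-ingress, polls for the regenerated keystore with a timeout instead of leaving watch running, and then confirms that port 8413 presents a SyslogTLS_Server certificate again. The paths, service name and port are the ones given on this page; the timeout and poll interval, and the function names, are assumptions.

```shell
#!/bin/sh
# Added example, not an IBM script: reset the TLSSyslog keystore on the
# QRadar configuration server and wait for it to be regenerated.
# Paths, service name and port are from the IBM page; timeouts are assumed.

KEYSTORE=/opt/qradar/conf/syslog-tls.keystore
TRUSTED_GLOB='/opt/qradar/conf/trusted_certificates/syslog-tls.*'
SERVICE=ecs-ec-ingress
PORT=8413

# Poll until $1 exists and is non-empty, or $2 seconds have passed,
# checking every $3 seconds. Returns 0 when the file appeared, 1 on timeout.
wait_for_file() {
    file=$1
    timeout=${2:-300}
    interval=${3:-5}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -s "$file" ]; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 1
}

# True when the local configuration server presents a SyslogTLS_Server cert.
config_server_presents_cert() {
    openssl s_client -connect "127.0.0.1:$PORT" -showcerts </dev/null 2>/dev/null \
        | grep -q '^subject=.*SyslogTLS_Server'
}

reset_syslog_tls_keystore() {
    # -f so a previous partial reset (files already gone) does not abort here;
    # $TRUSTED_GLOB is unquoted on purpose so the shell expands the glob.
    rm -fv "$KEYSTORE" $TRUSTED_GLOB
    systemctl restart "$SERVICE"
    if ! wait_for_file "$KEYSTORE" 300 5; then
        echo "keystore was not recreated within 300s; check the $SERVICE logs" >&2
        return 1
    fi
    if config_server_presents_cert; then
        echo "port $PORT now presents the SyslogTLS_Server certificate"
        return 0
    fi
    echo "keystore recreated but port $PORT still does not present the expected certificate" >&2
    return 1
}

# Only act when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then
    reset_syslog_tls_keystore
fi
```

Run it as root on the configuration server with `sh reset-keystore.sh --run`; a non-zero exit means either the keystore never reappeared or the port still presents nothing, which is the point at which the agent-side step below will not help and the ecs-ec-ingress logs need to be read.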
2.  Replace the ConfigurationServer.PEM file on each WinCollect agent so that the agent pulls the new certificate.

Steps:
 
  • Log in to the Windows host with WinCollect installed.
  • Stop the WinCollect service.
  • Navigate to C:\Program Files\IBM\WinCollect\config.
  • Locate the ConfigurationServer.PEM file.
  • Rename this file to ConfigurationServer.old.
  • Start the WinCollect service.
  • Watch the C:\Program Files\IBM\WinCollect\config directory: the QRadar appliance issues a new ConfigurationServer.PEM file to the agent.
If these troubleshooting steps do not resolve your issue, contact IBM QRadar support.


Document Information

Modified date:
19 December 2023

UID

ibm17096703