QRadar no listening on 514 port

Question

I install a fresh QRadar community, and have configured a syslog event source.

But QRadar is not listening on the 514 port (no TCP nor UDP)

Do you have any idea ?

Here is the output of netstat:

[root@localhost ~]# netstat -nlp|grep 514
tcp6       0      0 :::1514                 :::*                    LISTEN      24177/syslog-ng
udp6       0      0 :::1514                 :::*                                24177/syslog-ng

Many thanks for your help !

score 3 · Answer 1 · answered Apr 10 '21 at 07:20

I had the same problem with my fresh QRadar CE 7.3.3 installation. Syslog was not listening on port 514 and no other log events were displayed in real-time stream.

In /var/log/qradar.log the following message showed up:

Apr 10 08:48:43 ::ffff:X.X.X.X [masterdaemon.masterdaemon] [Thread-70] com.eventgnosis.ecs: [INFO] [NOT:0000006000][X.X.X.X/- -] [-/- -]Waiting for valid license...

Finally I found this support article on IBM's support pages. After updating the license file as described in the article everything works fine.

Thank you. I had to follow the same steps in Jan 2022 after a fresh install of CE 7.3.3. Some of the license files were there, but not all. — trebor, Jan 11 '22 at 02:43

QRadar no listening on 514 port

1 Answers1