Question

I have a TCP syslog handler that connects my application backend to the TCP 514 port of Qradar for data collection and ingestion as events. The data collection scripts runs 24/7 looking for new data and indexed into qradar.

Once during overnight data collection, data collection stops and an exception is generated stating "socket.error [Error 111] connection refused". This exception is thrown in the TCP handler as shown in fig

![alt text][1]

To reproduce the same exception I tried disconnecting the internet connection and adding a proxy firewall but can't reproduce the same. Any idea why such connection is refused. Below is the code where i connect to the TCP port using socket

 class TCPSysLogHandler(logging.handlers.SysLogHandler):
 
   def __init__(self, address,
                facility=None):
     logging.Handler.__init__(self)
 
     self.address = address
     self.facility = facility
     self.unixsocket = 0
     self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     self.socket.connect(address)
 
   def close(self):
     self.socket.close()
     logging.Handler.close(self)

As the data collection loops around, the same exception is logged every time and the connection is not established after that. Any way to re-establish the connection or any viable next steps to resume data collection? [1]: /answers/storage/temp/22296-tcperror.png

Answer 1

Answer by Daniel Zerkle (623) | May 24, 2018 at 08:09 PM

That was trying to connect to the QRadar console syslog port?

The most likely explanation is that QRadar services were restarting at the time, and so the QRadar console wasn't collecting syslog events. This does happen, so make sure that your app can handle these sorts of exceptions gracefully. It should repeatedly sleep for a bit and retry until it succeeds.

0 Show 1 Share

tarang777 (51) May 29, 2018 at 12:58 AM 0

Share

[DZ] That was trying to connect to the QRadar console syslog port?

Yes it connects to syslog port. The address var contains (console address, 514)

I also think that the Qradar might be restarting and that caused the exception. But even after a complete restart, the same exception is logged every 2 sec and no connection got established. So, how do I handle it gracefully, I mean it obviously tries again and again without success?

Criteria	Usage
Questions with keyword1 or keyword2	keyword1 keyword2
Questions with a mandatory word, e.g. keyword2	keyword1 +keyword2
Questions excluding a word, e.g. keyword2	keyword1 -keyword2
Questions with keyword(s) and a specific tag	keyword1 [tag1]
Questions with keyword(s) and either of two or more specific tags	keyword1 [tag1] [tag2]
To search for all posts by a user or all posts with a specific tag, start typing and choose from the suggestion list. Do not use a plus or minus sign with a tag, e.g., +[tag1].

Qradar socket error: Connection Refused

1 reply

Follow this question

Qradar socket error: Connection Refused

1 reply

Follow this question

Related questions