I have a TCP syslog handler that connects my application backend to TCP port 514 of QRadar for data collection and ingestion as events. The data collection script runs 24/7 looking for new data, which is indexed into QRadar.
Once, during overnight data collection, collection stops and an exception is generated stating "socket.error [Error 111] connection refused". This exception is thrown in the TCP handler as shown in the figure:
![alt text][1]
To reproduce the same exception I tried disconnecting the internet connection and adding a proxy firewall, but I can't reproduce it. Any idea why such a connection is refused? Below is the code where I connect to the TCP port using a socket:

```python
import logging
import logging.handlers
import socket


class TCPSysLogHandler(logging.handlers.SysLogHandler):
    def __init__(self, address,
                 facility=logging.handlers.SysLogHandler.LOG_USER):
        # Build only the base Handler (SysLogHandler.__init__ would open its
        # own socket); the inherited emit() relies on the fields set below.
        logging.Handler.__init__(self)
        self.address = address          # (host, port), here (console, 514)
        self.facility = facility
        self.unixsocket = 0
        self.socktype = socket.SOCK_STREAM
        self.ident, self.append_nul = '', True   # used by emit() on Python 3
        # The connection is made exactly once, here; nothing reopens it later.
        self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.socket.connect(address)

    def close(self):
        self.socket.close()
        logging.Handler.close(self)
```
As the data collection loops around, the same exception is logged every time and the connection is not established after that. Is there any way to re-establish the connection, or any viable next steps to resume data collection?

[1]: /answers/storage/temp/22296-tcperror.png
Answer by Daniel Zerkle (623) | May 24, 2018 at 08:09 PM
That was trying to connect to the QRadar console syslog port?
The most likely explanation is that QRadar services were restarting at the time, and so the QRadar console wasn't collecting syslog events. This does happen, so make sure that your app can handle these sorts of exceptions gracefully. It should repeatedly sleep for a bit and retry until it succeeds.
[DZ] That was trying to connect to the QRadar console syslog port?
Yes, it connects to the syslog port. The address var contains (console address, 514).
I also think that QRadar might be restarting and that caused the exception. But even after a complete restart, the same exception is logged every 2 sec and no connection gets established. So, how do I handle it gracefully? I mean, it obviously tries again and again without success.
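One way to implement the sleep-and-retry handling Daniel describes, as an added example that is not part of this thread: the handler posted above connects once in `__init__` and never reopens the socket, whereas the (hypothetically named) `ReconnectingTCPSysLogHandler` below, written for Python 3, opens the socket lazily, drops records while the collector is unreachable, and waits an exponentially growing delay before the next attempt, so a refused connection during a QRadar restart does not take the handler down for good.

```python
import logging
import logging.handlers
import socket
import time


class ReconnectingTCPSysLogHandler(logging.handlers.SysLogHandler):
    # Lazy connect; after a failure the retry waits a growing delay (capped).
    def __init__(self, address, facility=logging.handlers.SysLogHandler.LOG_USER,
                 initial_delay=1.0, max_delay=60.0):
        logging.Handler.__init__(self)          # skip SysLogHandler's own connect
        self.address, self.facility = address, facility
        self.unixsocket, self.socktype = False, socket.SOCK_STREAM
        self.socket = None
        self.initial_delay, self.max_delay = initial_delay, max_delay
        self.delay, self.next_attempt, self.failures = initial_delay, 0.0, 0

    def _connect(self):
        if self.socket is not None:
            return True
        if time.time() < self.next_attempt:
            return False                        # still backing off, no attempt
        try:
            self.socket = socket.create_connection(self.address, timeout=5)
            self.delay = self.initial_delay     # success resets the backoff
            return True
        except OSError:                         # e.g. [Errno 111] Connection refused
            self.failures += 1                  # counter a health check can read
            self.next_attempt = time.time() + self.delay
            self.delay = min(self.delay * 2, self.max_delay)
            return False

    def _drop_socket(self):
        if self.socket is not None:
            self.socket.close()
            self.socket = None

    def emit(self, record):
        if not self._connect():
            return                              # collector unreachable: drop, retry later
        # <PRI>message\n: newline-framed syslog, as a TCP 514 collector expects
        prio = self.encodePriority(self.facility, self.mapPriority(record.levelname))
        data = ('<%d>%s\n' % (prio, self.format(record))).encode('utf-8')
        try:
            self.socket.sendall(data)
        except OSError:                         # peer went away mid-stream
            self._drop_socket()                 # next emit() reconnects

    def close(self):
        self._drop_socket()
        logging.Handler.close(self)
```

Records emitted during the backoff window are discarded rather than buffered; `failures` and `socket is None` are the state a watchdog in the collection loop can check to alert on a collector that stays down.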