imperva / incapsula-logs-downloader

A Python script for downloading log files from Incapsula
MIT License

Broken pipe error with TCP transport mode and QRadar #15

Closed. Gunbird closed this 8 months ago.

Gunbird commented 3 years ago

Bug report script Imperva

Hi,

When we run the LogsDownloader.py script in TCP transport mode sending to a QRadar appliance, we get the following traceback each time a message is forwarded to the SIEM.

```text
Message: 'LEEF:1.0|Incapsula|SIEMintegration|1.0|Normal|'
Arguments: ()
--- Logging error ---
Traceback (most recent call last):
  File "/usr/lib64/python3.6/logging/handlers.py", line 944, in emit
    self.socket.sendall(msg)
BrokenPipeError: [Errno 32] Broken pipe
Call stack:
  File "/usr/lib64/python3.6/threading.py", line 884, in _bootstrap
    self._bootstrap_inner()
  File "/usr/lib64/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib64/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "incapsula-logs-downloader-master/script/LogsDownloader.py", line 143, in get_log_files
    success = self.handle_file(next_file)
  File "incapsula-logs-downloader-master/script/LogsDownloader.py", line 222, in handle_file
    self.handle_log_decrypted_content(logfile, decrypted_file)
  File "incapsula-logs-downloader-master/script/LogsDownloader.py", line 270, in handle_log_decrypted_content
    syslogger.info(msg)
Message: 'LEEF:1.0|Incapsula|SIEMintegration|1.0|Normal|'
Arguments: ()
--- Logging error ---
Traceback (most recent call last):
  File "/usr/lib64/python3.6/logging/handlers.py", line 944, in emit
    self.socket.sendall(msg)
BrokenPipeError: [Errno 32] Broken pipe
Call stack:
  File "/usr/lib64/python3.6/threading.py", line 884, in _bootstrap
    self._bootstrap_inner()
  File "/usr/lib64/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib64/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "incapsula-logs-downloader-master/script/LogsDownloader.py", line 143, in get_log_files
    success = self.handle_file(next_file)
  File "incapsula-logs-downloader-master/script/LogsDownloader.py", line 222, in handle_file
    self.handle_log_decrypted_content(logfile, decrypted_file)
  File "incapsula-logs-downloader-master/script/LogsDownloader.py", line 270, in handle_log_decrypted_content
    syslogger.info(msg)
```

It does not happen all the time, but it seems to be more frequent when we first start the script and there are multiple log files to download and forward.

The script is set up in forward-only mode; the log file is removed after being sent.

On the QRadar side we get several errors like:

```text
Sep 8 15:40:58 127.0.0.1 [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO] [NOT:0080004100][10.90.235.33/- -] [-/- -]TcpSyslog(0.0.0.0/514)refused connection from /:42682
```

This error suggests that too many TCP connections are opened: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/38750061.html

When the script is running, I noticed that there are multiple TCP connections opened to the SIEM (around 10).

Thanks for your help

Gunbird commented 3 years ago

I found out that by default QRadar does not allow more than 10 syslog TCP connections per host (see screen capture below).

[screen capture: QRadar max syslog TCP]

Is it possible to implement some kind of limitation on the number of TCP connections created by the script.

What happens, for example, is that the script is stopped for a period of time and when we start it again it has to collect all past log files, and the script seems to create one TCP connection per log file.

Of course, if it's too hard, we can still raise the "Max TCP Syslog Connections Per Host" parameter, but there would still be a max limit that could be reached by the script when it resumes.

Thanks for your help.
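The two patterns the thread contrasts (one TCP connection per log file, which walks straight into a per-host connection cap after a backlog, versus a single long-lived connection) plus the failure mode from the first comment (the peer drops the session and the next `sendall` raises `BrokenPipeError`, which `logging` only reports as `--- Logging error ---`), as an added example that is not part of this thread or of the incapsula-logs-downloader code. It drives Python's own `logging.handlers.SysLogHandler` against a constructed in-process TCP listener, `FakeSiem`, which merely counts connections and does not implement QRadar's cap; the LEEF lines are constructed; `forward_new_handler_per_file` is an assumed reconstruction of the reported behaviour, not the script's code; and `ReconnectingSysLogHandler` is this example's own subclass, which neither the project nor the standard library ships.

```python
import logging
import logging.handlers
import socket
import socketserver
import threading
import time

class _CollectingHandler(socketserver.BaseRequestHandler):
    """Per accepted connection: count it, then split the stream on the NUL that
    SysLogHandler appends to every TCP message and store each message."""
    def handle(self):
        srv, buf = self.server, b""
        with srv.lock:
            srv.connections += 1
        while True:
            try:
                chunk = self.request.recv(4096)
            except OSError:
                chunk = b""
            if not chunk:
                break
            *complete, buf = (buf + chunk).split(b"\x00")
            with srv.lock:
                srv.lines.extend(m.decode("utf-8", "replace") for m in complete)

class FakeSiem(socketserver.ThreadingTCPServer):
    """Constructed stand-in for the SIEM listener (ephemeral loopback port). It
    counts connections and keeps what it received; it enforces no per-host cap."""
    allow_reuse_address = True
    daemon_threads = True
    def __init__(self):
        super().__init__(("127.0.0.1", 0), _CollectingHandler)
        self.lock, self.connections, self.lines = threading.Lock(), 0, []
        threading.Thread(target=self.serve_forever, daemon=True).start()
    def wait_for_lines(self, n, timeout=5.0):
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self.lock:
                if len(self.lines) >= n:
                    return True
            time.sleep(0.01)
        return False
    def stop(self):
        self.shutdown()
        self.server_close()

class ReconnectingSysLogHandler(logging.handlers.SysLogHandler):
    """Example-only subclass: created once and reused for every file, so the SIEM
    sees one connection. On a failed send (e.g. BrokenPipeError after the peer
    dropped the session) it reopens the socket and resends that record once;
    a second failure falls back to the default '--- Logging error ---' report."""
    def __init__(self, address):
        super().__init__(address=address, socktype=socket.SOCK_STREAM)
        self._retrying = False
    def handleError(self, record):
        if self._retrying:
            return super().handleError(record)
        self._retrying = True
        try:
            try:
                self.socket.close()
            except (OSError, AttributeError):
                pass
            self.socket = socket.create_connection(self.address)  # same (host, port)
            self.emit(record)
        finally:
            self._retrying = False

def _record(msg):
    return logging.LogRecord("incapsula", logging.INFO, "", 0, msg, None, None)

def forward_new_handler_per_file(address, messages):
    """Assumed reconstruction of the reported behaviour (not the script's code):
    a new handler, hence a new TCP connection, for every log file."""
    h = logging.handlers.SysLogHandler(address=address, socktype=socket.SOCK_STREAM)
    try:
        for msg in messages:
            h.handle(_record(msg))
    finally:
        h.close()

def demo():
    """Replays 5 constructed 'log files' of 3 LEEF lines through both patterns; returns
    (connections with per-file handlers, with the shared handler, after a forced
    reconnect, last message received)."""
    files = [[f"LEEF:1.0|Incapsula|SIEMintegration|1.0|Normal|file={i} line={j}"
              for j in range(3)] for i in range(5)]
    siem = FakeSiem()
    for f in files:
        forward_new_handler_per_file(siem.server_address, f)
    siem.wait_for_lines(15)
    per_file = siem.connections
    siem.stop()
    siem = FakeSiem()
    handler = ReconnectingSysLogHandler(siem.server_address)
    for f in files:
        for msg in f:
            handler.handle(_record(msg))
    siem.wait_for_lines(15)
    shared = siem.connections
    handler.socket.close()  # simulate the transport dying underneath the handler
    handler.handle(_record("LEEF:1.0|Incapsula|SIEMintegration|1.0|Normal|after reconnect"))
    siem.wait_for_lines(16)
    after, last = siem.connections, siem.lines[-1]
    handler.close()
    siem.stop()
    return per_file, shared, after, last  # (5, 1, 2, '<14>LEEF:...|after reconnect')
```

`demo()` shows the per-file pattern costing one connection per backlog file (5 here, so a 10-file backlog would hit QRadar's default cap), while the shared handler costs one connection however many files are replayed, and a second one only after the transport is forcibly closed and the record is resent. Two caveats for a real deployment: the resend is at-least-once, so a message that actually reached the SIEM before the pipe broke can be delivered twice, and the reconnect itself is what a SIEM that is refusing connections will reject, so the retry should be paired with a delay rather than an immediate loop.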

joeymoore commented 1 year ago

@Gunbird This is a unique issue and odd due to the nature of the single-threaded process for sending the messages. It makes me wonder if the connection was not being properly closed. A new 3.0.0 release is available and resolves a lot of known issues. Please review the readme if planning to upgrade. https://github.com/imperva/incapsula-logs-downloader/tree/release-3.0.0-beta