Troubleshooting
This section describes detailed troubleshooting steps for common issues and errors.
If an error (for example, socket connection on the port xxxx configured for FIM log sources is refused) is displayed in the application log or in the in-app configuration under the Advanced tab > Last Failure, perform the following steps to resolve the problem:
- Disable all the data inputs from the application configuration, then:
- Admin > Advanced drop-down > Deploy Full Configuration
- Admin > Advanced drop-down > Restart Event Collection Service
- Enable the required data inputs
Wait for the Event Collection Service to restart before enabling the FIM job.
If a Log Source error occurs.
If the log source shows the following message, refer to the links from IBM below:
"This log source uses an undocumented protocol. IBM Support cannot troubleshoot problems with receiving event data. Events received by an undocumented protocol may be in a format unrecognized by the DSM. Use the DSM Editor to resolve any parsing issues."
https://www.ibm.com/docs/en/dsm?topic=configuration-undocumented-protocols
https://www.ibm.com/docs/en/qradar-common?topic=app-undocumented-protocols
If you get errors for AQL.
If you get N/A for a field value: when the payload contains the field, its data is shown; QRadar shows N/A when the field is not available in the payload.
If you get the error "Field '<field name>' does not exist in catalog 'events'" in the Activity Log tab, manually type the field name to get the exact match for that value.
If you get [Errno 111], Connection refused error.
The following error messages are displayed for different cases:
ERROR: Socket connection on port 12400 configured for 'QualysFimMultiline' log source is declined, 'Deploy Full Configuration.' Error while connecting to socket: [Errno 111] Connection refused.
This error occurs when the listen port is not in the LISTENING state. To resolve this issue, deploy the full configuration on the QRadar box.
Verify the following points:
- Whether the procedure at https://www.ibm.com/support/pages/node/6395080 has been performed. To verify this: if the license is patched, the user can see Live Events under Log Activity; otherwise, no events are visible.
- Whether the user performed 'Deploy Changes' after the application installation.
- As the last step, which the QRadar Admin could authorize, do a 'Full Deployment'.
If the above steps do not work for a user, they should contact Qualys Support.
If the user is not able to pull data with a proxy.
If the user cannot pull the data through an HTTP proxy (rather than an HTTPS proxy), or vice versa, check with your networking team and the team responsible for providing the QRadar host machine.
If the user is not able to pull data without a proxy.
If the user cannot pull the data without a proxy, check with your networking team and the team responsible for providing the QRadar host machine.
If the Token returned is Null.
If the user observes that the ETL says "Received auth token from API Gateway Server" and the process terminates, it means the token returned is None. To verify this, run the following curl command in the app container from the /opt/app-root/app directory.
- If the proxy is not needed, remove the --proxy option and its '<proxy>' value:
curl --location --request POST '<gateway api>/auth' --proxy '<proxy>' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'username=<POD username>' --data-urlencode 'password=<POD password>' --data-urlencode 'token=true'
- If the JWT token is not returned, check with your networking team or the team responsible for providing the QRadar host machine for proxy or firewall-related issues.
- If the JWT token is returned, contact Qualys support.
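The same check as a script, added here as an example and not part of the Qualys documentation. It reads the password without echo and passes it to curl through a private temp file instead of the command line, and it reports only whether a JWT came back without printing the token. The function names are hypothetical, and it assumes the /auth response body is the bare JWT and that mktemp and stty are available in the app container.

```sh
#!/bin/sh
# Added example, not Qualys code. Gateway URL, username and proxy are
# placeholders passed by the caller. Assumes the /auth response body is the
# bare JWT when token=true is sent.

# Succeeds if $1 has the shape of a JWT: three non-empty base64url segments
# joined by dots. Shape only; the signature is not verified.
looks_like_jwt() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Maps a response body to the two outcomes in the steps above.
classify_auth_response() {
    body=$(printf '%s' "$1" | tr -d '\r\n')
    if looks_like_jwt "$body"; then
        echo "jwt-returned"   # auth path works: contact Qualys Support
    else
        echo "no-jwt"         # check proxy/firewall with the networking team
    fi
}

# $1 = gateway API base URL, $2 = POD username, $3 = proxy URL (optional).
# The password is read without echo and handed to curl through a 0600 temp
# file (name@file form of --data-urlencode), so it does not appear in the
# process list or in shell history.
request_token() {
    url=$1 user=$2 proxy=${3:-}
    pwfile=$(mktemp) || return 1
    printf 'POD password: ' >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    printf '%s' "$pw" > "$pwfile"; unset pw
    if [ -n "$proxy" ]; then set -- --proxy "$proxy"; else set --; fi
    resp=$(curl --silent --show-error --location --request POST "$url/auth" "$@" \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data-urlencode "username=$user" \
        --data-urlencode "password@$pwfile" \
        --data-urlencode 'token=true'); rc=$?
    rm -f "$pwfile"
    printf '%s' "$resp"; return "$rc"
}

# Usage: sh check_token.sh '<gateway api>' '<POD username>' ['<proxy>']
if [ "$#" -ge 2 ]; then
    classify_auth_response "$(request_token "$@")"
fi
```

A "no-jwt" result covers an empty body as well as an HTML error page returned by a proxy or firewall.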
If widgets are taking time to load or display data.
Try loading each widget separately. After selecting a date range, the widgets might take time to fetch the data; hence, try to refresh each widget individually.