Академический Документы
Профессиональный Документы
Культура Документы
Note: Before using this information and the product that it supports, read the information in Notices and
Trademarks on page 11.
Copyright IBM Corp. 2012, 2013 All Rights Reserved US Government Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
CONTENTS
1
This technical note provides a list of common ports used by QRadar SIEM,
services, and components. The information provided in this document contains the
assigned port number, descriptions, protocols, and the signaling direction for the
port.
Unless otherwise noted, all references to QRadar SIEM refer to QRadar SIEM,
IBM Security QRadar Log Manager, and IBM Security QRadar Network Anomaly
Detection.
This document includes the following topics:
QRadar SIEM
Common Ports
The following table provides the listening ports for QRadar SIEM. The ports listed
in this table are valid only when iptables is enabled on your QRadar SIEM system.
Table 1-1 Listening Ports Used by QRadar SIEM, Services, and Components
Port
Description
Protocol
Direction
Required for
22
SSH
TCP
Remote management
access
Table 1-1 Listening Ports Used by QRadar SIEM, Services, and Components (continued)
Port
Description
Protocol
Direction
Required for
25
SMTP
TCP
37
80
111
Rdate (time)
Apache/https
Port mapper
135 and
DCOM
dynamically
allocated ports
above 1024
for RPC calls.
UDP/TCP
TCP
TCP/UDP
TCP
Communication and
downloads from the QRadar
Console to end-user
desktops
161
SNMP agent
UDP
Table 1-1 Listening Ports Used by QRadar SIEM, Services, and Components (continued)
Port
Description
Protocol
Direction
199
NetSNMP
TCP
443
Apache/https
TCP
514
Syslog
762
UDP
Required for
TCP port for the NetSNMP
daemon listening for
communications (v1, v2c, and
v3) from external log sources
Configuration downloads to
managed hosts from the
QRadar SIEM Console
Network File
TCP/UDP
System mount
daemon (mountd)
1514
Syslog-ng
TCP/UDP
2049
NFS
TCP
2055
NetFlow data
UDP
4333
Redirect port
TCP
5432
Postgres
TCP
6543
High Availability
heartbeat
TCP/UDP
Table 1-1 Listening Ports Used by QRadar SIEM, Services, and Components (continued)
Port
Description
Protocol
Direction
Required for
7676, 7677,
and four
randomly
bound ports
above 32000.
Messaging
connections
(IMQ)
TCP
Message queue
communications between
components on a managed
host.
7777 to 7782,
7790, 7791
TCP
7789
HA Distributed
Replicated Block
Device (DRBD)
TCP/UDP
7800
Apache Tomcat
TCP
7801
Apache Tomcat
TCP
7803
Apache Tomcat
TCP
8000
Event Collection
Service (ECS)
TCP
From the Event Collector to the Listening port for specific Event
Collect Service (ECS) events
QRadar SIEM Console
8005
Apache Tomcat
TCP
None
8009
Apache Tomcat
TCP
8080
Apache Tomcat
TCP
9995
NetFlow data
UDP
Table 1-1 Listening Ports Used by QRadar SIEM, Services, and Components (continued)
Port
Description
Protocol
Direction
Required for
10000
QRadar SIEM
TCP/UDP
23111
23333
Emulex Fibre
Channel
Web-Based
System
Administration
Interface
UDP
Management service
(elxmgmt)
32004
32005
Data flow
TCP
32006
Ariel queries
TCP
32009
Identity data
TCP
32010
Flow source
listening port
TCP
32011
32000-33999
TCP
Table 1-1 Listening Ports Used by QRadar SIEM, Services, and Components (continued)
Port
Description
Protocol
Direction
Required for
40799
PCAP data
TCP
SIEM
ICMP
All the ports listed in Table 1-1 can be tunneled, by encryption, through port 22 over
SSH.
Viewing Random
Port Associations
NOTE
Several ports allocate additional random port numbers for application services, for
example, Message Queues (IMQ). You can view additional port numbers using
telnet to connect to the localhost and look up the port number.
Random port associations are not static port numbers. If a service is restarted, the
ports generated for a service are reallocated and the service is provided with a
new set of port numbers.
To view randomly allocated ports, perform the following steps:
Step 1 Using SSH, log in to your QRadar SIEM Console, as the root user.
Login: root
Password: <password>
Step 2 Type the following command:
[imqvarhome=/opt/sun/mq/var,imqhome=/opt/sun/mq,sessionid=1067]
cluster_discovery tcp CLUSTER_DISCOVERY 55076
jmxrmi rmi JMX 0
[url=service:jmx:rmi://qradar.q1labs.inc/stub/rO0ABXNyAC5qYXZh]
admin tcp ADMIN 50825
jms tcp NORMAL 7677
cluster tcp CLUSTER 41771
Step 3 If no information is displayed, press the Enter key to terminate the connection.
Netstat is a command line tool used to determine which ports are in use on your
QRadar SIEM Console or managed host. The netstat command allows you to view
all listening and established ports on the system.
To use the netstat command, perform the following steps:
Step 1 Using SSH log in to your QRadar SIEM Console, as the root user.
Login: root
Password: <password>
Step 2 Type the following command:
netstat -nap
0
0
0
0
0
0
0
0
0.0.0.0:37
0.0.0.0:23333
127.0.0.1:199
0.0.0.0:1514
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
LISTEN
LISTEN
LISTEN
LISTEN
10163/xinetd
4615/elxhbamgrd
32116/snmpd
15522/syslog-ng
Step 3 To search for specific information from the netstat port list, type the following
command:
netstat -nap | grep <port>
Where <port> is the port number or search term for the netstat search.
For example:
NOTE
For more information on using the netstat command, type netstat ? for a list of
netstat options.
Notices
Trademarks
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte character set (DBCS) information,
contact the IBM Intellectual Property Department in your country or send inquiries,
in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
12
Trademarks
13
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at Copyright and
trademark information at http:\\www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.