IBM Security QRadar WinCollect User Guide (QNAD_71MR2_WinCollect_User_Guide)

Page Count: 72

IBM Security QRadar

WinCollect User Guide V7.2


Note: Before using this information and the product that it supports, read the information in “Notices and
Trademarks” on page 61.

© Copyright IBM Corp. 2011 All Rights Reserved US Government Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

ABOUT THIS GUIDE
Intended audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Technical documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Contacting customer support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Statement of good security practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1

WHAT’S NEW IN WINCOLLECT V7.2
Distributed WinCollect deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
64-bit installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Communication management port change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Automatic log source creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Updated installation process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Performance improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Agent installations on Windows XP systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Heart beats are no longer updated in the QRadar user interface . . . . . . . . . . . . . . . . 4
Stand-alone installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2

WINCOLLECT OVERVIEW
Distributed WinCollect agent installation process . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

3

INSTALLATION PREREQUISITES FOR WINCOLLECT
Distribution options for WinCollect agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Local collection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Remote Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Deployment considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Communication between WinCollect agents and QRadar Event Collectors . . . . . . . . 7
Hardware and software requirements for the WinCollect host. . . . . . . . . . . . . . . . . . . 8
Event per second rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Prerequisites for upgrading WinCollect agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

4

WINCOLLECT INSTALLATION
Installing the WinCollect agent RPM on QRadar . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Creating an authentication token for WinCollect agents . . . . . . . . . . . . . . . . . . . . . . 12
Installing the WinCollect agent on a WinCollect host. . . . . . . . . . . . . . . . . . . . . . . . . 13
Installing a WinCollect agent from the command-line interface . . . . . . . . . . . . . . . . . 15
Manually installing a WinCollect agent update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

5

POST INSTALLATION INSTRUCTIONS FOR WINCOLLECT AGENTS
WinCollect agent management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Manually adding a WinCollect Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Enabling or Disabling a WinCollect Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Deleting a WinCollect Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Destination management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Adding a destination to WinCollect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Deleting a destination from WinCollect . . . . . . . . . . . . . . . . . . . . . . 24
Schedule management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Configuration options for systems with restricted policies for domain controller
credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Local installations with no remote polling . . . . . . . . . . . . . . . . . . . . 26
Configuring access to the registry for remote polling . . . . . . . . . . . . . . 26
Configuring Windows event subscriptions for WinCollect agents . . . . . . . . . . 27

6

LOG SOURCES FOR WINCOLLECT AGENTS
Adding a log source to a WinCollect agent . . . . . . . . . . . . . . . . . . . . . 29
Configuration options for log sources that use WinCollect plug-ins . . . . . . . . 33
Microsoft DHCP log source configuration options . . . . . . . . . . . . . . . . . 33
Microsoft IAS log source configuration options . . . . . . . . . . . . . . . . . . 33
Microsoft ISA log source configuration options . . . . . . . . . . . . . . . . . . 34
File Forwarder log source configuration parameters . . . . . . . . . . . . . . . . 35
Microsoft IIS log source configuration options . . . . . . . . . . . . . . . . . . 36
Microsoft SQL log source configuration options . . . . . . . . . . . . . . . . . . 37
Adding multiple log sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

7

WINCOLLECT PLUG-IN REQUIREMENTS
Microsoft DHCP plug-in requirements . . . . . . . . . . . . . . . . . . . . . . . . . 42
Enabling DHCP event logs on your Microsoft Windows Server . . . . . . . . . . . . 42
Microsoft IAS and NPS plug-in requirements . . . . . . . . . . . . . . . . . . . . . 43
Configuring the Microsoft IAS plug-in for WinCollect . . . . . . . . . . . . . . . 43
Microsoft IAS or NPS server log formats . . . . . . . . . . . . . . . . . . . . . . 43
Microsoft IAS directory structure for event collection . . . . . . . . . . . . . . 43
Microsoft ISA plug-in requirements . . . . . . . . . . . . . . . . . . . . . . . . . 44
Configuring the Microsoft ISA plug-in . . . . . . . . . . . . . . . . . . . . . . . 44
Supported Microsoft ISA or TMG server log formats . . . . . . . . . . . . . . . . . 45
Microsoft ISA directory structure for event collection . . . . . . . . . . . . . . 46
File Forwarder plug-in requirements . . . . . . . . . . . . . . . . . . . . . . . . 46
Microsoft IIS plug-in requirements . . . . . . . . . . . . . . . . . . . . . . . . . 46
Microsoft IIS directory structure for event collection . . . . . . . . . . . . . . 47
Microsoft SQL Server plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

8

XPATH QUERIES
Enabling remote log management on a Windows operating system . . . . . . . . . . 49
Windows 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Windows 2008R2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Windows 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Creating a custom view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Adding an XPath log source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
XPath query examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Example: Monitor events for a specific user . . . . . . . . . . . . . . . . . . . . 54
Credential logon for Windows 2008 . . . . . . . . . . . . . . . . . . . . . . . . . 54

A

TROUBLESHOOTING A WINCOLLECT AGENT
Installation log examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Example: Missing authorization or Console IP address . . . . . . . . . . . . . . . . . . . . 58
Example: Installation stopped by user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Example: Installation file in use error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Troubleshooting device configuration issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Device Polling Overdue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

B

NOTICES AND TRADEMARKS
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

INDEX

ABOUT THIS GUIDE

The IBM Security QRadar WinCollect User Guide provides you with information for
how to install and configure WinCollect agents, and retrieve events from
Windows-based event sources.
The following IBM Security QRadar products support WinCollect:
• IBM Security QRadar SIEM
• IBM Security QRadar Log Manager

Intended audience

This guide is intended for the system administrator who is responsible for Windows
event sources or WinCollect agent installation and configuration in your QRadar
deployment or in your network. This guide assumes that you have QRadar
administrative access and a knowledge of your corporate network and networking
technologies.

Technical documentation

For information about how to access more technical documentation in the QRadar
products library, see Accessing IBM Security QRadar Documentation Technical
Note. (http://www.ibm.com/support/docview.wss?rs=0&uid=swg21614644)
To find IBM Security QRadar product documentation on the web, including all
translated documentation, access the IBM Knowledge Center
(http://www.ibm.com/support/knowledgecenter/SS42VS/welcome).

Contacting customer support

For information on contacting customer support, see the Support and Download
Technical Note.
(http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861)

Statement of good security practices

IT system security involves protecting systems and information through
prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered,
destroyed, misappropriated or misused or can result in damage to or misuse of
your systems, including for use in attacks on others. No IT system or product
should be considered completely secure and no single product, service or security
measure can be completely effective in preventing improper use or access. IBM
systems, products and services are designed to be part of a comprehensive
security approach, which will necessarily involve additional operational
procedures, and may require other systems, products or services to be most
effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR
SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

1

WHAT’S NEW IN WINCOLLECT V7.2

WinCollect v7.2 includes the following updates.

Distributed WinCollect deployment

Using a distributed deployment, you can configure WinCollect agents to
communicate with an Event Collector. The Event Collector then sends the data to
your QRadar Console. You can manage your distributed deployment by using the
QRadar user interface. To use this feature, your QRadar system must be updated
to v7.2.1 Patch 3 or later.

64-bit installation

For new installations, you can download the 32-bit or 64-bit WinCollect agent
installer, depending on the bit version of your Windows operating system. If
you are upgrading, the installer automatically detects the operating system
bit version when you install the WinCollect agent RPM.

Communication management port change

WinCollect now uses port 8413 for management communication.

Automatic log source creation

When you install the WinCollect agent on a WinCollect host, you can now configure
the agent to automatically create a log source in QRadar. This log source is
created when the agent first registers with QRadar. The log source collects the
configured Windows event log types from the Windows Server where the agent
was installed. This feature eliminates the need to set up a local log source for
each agent that is installed. Your QRadar system must be updated to v7.2.1
Patch 1 or later.


Updated installation process

When you install the WinCollect RPM, it now includes all of the WinCollect plug-ins.
You can configure the WinCollect agent installation to automatically create and
tune a QRadar log source.
You can also set the syslog status server, which is useful if you set up a
stand-alone installation.


Performance improvements

There are many performance improvements, including significant increases to
EPS rates for tuned agents, both for local and remote collection. There are also
improvements to the agent logging and statistical information. See Table 3-2.

Agent installations on Windows XP systems

Installing the WinCollect agent is supported on Windows XP. See Table 3-2.

Heartbeats are no longer updated in the QRadar user interface

Heartbeats are now sent as syslog messages, and the QRadar user interface for
WinCollect agents is no longer updated by them. You will see new syslog messages
for heartbeats that you did not see in previous releases.

Stand-alone installations

WinCollect agents can be installed in stand-alone mode. You can use an endpoint
management or software distribution product to manage the installation of your
stand-alone WinCollect agents.
For more information about how to install stand-alone WinCollect agents, consult
IBM Professional Services.

2

WINCOLLECT OVERVIEW

WinCollect is an agent that collects Microsoft Windows-based events from local or
remote Windows-based systems and sends them to IBM Security QRadar.
WinCollect collects events by running as a service on a Windows system. The
WinCollect agent can also collect events from other Windows servers where the
agent is not installed. WinCollect is centrally managed from the QRadar user
interface. Each WinCollect agent deployed in your network can collect events and
forward them to the QRadar Console or to an Event Collector by using syslog.

Distributed WinCollect agent installation process

You can configure multiple WinCollect agents to communicate with an Event
Collector that then sends the data to your QRadar Console. To install a distributed
WinCollect agent deployment, you must perform the following procedures:
1 Install the WinCollect agent RPM on your QRadar Console.
2 Create an authorization token for your WinCollect agents.
3 Create destinations for WinCollect events in your deployment.
4 Install the WinCollect agent on your WinCollect hosts and set the Configuration
  Console as the IP of your Event Collector.
5 Wait for QRadar to automatically discover your WinCollect agents.

3

INSTALLATION PREREQUISITES FOR WINCOLLECT

Before you can install WinCollect agents, you must verify your deployment meets
the installation requirements.

Distribution options for WinCollect agents

WinCollect agents can be distributed in a remote collection configuration or
installed on the local host. The following WinCollect collection methods are
available: local and remote.

Local collection

The WinCollect agent collects events only for the host on which it is installed. You
can use this collection method on a Windows host that is busy or has limited
resources, for example, domain controllers.

Remote Collection

The WinCollect agent is installed on a single host and collects events from multiple
Windows systems. Remote collection allows you to easily scale the number of
Windows log sources that you can monitor.

Deployment considerations

Use the following strategies to reduce the impact to system performance:
• To reduce the total number of agents, use remote collection where one agent
  monitors many endpoints.
• If you update a group of WinCollect agents, do it during off-peak operating
  hours.
• Deploy and manage the WinCollect agents in groups of 100 and monitor
  system performance for issues.

Communication between WinCollect agents and QRadar Event Collectors

Open ports are required for data communication between WinCollect agents and
the QRadar host, and between WinCollect agents and the hosts that they remotely
poll.
WinCollect agent communication to QRadar Console and Event Collectors
All WinCollect agents communicate with the QRadar Console and Event Collectors
to forward events to QRadar and request updated information.
You must ensure that firewalls between the QRadar Event Collectors and your
WinCollect agents allow traffic on the following ports:
• Port 8413 (management communication) is required for managing the
  WinCollect agents. Port 8413 is used for features such as the heartbeat and
  configuration updates. Traffic is always initiated from the WinCollect agent.
  This traffic is sent over TCP and communication is encrypted.
• Port 514 (syslog events) is used by the WinCollect agent to forward syslog
  events to QRadar. You can configure WinCollect log sources to provide events
  by using TCP or UDP. You can decide which transmission protocol is required
  for each WinCollect log source. Port 514 traffic is always initiated from the
  WinCollect agent.

WinCollect agents remotely polling Windows event sources
WinCollect agents that remotely poll other Windows operating systems for events
have extra port requirements.
The following ports are used when WinCollect agents remotely poll for
Windows-based events:

Table 3-1 Port usage for WinCollect remote polling

Protocol and port   Usage
TCP port 135        Microsoft Endpoint Mapper
UDP port 137        NetBIOS name service
UDP port 138        NetBIOS datagram service
TCP port 139        NetBIOS session service
TCP port 445        Microsoft Directory Services for file transfers that use
                    Windows share

Collecting events by polling remote Windows systems uses dynamic RPC. To use
dynamic RPC, you must allow inbound traffic on port 135 to the Windows system
that WinCollect polls for events. Port 135 is used for Endpoint Mapping by
Windows.
If you remotely poll any Windows operating system other than Windows Vista, you
might also need to allow ports in the range 1024 to 5000. On older versions of
Windows Firewall, for example on Windows XP, you can configure Windows to
restrict this communication to specific ports. For more information, see your
Windows documentation.
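As an added example that is not part of the guide, the following Python script expands the port requirements above into a checklist and tests each TCP port from the prospective WinCollect host before the agent is installed; the host names in it are placeholders, and the UDP ports (137, 138, and syslog over UDP 514) are only listed because a plain connect cannot verify them.

```python
"""Pre-installation TCP reachability check for a WinCollect host.

Added example, not part of the guide. Run it on the machine that will host the
WinCollect agent: it tests the ports the guide requires towards QRadar
(8413 management, 514 syslog) and towards each remotely polled Windows host
(135 endpoint mapper, 139 NetBIOS session, 445 SMB). UDP ports cannot be
verified with a TCP connect, so they are listed but not tested. The dynamic
RPC range 1024-5000 is not probed either: the polled host picks that port at
run time, so it has to be allowed on the firewall as a range.
"""
import socket
from typing import Dict, List, Tuple

# (port, purpose) pairs taken from the guide's port requirements.
QRADAR_TCP_PORTS = [
    (8413, "management communication (heartbeat, configuration updates)"),
    (514, "syslog events over TCP"),
]
REMOTE_POLL_TCP_PORTS = [
    (135, "Microsoft Endpoint Mapper (dynamic RPC)"),
    (139, "NetBIOS session service"),
    (445, "Microsoft Directory Services / Windows share"),
]
REMOTE_POLL_UDP_PORTS = [
    (137, "NetBIOS name service"),
    (138, "NetBIOS datagram service"),
]

Check = Tuple[str, int, str]  # (host, port, purpose)


def required_checks(qradar_host: str, polled_hosts: List[str]) -> List[Check]:
    """Expand the port table into one (host, port, purpose) entry per
    connection the agent will have to open."""
    checks: List[Check] = [(qradar_host, p, why) for p, why in QRADAR_TCP_PORTS]
    for host in polled_hosts:
        checks.extend((host, p, why) for p, why in REMOTE_POLL_TCP_PORTS)
    return checks


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout.
    Refused, filtered (timed out) and unresolvable hosts all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(checks: List[Check], timeout: float = 2.0) -> Dict[Tuple[str, int], bool]:
    """Run every check and return {(host, port): reachable}."""
    return {(host, port): tcp_open(host, port, timeout) for host, port, _ in checks}


def failed(results: Dict[Tuple[str, int], bool]) -> List[Tuple[str, int]]:
    """The (host, port) pairs that must be opened before the agent is installed."""
    return sorted(key for key, ok in results.items() if not ok)


if __name__ == "__main__":
    # Placeholder hosts: replace with your QRadar Event Collector and the
    # Windows systems that this agent will poll remotely.
    polled = ["dc01.example.com", "fs01.example.com"]
    plan = required_checks("qradar-ec.example.com", polled)
    outcome = run_checks(plan)
    for host, port, why in plan:
        print(f"{'OK  ' if outcome[(host, port)] else 'FAIL'} {host}:{port}  {why}")
    for host in polled:
        for port, why in REMOTE_POLL_UDP_PORTS:
            print(f"SKIP {host}:{port}/udp  {why} (not testable with a TCP connect)")
    if failed(outcome):
        print("Open the failed ports on the intervening firewalls before installing.")
```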

Hardware and software requirements for the WinCollect host

The Windows system that hosts the WinCollect agent must meet the following
minimum requirements:

Table 3-2 WinCollect host hardware and software requirements

Requirement                     Description
Memory                          8 GB (2 GB reserved for the WinCollect agent)
Processing                      Intel Core 2 Duo processor 2.0 GHz
Disk space                      3 GB of available disk space for software and log
                                files. 6 GB might be required if events are stored
                                on a schedule.
Available processor resources   20%
Supported operating systems     • Windows Server 2003
                                • Windows Server 2008
                                • Windows Server 2008R2
                                • Windows Server 2012
                                • Windows 7
                                • Windows Vista
                                • Windows XP
Required user role permissions  Administrator
Distribution                    One WinCollect agent for each host.

To tune your installation to improve the performance of a single WinCollect agent,
contact IBM Professional Services.

Event per second rates

Before you install your WinCollect agents, it is important to understand the number
of events that can be collected by a WinCollect agent.
The event per second (EPS) rates in Table 3-3 represent a test network. This
information can help you determine the number of WinCollect agents that you
need to install on your network. WinCollect supports default EPS rates and also
supports tuning, which allows you to improve the performance of a single
WinCollect agent. You can tune local collection as part of the agent installation.
Improving the performance of existing installations and remote collection must be
done with the help of IBM Professional Services or IBM Customer Support.
Exceeding these EPS rates without tuning can cause you to experience
performance issues or event loss, especially on busy systems.
The following table describes the default EPS rate in our test environment:

Table 3-3 WinCollect test environment

Installation Type   Tuning    EPS      Log Sources   Total EPS
Local Collection    Default   250      1             250
Remote Collection   Default   5 - 10   500           2500
Local Collection    Tuned     5000     1             5000
Remote Collection   Tuned     varies   varies        2500+

Tuning an agent to increase the EPS rates for remote event collection is highly
dependent on your network, the number of log sources you assign to the agent,
and the number of events generated by each log source.
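As an added example that is not part of the guide, the following Python planner applies the default (untuned) figures from Table 3-3 to an inventory of hosts and their estimated event rates, assigns polled hosts to remote-collection agents without exceeding the per-agent limits, and flags hosts whose rate the default settings cannot carry; the inventory it runs on is constructed.

```python
"""Agent count planner built on the default (untuned) EPS figures in Table 3-3.

Added example, not part of the guide. Local collection: one agent per host at
250 EPS. Remote collection: 5 - 10 EPS per log source, 500 log sources and
2500 total EPS per agent. A host above these figures is flagged for tuning
(which the guide says needs IBM Professional Services or Customer Support)
rather than silently assigned, because exceeding the rates untuned can cause
event loss on busy systems.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LOCAL_DEFAULT_EPS = 250                 # Table 3-3, local collection, default
REMOTE_DEFAULT_EPS_PER_SOURCE = 10      # upper end of the 5 - 10 range
REMOTE_DEFAULT_SOURCES_PER_AGENT = 500
REMOTE_DEFAULT_TOTAL_EPS = 2500


@dataclass
class RemoteAgent:
    """One remote-collection agent and the log sources assigned to it."""
    hosts: List[str] = field(default_factory=list)
    eps: int = 0

    def fits(self, host_eps: int) -> bool:
        """Both per-agent limits from Table 3-3 must hold after adding the host."""
        return (len(self.hosts) < REMOTE_DEFAULT_SOURCES_PER_AGENT
                and self.eps + host_eps <= REMOTE_DEFAULT_TOTAL_EPS)

    def add(self, host: str, host_eps: int) -> None:
        self.hosts.append(host)
        self.eps += host_eps


def needs_local_tuning(host_eps: int) -> bool:
    """A locally collected host above the default rate needs a tuned agent."""
    return host_eps > LOCAL_DEFAULT_EPS


def plan_remote_collection(host_eps: Dict[str, int]) -> Tuple[List[RemoteAgent], List[str]]:
    """First-fit-decreasing assignment of polled hosts to remote agents.

    Returns (agents, needs_tuning). Hosts whose rate exceeds the per-source
    default are returned in needs_tuning instead of being assigned: collect
    them locally (the guide's advice for busy hosts such as domain
    controllers) or have the agent tuned.
    """
    agents: List[RemoteAgent] = []
    needs_tuning: List[str] = []
    for host, eps in sorted(host_eps.items(), key=lambda kv: (-kv[1], kv[0])):
        if eps > REMOTE_DEFAULT_EPS_PER_SOURCE:
            needs_tuning.append(host)
            continue
        for agent in agents:
            if agent.fits(eps):
                agent.add(host, eps)
                break
        else:
            agents.append(RemoteAgent([host], eps))
    return agents, needs_tuning


if __name__ == "__main__":
    # Constructed inventory: 300 member servers at about 10 EPS and two busy DCs.
    inventory = {f"srv{i:03d}": 10 for i in range(300)}
    inventory.update({"dc01": 200, "dc02": 300})
    agents, tune = plan_remote_collection(inventory)
    for n, agent in enumerate(agents, 1):
        print(f"remote agent {n}: {len(agent.hosts)} log sources, {agent.eps} EPS")
    for host in tune:
        mode = "tuned" if needs_local_tuning(inventory[host]) else "default"
        print(f"{host}: {inventory[host]} EPS exceeds the default per-source rate; "
              f"collect locally with a {mode} agent")
```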

Prerequisites for upgrading WinCollect agents

Before you upgrade WinCollect agents, ensure that the following conditions are
met:
1 If you are running QRadar V7.1 (MR2), ensure that WinCollect agent
  7.1.0-QRADAR-AGENT-WINCOLLECT-7.1-613263 is installed.
2 If you are running QRadar V7.2.0 or later, ensure that WinCollect agent
  7.2.0-QRADAR-AGENT-WINCOLLECT-7.2-613265 is installed.
You can confirm the version of the installed WinCollect agent by using one of the
following methods:
• In QRadar, select Help > About, then select the link "Additional Release
  Information".
• Use ssh to log in to the QRadar console, and run the following command:
  rpm -qa | grep -i AGENT-WINCOLLECT
Note: Before you install the new WinCollect agent, open the WinCollect panel in
the Admin tab, and ensure that all WinCollect agents are listed as version 7.1.2.
If you installed AGENT-WINCOLLECT-7.1-613263 or
AGENT-WINCOLLECT-7.2-613265, but one or more agents are still listed as
version 7.1.1, ensure that you wait for the V7.1.2 update to be replicated to the
agents.
Before you installed the WinCollect agent, the replication time setting was
specified by the Configuration Poll Interval in the WinCollect Agent Configuration
panel.

4

WINCOLLECT INSTALLATION

To install WinCollect on a Windows-based host, you must download and install a
WinCollect agent RPM on QRadar, create an authentication token, and then install
a WinCollect agent on a Windows-based host. Install the WinCollect agent on each
Windows-based host from which you want to collect events, or on the host that you
want to use for remote collection.
First-time installations require that you install both the WinCollect agent RPM and
the WinCollect agent executable (.exe).
Upgrades require that you install only the WinCollect agent RPM. If automatic
updates are enabled, the WinCollect agent RPM sends updates to all of the
WinCollect agents.

Installing the WinCollect agent RPM on QRadar

To use the QRadar user interface to manage a distributed deployment of
WinCollect agents, you must install the WinCollect agent RPM on your QRadar
Console. This RPM includes the protocol that is required for communication
between the QRadar system and the managed WinCollect hosts.
Procedure
Step 1 Download the WinCollect agent RPM file from the following website:
       http://www.ibm.com/support
Step 2 Copy the RPM to your QRadar system, and log in to QRadar as the root user.
Step 3 Type the following command:
       rpm -Uvh AGENT-WINCOLLECT--.noarch.rpm
Step 4 To install the protocol files, type the following command:
       yum groupinstall wincollect
Step 5 If you are prompted for configuration, type y.
Step 6 Log in to QRadar.
Step 7 On the Admin tab toolbar, select Advanced > Deploy Full Configuration.
Step 8 As the root user, run the following command: service tomcat restart


Creating an authentication token for WinCollect agents

Third-party or external applications that interact with QRadar require an
authentication token. Before you install WinCollect agents in your network, you
must create an authentication token. This authentication token is required for every
WinCollect agent you install.
About this task
In the Manage Authorized Services window, you must select a user role that you
want to use this authentication token. For most configurations, the All user role
can be selected. The Admin user role provides more privileges, which can create
a security concern.
The authentication token allows WinCollect agents to exchange data with QRadar
appliances. Create one authentication token for all of your WinCollect agents that
communicate events with your QRadar host. If the authentication token expires,
the WinCollect agent cannot receive log source configuration changes.
Procedure

Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the Authorized Services icon.
Step 4 Click Add Authorized Service.

In the Manage Authorized Services window, configure the parameters.
Table 4-4 Add Authorized Services parameters

Parameter      Description
Service Name   Type a name for this authorized service. The name can be up to 255
               characters in length. For example, WinCollect Agent.
User Role      From the list box, select a user role. Administrators can create a
               user role or assign a default user role to the authorization token.
               For most configurations, the All user role can be selected.
               Note: The Admin user role provides additional privileges, which can
               create a security concern and should not be used.
Expiry Date    Type or select an expiry date using the calendar provided.
               Alternately, select the No Expiry check box to indicate that you do
               not want the service token to expire. The Expiry Date field allows
               you to define a date when you want this service to expire. If the
               date defined expires, the service is no longer authorized and a new
               authorization token needs to be generated by an administrator. By
               default, the authorized service is valid for 30 days.

Step 5 Click Create Service.
Step 6 Record the generated authentication token value.

Installing the WinCollect agent on a WinCollect host

You can install the WinCollect agents on Windows-based hosts in your network.
The WinCollect agent collects Windows-based events and sends them to your
QRadar Console or QRadar Event Collector.
When you install WinCollect, you can now choose to have QRadar automatically
create a log source for the WinCollect agent host that is based on the agent
registration with QRadar. You can also specify a forwarding destination host for the
log source data. To use this feature, your QRadar system must be updated to
v7.2.1 Patch 1 or later.
Before you begin
Ensure that the following conditions are met:
• You created an authentication token for the WinCollect agent.
• You must add a WinCollect destination before you configure automatic log
  source creation. The WinCollect agent sends the Windows event logs to the
  configured destination. The destination can be the console or an Event
  Collector. See Adding a destination to WinCollect.
• If you want to automatically create a log source for this agent, you must know
  the name of the destination that you want to send your Windows log source to.
  See Adding a destination to WinCollect. If you do not remember the
  destination name, click Admin > Data Sources > WinCollect > Destinations.
• Hardware and software requirements for the WinCollect host.
• Communication between WinCollect agents and QRadar Event Collectors.

Procedure
Step 1 Download the WinCollect agent setup file from the following website:

http://www.ibm.com/support


Note: If the Services window is open on the Windows host, the WinCollect agent
installation fails.
Step 2 Right-click the WinCollect agent installation file and select Run as administrator.
Step 3 Follow the prompts in the installation wizard. The following table describes some of
       the parameters.

Table 4-5 WinCollect installation wizard parameters

Parameter               Description
Host Identifier         Type a name to identify the WinCollect agent to the QRadar
                        Console. You must use a unique identifier for each WinCollect
                        agent you install. The name you type in this field is displayed
                        in the WinCollect agent list of the QRadar Console.
Authentication Token    Type the authentication token you created in QRadar for the
                        WinCollect agent. For example,
                        af111ff6-4f30-11eb-11fb-1fc117711111
                        For more information on creating an authorization token for
                        WinCollect, see Creating an authentication token for WinCollect
                        agents.
Configuration console   Required for all installations, except stand-alone mode. Leave
                        blank for stand-alone mode installations. Type the IP address
                        or host name of your QRadar console. For example, 100.10.10.1
                        or hostname.
                        Note: This parameter is intended for the QRadar console only.
                        Do not specify an Event Collector or non-console appliance in
                        this field. To use an event collector as your configuration
                        console, your QRadar system must be updated to V7.2.1 Patch 3
                        or later.
Log Source Name         Required. The name can be up to 255 characters in length.
Log Source Identifier   Required if the Enable Automatic Log Source Creation checkbox
                        is selected. Identifies the remote device that the WinCollect
                        agent polls.
Event Logs              Select the Windows event logs that you want the log source to
                        collect and send to QRadar.
Target Destination      The WinCollect Destination must be configured in QRadar before
                        proceeding.
Advanced Tuning         Machine Poll Interval (msec) is the polling interval that
                        determines the number of milliseconds (msec) between queries
                        to the Windows host.
                        • Use a polling interval of 3500 when the WinCollect agent
                          collects events from computers that have a low event per
                          second rate, for example, collecting from 50 remote computers
                          that provide 20 events per second or less.
                        • Use a polling interval of 1000 when the WinCollect agent
                          collects events from a small number of remote computers that
                          have a high event per second rate, for example collecting
                          from 10 remote computers that provide 100 events per second
                          or less.
                        The minimum polling interval is 100 milliseconds (.1 seconds).
                        The default is 3000 milliseconds or 3 seconds.
Minimum number of logs  Consult IBM Customer Support prior to changing these values.
to process per pass
Maximum number of logs  Consult IBM Customer Support prior to changing these values.
to process per pass
If you want to enable automatic log source creation, your QRadar Console or
Event Collector must be installed with QRadar 7.2.1 Maintenance Release 1 Patch
1 or later.

Installing a WinCollect agent from the command-line interface

Use the command-line interface (CLI) to install a WinCollect agent on a host
without the installation wizard.
Command-line installations deploy WinCollect agents simultaneously to multiple
remote systems that use third-party products for remote or batch installations.
About this task
The WinCollect installer uses the following parameters:
Table 4-6 WinCollect installer parameters

/qn
    Runs the WinCollect agent installation without a user interface.


INSTALLDIR
    The installation directory for the WinCollect agent. Your directory name
    cannot include spaces, and quotation marks must enclose the directory
    path, for example, INSTALLDIR="C:\IBM\WinCollect\"

AUTHTOKEN=token
    Authorizes the WinCollect service, for example,
    AUTHTOKEN=af111ff6-4f30-11eb-11fb-1fc117711111

HOSTNAME=host name
    The identifiable name, IP address or host name for the WinCollect agent
    host. The at (@) symbol is not allowed in the host identifier field.

FULLCONSOLEADRESS=host_address
    The IP address or host name of your QRadar Console or Event Collector,
    for example, FULLCONSOLEADRESS=100.10.10.1. Your QRadar system must be
    updated to v7.2.1 Patch 3 or later if you want to configure the agent to
    use an Event Collector as its FULLCONSOLEADRESS.

LOG_SOURCE_AUTO_CREATION
    Enables automatic log source creation. If you enable this parameter, you
    must configure the log source parameters.
    This feature requires that your QRadar system be updated to v7.2.1
    Patch 1 or later.

LOG_SOURCE_AUTO_CREATION_PARAMETERS
    Defines the parameters that you want the log source creation process to
    use. Ensure that each parameter uses the format Parameter_Name=value.
    The parameters are separated with ampersands (&).
    This feature requires that your QRadar system be updated to v7.2.1
    Patch 1 or later.
    Log source creation uses the following parameters:

Component1.AgentDevice
    Required. Must be 'DeviceWindowsLog'

Component1.Action
    Required. Must be 'create'

Component1.LogSourceName
    Not required. The name of the log source that is created. The default is
    WindowsAuthServer @

Component1.LogSourceIdentifier
    Required. Must be the IP or hostname of the system that the agent is
    installed on

Component1.Destination.Name
    Required if Component1.Destination.Id is not set

Component1.CoalesceEvents
    Not required. True or False. For more information see the Log Sources
    User Guide.

Component1.StoreEventPayload
    Not required. True or False. For more information see the Log Sources
    User Guide.

Component1.Encoding
    Not required. The default character encoding is UTF-8.

Component1.Log.Application
    Required

Component1.Log.Security
    Required

Component1.Log.System
    Required

Component1.Log.DNS+Server
    Required

Component1.Log.Directory+Service
    Required

Component1.Log.File+Replication+Service
    Required

Procedure
Step 1 Download the WinCollect agent setup file from the following website:

http://www.ibm.com/support
Step 2 From the desktop, select Start > Run.
Step 3 Type the following command:

cmd
Step 4 Click OK.
Step 5 Navigate to the download directory that contains the WinCollect agent setup file.

Note: The Services window cannot be open on the Windows host or the
WinCollect agent installation fails.
Step 6 Type the following command:

AGENT-WinCollect-7.2.0.-setup.exe /s /v"/qn
INSTALLDIR="C:\IBM\WinCollect" AUTHTOKEN=token
FULLCONSOLEADRESS=host_address HOSTNAME=hostname
LOG_SOURCE_AUTO_CREATION=true|false
LOG_SOURCE_AUTO_CREATION_PARAMETERS="parameters"""

The following example shows an installation where the log source is automatically
created.
AGENT-WinCollect--setup.exe /s /v"/qn
INSTALLDIR="C:\IBM\WinCollect"
AUTHTOKEN=eb59386c-e098-49b8-ba40-d6fb46bfe7d1
FULLCONSOLEADDRESS=:8413 HOSTNAME=
LOG_SOURCE_AUTO_CREATION_ENABLED=True
LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=LSN2&Component1.LogSourceIdentifier=&Component1.Destination.Name=Dest1&Component1.CoalesceEvents=True&Component1.StoreEventPayload=True&Component1.Encoding=UTF-8&Component1.Log.Application=True&Component1.Log.Security=True&Component1.Log.System=True&Component1.Log.DNS+Server=False&Component1.Log.Directory+Service=False&Component1.Log.File+Replication+Service=False"""
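As an added example (not IBM's installer code and not code from this guide), the following Python script assembles the Step 6 command line and checks the LOG_SOURCE_AUTO_CREATION_PARAMETERS string against the rules in Table 4-6 before anything is run. The setup file name and the sample token come from the page; the host names and destination name are constructed placeholders. The script spells the console parameter FULLCONSOLEADRESS as Table 4-6 and Step 6 do, although the worked example on the page also writes FULLCONSOLEADDRESS, so confirm the spelling against your installer release before relying on it; the UUID-shaped token check is an assumption drawn from the two example tokens on the page.

```python
"""Build and check a WinCollect silent-install command line.

Added example (not IBM's installer code). It assumes the parameter names
and rules as given in Table 4-6 and Step 6: the log source creation
parameters are Name=value pairs joined by ampersands, AgentDevice must be
DeviceWindowsLog, Action must be create, a Destination Name or Id is
required, and the six Component1.Log.* flags are required.
"""
import re

REQUIRED_LOGS = (
    "Component1.Log.Application",
    "Component1.Log.Security",
    "Component1.Log.System",
    "Component1.Log.DNS+Server",
    "Component1.Log.Directory+Service",
    "Component1.Log.File+Replication+Service",
)
OPTIONAL_BOOLS = ("Component1.CoalesceEvents", "Component1.StoreEventPayload")
# Assumption: tokens look like the UUID-style examples on this page.
TOKEN_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def encode_params(params):
    """Join Name=value pairs with '&', the format Table 4-6 requires."""
    return "&".join(f"{name}={value}" for name, value in params.items())


def parse_params(text):
    """Inverse of encode_params: split on '&', then on the first '='."""
    result = {}
    for item in text.split("&"):
        if item:
            name, _, value = item.partition("=")
            result[name] = value
    return result


def validate_params(params):
    """Return the list of rule violations (an empty list means acceptable)."""
    problems = []
    if params.get("Component1.AgentDevice") != "DeviceWindowsLog":
        problems.append("Component1.AgentDevice must be DeviceWindowsLog")
    if params.get("Component1.Action") != "create":
        problems.append("Component1.Action must be create")
    if not params.get("Component1.LogSourceIdentifier"):
        problems.append("Component1.LogSourceIdentifier is required")
    if not (params.get("Component1.Destination.Name") or params.get("Component1.Destination.Id")):
        problems.append("Component1.Destination.Name or Component1.Destination.Id is required")
    for name in REQUIRED_LOGS:
        if params.get(name) not in ("True", "False"):
            problems.append(f"{name} is required and must be True or False")
    for name in OPTIONAL_BOOLS:
        if name in params and params[name] not in ("True", "False"):
            problems.append(f"{name} must be True or False")
    for name, value in params.items():
        # '&' and '=' are the separators, so they cannot appear inside a pair
        if "&" in name or "=" in name or "&" in value or "=" in value:
            problems.append(f"{name}: '&' and '=' are not allowed inside a name or value")
    return problems


def build_command(install_dir, auth_token, console, hostname, params=None,
                  setup_exe="AGENT-WinCollect-7.2.0.-setup.exe"):
    """Assemble the Step 6 command line; raises ValueError on a rule violation."""
    if " " in install_dir:
        raise ValueError("INSTALLDIR cannot contain spaces")
    if "@" in hostname:
        raise ValueError("HOSTNAME cannot contain the @ symbol")
    if not TOKEN_RE.match(auth_token):
        raise ValueError("AUTHTOKEN does not look like a QRadar authentication token")
    inner = [
        "/qn",
        f'INSTALLDIR="{install_dir}"',
        f"AUTHTOKEN={auth_token}",
        f"FULLCONSOLEADRESS={console}",   # spelled as in Table 4-6 and Step 6
        f"HOSTNAME={hostname}",
    ]
    if params is None:
        inner.append("LOG_SOURCE_AUTO_CREATION=false")
        return f'{setup_exe} /s /v"' + " ".join(inner) + '"'
    problems = validate_params(params)
    if problems:
        raise ValueError("; ".join(problems))
    inner.append("LOG_SOURCE_AUTO_CREATION=true")
    # the parameter string is wrapped in doubled quotes inside the /v"..." argument
    inner.append(f'LOG_SOURCE_AUTO_CREATION_PARAMETERS=""{encode_params(params)}""')
    return f'{setup_exe} /s /v"' + " ".join(inner) + '"'


# Constructed sample values; winagent01 and Dest1 are placeholders.
SAMPLE_PARAMS = {
    "Component1.AgentDevice": "DeviceWindowsLog",
    "Component1.Action": "create",
    "Component1.LogSourceName": "LSN2",
    "Component1.LogSourceIdentifier": "winagent01",
    "Component1.Destination.Name": "Dest1",
    "Component1.CoalesceEvents": "True",
    "Component1.StoreEventPayload": "True",
    "Component1.Encoding": "UTF-8",
    "Component1.Log.Application": "True",
    "Component1.Log.Security": "True",
    "Component1.Log.System": "True",
    "Component1.Log.DNS+Server": "False",
    "Component1.Log.Directory+Service": "False",
    "Component1.Log.File+Replication+Service": "False",
}


def example_command():
    """The auto-creation install from the page, rebuilt from SAMPLE_PARAMS."""
    return build_command("C:\\IBM\\WinCollect", "eb59386c-e098-49b8-ba40-d6fb46bfe7d1",
                         "100.10.10.1:8413", "winagent01", SAMPLE_PARAMS)


if __name__ == "__main__":
    print(example_command())
```

Checking the parameter string before the install matters because a /qn install has no user interface to report a rejected value; validate_params returns every violation at once so a batch deployment can be corrected in a single pass.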

The following example shows an installation where automatic log creation is not
used:
AGENT-WinCollect--setup.exe /s /v"/qn
INSTALLDIR="C:\IBM\WinCollect"
AUTHTOKEN=eb59386c-e098-49b8-ba40-d6fb46bfe7d1
FULLCONSOLEADDRESS=HOSTNAME=) symbol to add a destination to the schedule.
Step 11 Click Next.
Step 12 Click Finish.

POST INSTALLATION INSTRUCTIONS FOR WINCOLLECT AGENTS

Configuration options for systems with restricted policies for domain controller credentials

To collect events from remote systems without using domain administrator
credentials, alternative configuration options are available.
WinCollect requires credentials based on the type of collection that you are
attempting to use for your WinCollect log sources.
When WinCollect agents collect events from the local host, the event collection
service uses the Local System account credentials to collect and forward events.
Local collection requires that you install a WinCollect agent on a host where local
collection occurs.
Remote collection inside or across a Windows domain might require domain
administrator credentials to ensure that events can be collected. If your corporate
policies restrict the use of domain administrator credentials, you might be required
to complete more configuration steps for your WinCollect deployment.

Local installations with no remote polling

You can install WinCollect locally on each host that you cannot remotely poll.
After you install WinCollect, QRadar automatically discovers the agent and you
can create a WinCollect log source. You can specify to use the local system by
selecting the Local System check box in the log source configuration.
Local installations are suitable for domain controllers where the large event per
second (EPS) rates can limit the ability to remotely poll for events from these
systems. A local installation of a WinCollect agent provides scalability for busy
systems that send bursts of events when user activity is at peak levels.

Configuring access to the registry for remote polling

You can configure a local policy for your Windows systems to allow a WinCollect
log source to remotely poll for events.
Configure a user account or group with the Manage auditing and security logs
option in their Local Security Policy editor.
When a local policy is configured on each system that you want to remotely poll, a
single WinCollect agent uses the Windows Event Log API to read the remote
registry and retrieve event logs. The Windows Event Log API does not require
domain administrator credentials; however, the Event API method does require an
account that has access to the remote registry and to the security event log.
With this collection method, the log source can remotely read the full event log, but
requires WinCollect to parse the retrieved event log information from the remote
host against cached message content. WinCollect uses version information from
the remote operating system to ensure that the message content is correctly
parsed before it forwards the event to QRadar.


Procedure
Step 1 Log on to the Windows computer that you want to remotely poll for events.
Step 2 Select Start > Programs > Administrative Tools, and then click Local Security
Policy.
Step 3 From the navigation menu, select Local Policies > User Rights Assignment.
Step 4 Right-click on Manage auditing and security log and select Properties.
Step 5 From the Local Security Setting tab, click Add User or Group to add your
WinCollect user to the local security policy.
Step 6 Log off of the Windows host and try to poll the remote host for Windows-based
events that belong to your WinCollect log source.
If you cannot collect events for the WinCollect log source, verify that your group
policy does not override your local policy. You can also verify that the local firewall
settings on the Windows host allow remote event log management.
Configuring Windows event subscriptions for WinCollect agents

To provide events to a single WinCollect agent, you can use Microsoft event
subscriptions to forward the events from each Windows system to that agent. With
event subscriptions configured, numerous Windows hosts can forward their events
to QRadar without administrator credentials.
To use event subscriptions, you must do these tasks:
1 Configure event subscriptions on your Windows hosts.
2 Configure a log source on the WinCollect agent that receives the events. The
WinCollect log source must have the Local System check box and Forwarded
Events check box selected.
The events collected are defined by the configuration of the event subscription on
the remote host that sends the events. WinCollect forwards all of the events sent
by the subscription configuration, regardless of what event log check boxes are
selected for the log source.
Event subscriptions only apply to WinCollect agents and hosts that are configured
on the following Windows operating systems:
• Windows 8
• Windows 7
• Windows Server 2008 R2
• Windows Server 2012
• Windows Vista

For more information about event subscriptions, see your Microsoft documentation
or the following website: http://technet.microsoft.com/en-us/library/cc749183.aspx.

6 LOG SOURCES FOR WINCOLLECT AGENTS

A single WinCollect agent can manage and forward events from the local system
or remotely poll a number of Windows-based log sources and operating systems
for their events.
Log sources that communicate through a WinCollect agent can be added
individually. If the log sources contain similar configurations, you can
simultaneously add multiple log sources. A change to an individually added log
source updates only the individual log source. A change made to a group of log
sources updates all of the log sources in the log source group.

Adding a log source to a WinCollect agent

You can add a log source to a specific WinCollect agent in your deployment. When
you add a new log source to a WinCollect agent or edit the parameters of a log
source, the WinCollect service is restarted. The events are cached while the
WinCollect service restarts on the agent.
Before you begin
If you want to configure a log source that uses a WinCollect plug-in, you must read
the requirements and perform the necessary steps to prepare the third-party
device. For more information, see WinCollect plug-in requirements.
About this task
Use the Log Filter Type parameter to configure the log source to ignore events
that are filtered by log type. You can also configure WinCollect agents to ignore
events globally by ID code or log source. Exclusion filters for events are available
for the following log types:
• Security
• System
• Application
• DNS Server
• File Replication Service
• Directory Service
Global exclusions use the EventIDCode field from the event payload. To
determine the values that are excluded, source and ID exclusions use the
Source= field and the EventIDCode= field of the Windows event payload.
Separate multiple sources by using a semi-colon.
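The exclusion rules described above, worked through as an added Python example (not WinCollect's own filtering code). It assumes that a payload carries space-separated Name=value fields including Source= and EventIDCode=, as this section states; the payload lines are constructed for the example rather than captured from a host, and the rule inputs follow the text (semicolon-separated source list, ID codes).

```python
"""Apply WinCollect-style event exclusions to Windows event payloads.

Added example (not WinCollect's filter code). Assumes payloads carry
Name=value fields including Source= and EventIDCode=; the sample payloads
are constructed, and '+' stands in for spaces in the constructed Source
values so that the simple field regex can split them.
"""
import re

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_payload(line):
    """Extract Name=value fields from a payload line into a dict."""
    return dict(FIELD_RE.findall(line))


def parse_id_list(text):
    """'7036;7040' (semicolon, comma or space separated) -> {7036, 7040}."""
    return {int(tok) for tok in re.split(r"[;,\s]+", text.strip()) if tok}


def parse_source_list(text):
    """Semicolon-separated Source values, as the text prescribes -> list."""
    return [s.strip() for s in text.split(";") if s.strip()]


class ExclusionRules:
    """global_ids: EventIDCodes dropped whatever the Source.
    per_source: {Source: set of EventIDCodes} dropped only for that Source;
    an empty set drops every event from that Source."""

    def __init__(self, global_ids=(), per_source=None):
        self.global_ids = set(global_ids)
        self.per_source = {k: set(v) for k, v in (per_source or {}).items()}

    def is_excluded(self, fields):
        try:
            event_id = int(fields.get("EventIDCode", ""))
        except ValueError:
            return False  # no usable ID: keep the event rather than drop it silently
        if event_id in self.global_ids:
            return True
        ids = self.per_source.get(fields.get("Source", ""))
        if ids is None:
            return False
        return not ids or event_id in ids


def filter_events(lines, rules):
    """Split payload lines into (kept, dropped) according to the rules."""
    kept, dropped = [], []
    for line in lines:
        (dropped if rules.is_excluded(parse_payload(line)) else kept).append(line)
    return kept, dropped


# Constructed sample payloads (not captured from a real host).
SAMPLE_PAYLOADS = [
    "AgentDevice=WindowsLog AgentLogFile=Security Source=Microsoft-Windows-Security-Auditing "
    "Computer=dc01.example.test EventIDCode=4624 Message=An account was successfully logged on.",
    "AgentDevice=WindowsLog AgentLogFile=Security Source=Microsoft-Windows-Security-Auditing "
    "Computer=dc01.example.test EventIDCode=4672 Message=Special privileges assigned to new logon.",
    "AgentDevice=WindowsLog AgentLogFile=System Source=Service+Control+Manager "
    "Computer=dc01.example.test EventIDCode=7036 Message=The Print Spooler service entered the running state.",
    "AgentDevice=WindowsLog AgentLogFile=Application Source=MsiInstaller "
    "Computer=dc01.example.test EventIDCode=1033 Message=Windows Installer installed the product.",
]


def example_filter():
    """Drop service state-change noise globally and installer events by Source.

    Returns ([kept EventIDCodes], [dropped EventIDCodes])."""
    rules = ExclusionRules(
        global_ids=parse_id_list("7036"),
        per_source={src: parse_id_list("1033;1034") for src in parse_source_list("MsiInstaller")},
    )
    kept, dropped = filter_events(SAMPLE_PAYLOADS, rules)
    ids = lambda lines: [parse_payload(l)["EventIDCode"] for l in lines]
    return ids(kept), ids(dropped)


if __name__ == "__main__":
    print(example_filter())
```

Exclusions are a noise-reduction tool: a global rule applies to every log source on the agent, so review what it would suppress before deploying it (dropping authentication IDs such as 4624 or 4672 removes evidence QRadar rules depend on), and prefer a per-source rule when only one product's events are unwanted.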
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click Data Sources.
Step 3 Click the WinCollect icon.
Step 4 Click Agents.
Step 5 Select the WinCollect agent, and click Log Sources.
Step 6 Click Add.
Step 7 Choose one of the following options:
• For a WinCollect log source, select Microsoft Windows Security Event Log
  from the Log Source Type list and then select WinCollect from the Protocol
  Configuration list.
• If this log source uses a WinCollect plug-in, configure the plug-in specific
  parameters. For more information about these parameters, see Configuration
  options for log sources that use WinCollect plug-ins.

Step 8 Configure the common parameters.

The following table describes the common parameters:
Table C-1 WinCollect log source parameters

Log Source Identifier
    The IP address or host name of a remote Windows operating system from
    which you want to collect Windows-based events. The log source identifier
    must be unique for the log source type.
    The Log Source Identifier field in a WinCollect log source is used to
    poll events from remote sources.

Local System
    Disables remote collection of events for the log source. The log source
    uses local system credentials to collect and forward events to QRadar.

Domain
    The Windows domain that includes the Windows log source. This parameter
    is optional.
    The following examples use the correct syntax: LAB1,
    server1.mydomain.com
    The following example uses incorrect syntax: \\mydomain.com

Application or Service Log Type
    Optional. Used for XPath queries. Provides a specialized XPath query for
    products that write their events as part of the Windows application log.
    This allows you to separate Windows events from events that are
    classified to a log source for another product.


Log Filter Type
    Configures the WinCollect agent to ignore specific events from the
    Windows event log.

Forwarded Events
    Enables QRadar to collect events that are forwarded from remote Windows
    event sources that use subscriptions.
    Forwarded events that use event subscriptions are automatically
    discovered by the WinCollect agent and forwarded as if they are a syslog
    event source. When you configure event forwarding from your Windows
    system, enable event pre-rendering.

Event Types
    At least one event type must be selected.

Enable Active Directory Lookups
    If the WinCollect agent is in the same domain as the domain controller
    that is responsible for the Active Directory lookup, you can select this
    check box and leave the override domain and DNS parameters blank.

Override Domain Controller Name
    The IP address or host name of the domain controller that is responsible
    for the Active Directory lookup. Required when the domain controller
    that is responsible for Active Directory lookup is outside of the domain
    of the WinCollect agent.

Override DNS Domain Name
    The fully qualified domain name of the DNS server that is responsible
    for the Active Directory lookup.
    This example shows a fully qualified domain name: wincollect.com.

Remote Machine Poll Interval (ms)
    The number of milliseconds between queries that poll remote Windows
    hosts for new events. The higher the expected event rate, the more
    frequently the WinCollect agent needs to poll remote hosts for events.
    • Use 7500 when the WinCollect agent collects events from a large number
      of remote computers that have a low event per second rate, for example,
      100 remote computers that provide 10 events per second or less.
    • Use 3500 when the WinCollect agent collects events from a large number
      of remote computers that have a low event per second rate, for example,
      50 remote computers that provide 20 events per second or less.
    • Use 1000 when the WinCollect agent collects events from a small number
      of remote computers that have a high event per second rate, for
      example, 10 remote computers that provide 100 events per second or
      less.


XPath Query
    Structured XML expressions that you can use to retrieve customized
    events from the Windows security event log.
    If you specify an XPath Query to filter events, the check boxes that you
    selected from the Standard Log Type or Event Type are ignored and the
    events that QRadar collects use the contents of the XPath Query.
    To collect information by using an XPath Query, you might be required to
    enable Remote Event Log Management on Windows 2008. For more
    information, see XPath queries.
    Microsoft Server 2003 does not support XPath Queries for events.

Credibility
    The credibility indicates the integrity of an event or offense as
    determined by the credibility value from the source devices. Credibility
    increases if multiple sources report the same event.

Target Internal Destination
    Managed hosts with an event processor component in the Deployment Editor
    can be the target of an internal destination.

Target External Destination
    Forwards your events to one or more external destinations that you have
    configured in your destination list.

Coalescing Events
    Enables the log source to coalesce (bundle) events.
    By default, automatically discovered log sources inherit the value of
    the Coalescing Events list from the System Settings properties in
    QRadar. However, when you create or edit a log source, you can select
    the Coalescing Events check box to coalesce events for an individual log
    source.

Store Event Payload
    Enables the log source to store event payload information.
    By default, automatically discovered log sources inherit the value of
    the Store Event Payload list from the System Settings properties in
    QRadar. However, when you create or edit a log source, you can select
    the Store Event Payload check box to retain the event payload for an
    individual log source.

Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.

Configuration options for log sources that use WinCollect plug-ins

Each WinCollect plug-in has a unique set of configuration options. Use this
reference to configure the plug-in specific log source parameters.

Microsoft DHCP log source configuration options

The following table describes the log source configuration options for the Microsoft
DHCP plug-in:
Table C-2 Protocol parameters for WinCollect Microsoft DHCP

Log Source Type
    Microsoft DHCP

Protocol Configuration
    WinCollect Microsoft DHCP

Local System
    To collect local events, the WinCollect agent must be installed on the
    same host as your Microsoft DHCP Server. The log source uses local system
    credentials to collect and forward events to QRadar.

Folder Path
    The directory path to your DHCP event logs.
    • For a local directory path, use c:\WINDOWS\system32\dhcp
    • For a remote directory path, use \\DHCP IP address\c$\Windows\System32\dhcp

File Pattern
    Type the regular expression (regex) required to filter the filenames. All
    files that match the pattern are included in the processing. The default
    file pattern is .* and matches all files in the Folder Path field.

Microsoft IAS log source configuration options

The following table describes the log source configuration options for the Microsoft
IAS plug-in:
Table C-3 Protocol parameters for WinCollect Microsoft IAS

Log Source Type
    Microsoft IAS Server

Protocol Configuration
    WinCollect Microsoft IAS / NPS

Local System
    To collect local events, the WinCollect agent must be installed on the
    same host as your Microsoft IAS server. The log source uses local system
    credentials to collect and forward events to QRadar.

Root Directory
    The directory path to your IAS event logs.
    • For a local directory path, use %WINDIR%\System32\Logfiles
    • For a remote directory path, use \\\c$\Windows\System32\Logfiles


File Monitor Policy
    • Notification-based (local) uses the Windows file system notifications
      to detect changes to your event log.
    • Polling-based (remote) monitors changes to remote files and
      directories. The agent polls the remote event log and compares the file
      to the last polling interval. If the event log contains new events, the
      event log is retrieved.

Polling Interval
    The polling interval, which is the amount of time between queries to the
    root log directory for new events.

Microsoft ISA log source configuration options

The following table describes the log source configuration options for the Microsoft
ISA plug-in:
Table C-4 Protocol parameters for WinCollect Microsoft ISA

Log Source Type
    Microsoft ISA

Protocol Configuration
    WinCollect Microsoft ISA / Forefront TMG

Local System
    To collect local events, the WinCollect agent must be installed on the
    same host as your Microsoft ISA or Forefront TMG server. The log source
    uses local system credentials to collect and forward events to QRadar.


Root Directory
    The directory path to your ISA event logs.
    When you specify a remote file path, use a dollar sign ($) instead of a
    colon (:) to represent your drive name.
    Microsoft ISA 2004
    • For a local directory path, use \MicrosoftISAServer\ISALogs\
    • For a remote directory path, use \\\MicrosoftISAServer\ISALogs\
    Microsoft ISA 2006
    • For a local directory path, use %systemroot%\LogFiles\ISA\
    • For a remote directory path, use \\%systemroot%\LogFiles\ISA\
    Microsoft Threat Management Gateway
    • For a local directory path, use \\ISALogs\
    • For a remote directory path, use \\\\\ISALogs\

File Monitor Policy
    • Notification-based (local) uses the Windows file system notifications
      to detect changes to your event log.
    • Polling-based (remote) monitors changes to remote files and
      directories. The agent polls the remote event log and compares the file
      to the last polling interval. If the event log contains new events, the
      event log is retrieved.

Polling Interval
    The amount of time between queries to the root log directory for new
    events.

File Forwarder log source configuration parameters

The following table describes the log source configuration options for the File
Forwarder plug-in:
Table C-5 File Forwarder protocol parameters

Log Source Type
    Universal DSM

Protocol Configuration
    WinCollect File Forwarder

Local System
    Disables remote collection of events for the log source. The log source
    uses local system credentials to collect and forward events to QRadar.


Root Directory
    The location of the log files to forward to QRadar.
    If the WinCollect agent remotely polls for the file, the root log
    directory must specify both the server and the folder location for the
    log files. For example, \\server\sharedfolder\remotelogs\.

File Pattern
    The regular expression (regex) required to filter the file names. All
    matched files are included in the processing. The default file pattern
    is .* and matches all files in the Root Directory field.

Monitoring Algorithm
    • Continuous Monitoring is intended for file systems that append data
      to log files.
    • File Drop is used for the log files in the root log directory that
      are read one time, and then ignored in the future.

File Monitor Type
    • Notification-based (local) uses the Windows file system notifications
      to detect changes to your event log.
    • Polling-based (remote) monitors changes to remote files and
      directories. The agent polls the remote event log and compares the file
      to the last polling interval. If the event log contains new events, the
      event log is retrieved.

File Reader Type
    • Text (file held open) - The system that generates your event log
      continually leaves the file open to append events to the end of the
      file.
    • Text (file open when reading) - The system that generates your event
      log opens the event log from the last known position, and then writes
      events and closes the event log.
    • Memory Mapped Text (local only) - Select this option only when advised
      by Professional Services. This option is used when the system that
      generates your event log polls the end of the event log for changes.
      This option requires the Local System check box to be selected.
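To make the Monitoring Algorithm and File Monitor Type options concrete, the following Python class is an added example (not the File Forwarder plug-in's code) that simulates a polling-based monitor with the two monitoring algorithms from Table C-5. It assumes one read offset per file, that the File Pattern regex is matched against the whole file name, that a partially written last line is held back until the next poll, and that a file which shrinks under the same name has been rotated and is read again from the start; demo() exercises it against a temporary directory that it creates itself with constructed log lines.

```python
"""Simulate the File Forwarder monitoring options from Table C-5.

Added example, not WinCollect's implementation. A poll-based monitor keeps
one read offset per file: 'continuous' reads only the bytes appended since
the last poll, and 'filedrop' reads each matching file once and then
ignores it. File Pattern is a regex matched against the whole file name,
with the default '.*' as on the page.
"""
import os
import re
import tempfile


class FileMonitor:
    def __init__(self, root, file_pattern=".*", algorithm="continuous"):
        if algorithm not in ("continuous", "filedrop"):
            raise ValueError("algorithm must be 'continuous' or 'filedrop'")
        self.root = root
        self.pattern = re.compile(file_pattern)
        self.algorithm = algorithm
        self.offsets = {}       # file name -> bytes already forwarded
        self.completed = set()  # file drop: names already read once

    def _matching_files(self):
        return sorted(n for n in os.listdir(self.root)
                      if self.pattern.fullmatch(n)
                      and os.path.isfile(os.path.join(self.root, n)))

    def poll(self):
        """One polling pass; returns {file name: [new complete lines]}."""
        new_events = {}
        for name in self._matching_files():
            if self.algorithm == "filedrop":
                if name in self.completed:
                    continue            # read once, then ignored in the future
                self.completed.add(name)
                start = 0
            else:
                start = self.offsets.get(name, 0)
            path = os.path.join(self.root, name)
            if os.path.getsize(path) < start:
                start = 0               # truncated or rotated under the same name
            with open(path, "rb") as fh:
                fh.seek(start)
                data = fh.read()
            if self.algorithm == "continuous":
                data = data[:data.rfind(b"\n") + 1]   # hold back a partial last line
            self.offsets[name] = start + len(data)
            lines = [l.decode("utf-8", "replace") for l in data.splitlines() if l]
            if lines:
                new_events[name] = lines
        return new_events


def demo():
    """Constructed run in a temp directory; returns what each poll observed."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "app.log")
        with open(path, "w") as fh:
            fh.write("2024-01-01 10:00:00 service started\n")
        cont = FileMonitor(root, r".*\.log", "continuous")
        drop = FileMonitor(root, r".*\.log", "filedrop")
        out = {"first": (cont.poll(), drop.poll())}
        with open(path, "a") as fh:                 # append, last line incomplete
            fh.write("2024-01-01 10:00:05 logon by admin\nhalf a li")
        out["append"] = (cont.poll(), drop.poll())
        with open(path, "a") as fh:                 # writer finishes the line
            fh.write("ne\n")
        out["complete"] = cont.poll()
        with open(path, "w") as fh:                 # log rotated in place
            fh.write("2024-01-02 00:00:00 new day\n")
        out["truncate"] = cont.poll()
        return out


if __name__ == "__main__":
    for step, seen in demo().items():
        print(step, seen)
```

The partial-line hold-back is the detail that matters operationally: a poll that lands between a writer's two write calls would otherwise forward a half line as one event and its remainder as another, and the rotation check prevents the monitor from waiting forever on an offset past the end of a freshly rotated file.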

Microsoft IIS log source configuration options

The following table describes the log source configuration options for the Microsoft
IIS plug-in:
Table C-6 Protocol parameters for WinCollect Microsoft IIS

Log Source Type
    Microsoft IIS

Protocol Configuration
    WinCollect Microsoft IIS

Root Directory
    The directory path to your Microsoft IIS log files.
    • For Microsoft IIS 6.0 (full site), use %SystemRoot%\LogFiles
    • For Microsoft IIS 6.0 (individual site), use %SystemRoot%\LogFiles\site name
    • For Microsoft IIS 7.0-8.0 (full site), use %SystemDrive%\inetpub\logs\LogFiles
    • For Microsoft IIS 7.0-8.0 (individual site), use %SystemDrive%\inetpub\logs\LogFiles\site name

Polling Interval
    The amount of time between queries to the root log directory for new
    events.

Protocol Logs
    Specifies what items to collect from Microsoft IIS. Select one or more of
    the following options:
    • FTP
    • NNTP/News
    • SMTP/Mail
    • W3C

Microsoft SQL log source configuration options

The following table describes the log source configuration options for the Microsoft
SQL plug-in:
Table C-7 Protocol parameters for WinCollect Microsoft SQL

Log Source Type
    Microsoft SQL

Protocol Configuration
    WinCollect Microsoft SQL


Root Directory
    The directory path to your SQL event logs.
    Microsoft SQL 2000
    • For a local directory path, use C:\Program Files\Microsoft SQL Server\Mssql\Log
    • For a remote directory path, use \\SQL IP address\c$\Program Files\Microsoft SQL Server\Mssql\Log
    Microsoft SQL 2005
    • For a local directory path, use c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\
    • For a remote directory path, use \\SQL IP address\c$\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\
    Microsoft SQL 2008
    • For a local directory path, use C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Log\
    • For a remote directory path, use \\SQL IP address\c$\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Log\
    Microsoft SQL 2008R2
    • For a local directory path, use C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log
    • For a remote directory path, use \\SQL IP address\c$\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log

Log File Name
    The name of the file that contains the SQL error log.

File Monitor Policy
    • Notification-based (local) uses the Windows file system notifications
      to detect changes to your event log.
    • Polling-based (remote) monitors changes to remote files and
      directories. The agent polls the remote event log and compares the file
      to the last polling interval. If the event log contains new events, the
      event log is retrieved.

Adding multiple log sources

You can add multiple log sources at one time to QRadar. The log sources must
share a common configuration protocol and be associated with the same
WinCollect agent.
You can upload a text file that contains a list of IP addresses or host names, run a
query against a domain controller to get a list of hosts, or manually input a list of IP
addresses or host names by typing them in one at a time.
Depending on the number of WinCollect log sources that you add at one time, it
can take time for the WinCollect agent to access and collect all Windows events from
the log source list.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click Data Sources.
Step 3 Click the WinCollect icon.
Step 4 Select the WinCollect agent, and click Log Sources.
Step 5 From the Bulk Actions menu, select Bulk Add.
Step 6 Configure values for your log sources.
Step 7 Select one of the following methods to bulk import log sources:
• Select the File Upload tab and then select a text file that contains the IP
  addresses or host names of the log sources that you want to add. The maximum
  number of log sources you can add is 500.
  The text file must contain one IP address or host name per line. Extra
  characters after an IP address, or host names longer than 255 characters,
  result in an error. As a result, a log source from the host list might not be
  added.
• Select the Domain Controller tab and then type the IP address and full domain
  name for the domain controller. To search a domain, you must add the domain,
  user name, and password for the log source before you poll the domain for
  hosts to add.
• Select the Manual tab and then type an IP address or host name to add to the
  host list. Click Add Host.

Step 8 Click Save.
Step 9 Click Continue.

The log sources are added to your WinCollect agent.
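An added Python check (not QRadar's own validation) for a host list before it is uploaded from the File Upload tab of the procedure above. It applies the rules stated there: one IP address or host name per line, 500 entries at most, and an error for extra characters after an address or a host name longer than 255 characters. The duplicate check and the RFC 1123 label syntax used to recognise a host name are this example's own additions, and the sample list is constructed.

```python
"""Check a bulk-add host list before uploading it to QRadar.

Added example, not QRadar's validation. Rules from the procedure: one IP
address or host name per line, at most 500 entries, and an error for a host
name longer than 255 characters or for extra characters after an address.
The duplicate check and the label syntax are this example's own choices.
"""
import ipaddress
import re

MAX_HOSTS = 500
MAX_HOSTNAME = 255
# RFC 1123 style label: alphanumerics and hyphens, no leading or trailing hyphen
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_ip(text):
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_hostname(text):
    """True for a dotted name of valid labels that is not just digits."""
    if not text or len(text) > MAX_HOSTNAME:
        return False
    labels = text.rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return False   # looks like a malformed IP address, not a host name
    return all(LABEL_RE.match(label) for label in labels)


def validate_host_list(text):
    """Return (hosts, errors): hosts in file order, errors as (line no, reason).

    Line number 0 is used for the whole-file 500-entry limit."""
    hosts, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        if is_ip(entry):
            pass
        elif len(entry) > MAX_HOSTNAME:
            errors.append((lineno, "host name longer than 255 characters"))
            continue
        elif is_hostname(entry):
            pass
        else:
            errors.append((lineno, f"extra or invalid characters: {entry!r}"))
            continue
        if entry.lower() in seen:
            errors.append((lineno, f"duplicate entry {entry}"))
            continue
        seen.add(entry.lower())
        hosts.append(entry)
    if len(hosts) > MAX_HOSTS:
        errors.append((0, f"{len(hosts)} hosts listed; the maximum is {MAX_HOSTS}"))
    return hosts, errors


# Constructed sample list: documentation addresses and placeholder names.
SAMPLE_LIST = """\
192.0.2.10
fileserver01.example.test
192.0.2.11 # finance DC
2001:db8::20
dc02.example.test:8413
300.1.1.1
192.0.2.10
""" + ("x" * 256) + "\n"


def example_validation():
    """Run the check over SAMPLE_LIST."""
    return validate_host_list(SAMPLE_LIST)


if __name__ == "__main__":
    hosts, errors = example_validation()
    print("accepted:", hosts)
    for lineno, reason in errors:
        print(f"line {lineno}: {reason}")
```

Running a check like this before the upload is cheaper than finding out afterwards which hosts were silently skipped; the comment, port suffix, malformed address and over-long name in the sample are each a line that the procedure says would produce an error.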

7 WINCOLLECT PLUG-IN REQUIREMENTS

Some log sources require a WinCollect plug-in to support communication between
your WinCollect agent and the Microsoft Windows servers. Each plug-in has a
unique set of requirements and instructions.
All plug-ins are available for download from the IBM support website
(https://www.ibm.com/support).
WinCollect plug-ins support the following server versions:
Table D-1 Supported server versions for WinCollect plug-ins

Microsoft DHCP
    Microsoft DHCP Server 2003
    Microsoft DHCP Server 2008
    Microsoft DHCP Server 2012

Microsoft IAS
    Windows 2003 operating systems with Microsoft IAS Server 2003 enabled
    Windows 2008 operating systems with Microsoft Network Policy Server 2008 enabled
    Windows 2012 operating systems with Microsoft Network Policy Server 2012 enabled

Microsoft ISA
    Microsoft ISA Server 2004
    Microsoft ISA Server 2006
    Microsoft Forefront Threat Management Gateway 2010

Microsoft IIS
    Microsoft IIS Server 6.0
    Microsoft IIS Server 7.0
    Microsoft IIS Server 7.5
    Microsoft IIS Server 8.0

Microsoft SQL
    Microsoft SQL Server 2000
    Microsoft SQL Server 2003
    Microsoft SQL Server 2008
    Microsoft SQL Server 2008R2


Microsoft DHCP plug-in requirements

WinCollect agents support local collection and remote polling for Microsoft DHCP
Server installations.
To remotely poll for Microsoft DHCP Server events, you must provide administrator
credentials or domain administrator credentials. If your network policy restricts the
use of administrator credentials, you can install a WinCollect agent on the same
host as your Microsoft DHCP Server. Local installations of WinCollect do not
require special credentials to forward DHCP events to QRadar.
The DHCP event logs that are monitored by WinCollect are defined by the
directory path you specify in your WinCollect DHCP log source.
WinCollect evaluates the root log directory folder to automatically collect new
DHCP events that are written to the event log. As described in the following table,
DHCP event log file names start with Dhcp, contain a three-character day of the week
abbreviation, and end with .log. DHCP log files in the root log directory that match
either the IPv4 or the IPv6 DHCP log file name format are monitored for new events by the
WinCollect agent.

Table D-2 Example log format for Microsoft DHCP events

Log type   Example log file format
IPv4       DhcpSrvLog-Mon.log
IPv6       DhcpV6SrvLog-Wed.log

Log files that do not match the DHCP event log format are not parsed or forwarded
to QRadar.
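The file-name rule above and the records inside those files, as an added example that is not part of this guide or of the WinCollect DHCP plug-in: a Python script that applies the DhcpSrvLog/DhcpV6SrvLog naming test to file names from the root log directory and parses the comma-separated records that DHCP audit logging (enabled in the next procedure) writes. The sample log text is constructed, and the event-ID legend and column layout are assumptions based on Windows Server 2008 R2 DHCP audit logs rather than anything this guide states.

```python
import csv
import re

# File names the DHCP plug-in monitors: "Dhcp" or "DhcpV6", then "SrvLog-",
# a three-letter day abbreviation and ".log" (DhcpSrvLog-Mon.log,
# DhcpV6SrvLog-Wed.log). Anything else in the root log directory is ignored.
DHCP_LOG_NAME = re.compile(
    r"^Dhcp(?P<v6>V6)?SrvLog-(?P<day>Mon|Tue|Wed|Thu|Fri|Sat|Sun)\.log$",
    re.IGNORECASE,
)

# Meanings of the common audit-log event IDs, taken from the legend that the
# DHCP service writes at the top of each log file (assumption: only the
# lease-related IDs are listed here).
DHCP_EVENT_MEANING = {
    "00": "The log was started.",
    "01": "The log was stopped.",
    "10": "A new IP address was leased to a client.",
    "11": "A lease was renewed by a client.",
    "12": "A lease was released by a client.",
    "13": "An IP address was found to be in use on the network.",
    "14": "A lease request could not be satisfied because the scope's address pool was exhausted.",
    "15": "A lease was denied.",
}


def classify_log_file(name):
    """Return ("IPv4" | "IPv6", day) for a monitored DHCP log name, else None."""
    m = DHCP_LOG_NAME.match(name)
    if not m:
        return None
    return ("IPv6" if m.group("v6") else "IPv4", m.group("day").title())


def parse_dhcp_audit_log(text):
    """Parse the comma-separated records of a Microsoft DHCP audit log.

    The file opens with a human-readable legend; records start after the line
    that begins with "ID,Date,Time". Each record is returned as a dict keyed by
    the column names on that line, plus a "Meaning" entry for its event ID.
    """
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if line.startswith("ID,Date,Time")), None)
    if start is None:
        return []  # no column header: this is not a DHCP audit log
    reader = csv.reader(lines[start:])
    header = [h.strip() for h in next(reader)]
    records = []
    for row in reader:
        if not row:
            continue
        rec = {k: v.strip() for k, v in zip(header, row)}
        rec["Meaning"] = DHCP_EVENT_MEANING.get(rec.get("ID", ""), "Unknown event ID")
        records.append(rec)
    return records


def denied_or_conflicting(records):
    """Return (ID, IP Address, MAC Address) for denied leases and address conflicts."""
    return [
        (r["ID"], r["IP Address"], r["MAC Address"])
        for r in records
        if r["ID"] in ("13", "15")
    ]


# Constructed sample of a DhcpSrvLog-Mon.log file (not a real capture).
SAMPLE_DHCP_LOG = """\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcpv6SubnetPrefix,Dhcpv6Duid
00,03/18/13,00:00:02,Started,,,,,0,6,,,,
10,03/18/13,08:12:44,Assign,10.100.100.25,ws01.lab1.example,0019D1A2B3C4,,1611742,0,,,,
11,03/18/13,08:45:10,Renew,10.100.100.25,ws01.lab1.example,0019D1A2B3C4,,1611801,0,,,,
15,03/18/13,09:02:31,NACK,10.100.100.90,,001C42F0E1D2,,1612004,0,,,,
"""

if __name__ == "__main__":
    for name in ("DhcpSrvLog-Mon.log", "DhcpV6SrvLog-Wed.log", "DhcpSrvLog-Mon.log.bak"):
        print(name, "->", classify_log_file(name))
    events = parse_dhcp_audit_log(SAMPLE_DHCP_LOG)
    for e in events:
        print(e["ID"], e["Date"], e["Time"], e["Description"], e["IP Address"], e["Meaning"])
    print("denied or conflicting:", denied_or_conflicting(events))
```

The name test is case-insensitive because NTFS is, so a renamed copy such as DhcpSrvLog-Mon.log.bak is correctly left alone while dhcpsrvlog-fri.LOG is still picked up. Denied leases (ID 15) and address conflicts (ID 13) are the records worth alerting on: a burst of either from one MAC address is how a rogue client or a rogue DHCP server first shows up in these logs.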
Enabling DHCP event logs on your Microsoft Windows Server

To write DHCP events to a file for WinCollect, you must enable DHCP event logs
on your Microsoft Windows Server.
Procedure

Step 1 Log in to your Microsoft Windows Server.
Step 2 Click Control Panel > Administrative Tools > DHCP.
Step 3 Choose one of the following options:
• Windows Server 2003 - Right-click on your DHCP server and select Properties.
• Windows Server 2008R2 and above - Right-click on IPv4 or IPv6 and select
  Properties.

Step 4 Click the General tab.
Step 5 Click Enable DHCP Audit Logging.
Step 6 Click Apply.
Step 7 Click OK.


Windows 2008R2 servers enable the IPv4 and IPv6 DHCP audit logs independently. You
might be required to repeat this procedure to enable both IPv4 and IPv6 audit logs.

Microsoft IAS and NPS plug-in requirements

The Microsoft Internet Authentication Service (IAS) plug-in for WinCollect forwards
RADIUS and authentication, authorization, and accounting (AAA) events from
Microsoft IAS or Network Policy Server (NPS) systems to IBM Security QRadar.

Configuring the Microsoft IAS plug-in for WinCollect

WinCollect agents support local event collection and remote polling for Microsoft
IAS and NPS events that are logged to a file.
To configure a WinCollect plug-in for Microsoft IAS, do these steps:
1 On your Microsoft IAS or NPS server, configure the system to generate W3C event
  logs.
2 On your QRadar Console, install the WinCollect plug-in for the Microsoft IAS
  protocol.
3 On your QRadar Console, configure a WinCollect log source to collect event logs.
4 On your QRadar Console, verify that the events are forwarded from your
  WinCollect agent.
5 If you do not receive events or status messages, verify that the WinCollect agent
  can communicate by either TCP or UDP on port 514 to the QRadar Console or
  QRadar Event Collector.

Microsoft IAS or NPS server log formats

Microsoft IAS and NPS installations write RADIUS and authentication events to a
common log directory.
To collect these events with WinCollect, you must configure Microsoft IAS or
Microsoft NPS to write an event log file to a directory.
WinCollect supports the following event log formats:
• Data Transformation Service (DTS)
• Open Database Connectivity (ODBC)
• Internet Authentication Service (IAS)

Microsoft IAS directory structure for event collection

The event logs that are monitored by WinCollect are defined by the configuration
of the root directory in your log source.
When you specify a root log directory, you must point the WinCollect agent to the
folder that contains Microsoft IAS or NPS events. The root log directory is not
searched recursively, so event files in sub-directories are not collected.
To increase performance you can create a sub folder for your IAS and NPS event
logs. For example, you can create a directory similar to the following:
\Windows\System32\Logfiles\NPS. When you create a specific event folder,
the agent does not have to evaluate a large number of files to locate your event
logs.
If your system generates large amounts of IAS or NPS events, you can configure
your Windows system to create a new event log at daily intervals. Creating new
logs ensures that the agent does not have to search large logs for new events.
If your system generates large amounts of IAS or NPS events, you can configure
your Windows system to create a new event log at daily intervals. Creating new
logs ensures that the agent does not have to search large logs for new events.

Microsoft ISA plug-in requirements

The WinCollect plug-in for Microsoft Internet Security and Acceleration (ISA)
forwards network proxy and firewall events from Microsoft ISA or Microsoft
Forefront Threat Management Gateway (TMG) servers to IBM Security QRadar.

Configuring the Microsoft ISA plug-in

WinCollect agents support local event collection and remote polling for Microsoft
ISA and TMG events that are logged to a file.
To configure a WinCollect plug-in for Microsoft ISA, do these steps:
1 On your Microsoft ISA or TMG server, configure the system to generate W3C
  event logs.
2 On your QRadar Console, install the WinCollect plug-in for the Microsoft ISA
  protocol.
3 On your QRadar Console, configure a WinCollect log source to collect event logs.
4 On your QRadar Console, verify that the events are forwarded from your
  WinCollect agent.
5 If you do not receive events or status messages, verify that the WinCollect agent
  can communicate by either TCP or UDP on port 514 to the QRadar Console or
  QRadar Event Collector.


Supported Microsoft ISA or TMG server log formats


Microsoft ISA and Forefront Threat Management Gateway installations create
individual firewall and web proxy event logs in a common log directory. To collect
these events with WinCollect, you must configure your Microsoft ISA or Microsoft
TMG to write event logs to a log directory.
WinCollect supports the following event log formats:
• Web proxy logs in W3C format (w3c_web)
• Microsoft firewall service logs in W3C format (w3c_fws)
• Web proxy logs in ISA format (isa_web)
• Microsoft firewall service logs in ISA format (isa_fws)

The W3C event format is the preferred event log format. The W3C format contains
a standard header with the version information and all of the fields that are
expected in the event payload. You can customize the W3C event format for the
firewall service log and the web proxy log to include or exclude fields from the
event logs.
You can use the default W3C format fields. If the W3C format is customized, the
following fields are required to properly categorize events:
Table D-1 W3C format required fields

Required field                    Description
Client IP (c-ip)                  Source IP address
Action                            Action that is taken by the firewall
Destination IP (r-ip)             Destination IP address
Protocol (cs-protocol)            Application protocol name, for example, HTTP or FTP
Client user name (cs-username)    User account that made the data request of the firewall service
Client user name (username)       User account that made the data request of the web proxy service


Microsoft ISA directory structure for event collection

The event logs that are monitored by WinCollect are defined by the configuration
of the root directory in your log source.
WinCollect evaluates the directory folder and recursively searches the subfolders
of the root log directory to determine when new events are written to the event log.
By default, the WinCollect plug-in polls the root log directory for updated event logs
every five seconds.

File Forwarder plug-in requirements

With the WinCollect plug-in for File Forwarder, WinCollect agents can collect and
forward event logs for Windows appliances or software.
Use the plug-in to configure a root directory that the WinCollect agent can monitor
for Windows-based event log files.
After you configure your device, you can map your File Forwarder to a syslog
destination. WinCollect evaluates the root log directory to determine when file
changes occur.
The log files that are read by the plug-in must be text-based, single-line events.
Multi-line events are not supported. The File Forwarder plug-in requires a
Universal DSM to parse and categorize events.

Microsoft IIS plug-in requirements

With the WinCollect plug-in for Microsoft Internet Information Server (IIS),
WinCollect agents can parse local event logs from your Microsoft IIS server and
forward IIS events to IBM Security QRadar.
To collect Microsoft IIS events, a WinCollect agent must be installed on your
Microsoft IIS server. Remote polling for Microsoft IIS events is not supported by the
WinCollect plug-in for Microsoft IIS.
Microsoft Internet Information Services (IIS) includes a range of administrative
features for website management. You can monitor attempts to access your
websites to determine whether attempts were made to read or write to your files.
You can create a single Microsoft IIS log source to record events from your entire
website directory or individual websites.
The Microsoft IIS device plug-in can read and forward events for the following logs:
• Website (W3C) logs
• File Transfer Protocol (FTP) logs
• Simple Mail Transfer Protocol (SMTP) logs
• Network News Transfer Protocol (NNTP) logs


The WinCollect plug-in can monitor W3C, IIS, and NCSA formatted event logs.
However, the IIS and NCSA event formats do not contain as much event
information in their event payloads as the W3C event format. To collect the
maximum information that is available, you can configure your Microsoft IIS server
to write events in W3C format. WinCollect can collect both ASCII and UTF-8
encoded event log files.
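The ISA required-field table earlier in this chapter and the IIS W3C logs described above use the same W3C extended log layout: a #Fields: directive that names the columns, one space-separated record per line, and "-" for an empty value. The following Python script is an added example, not code from this guide or from the WinCollect plug-ins. It parses that layout, checks a customized ISA #Fields line for the fields the plug-in needs to categorize events, and picks out the denied or 4xx requests that a reviewer would look at first. The sample logs are constructed; the ISA column order is an assumption, and the IIS #Fields line is the IIS 7 default.

```python
# Fields the ISA plug-in needs in a customized #Fields line (from the guide's
# table): the user-name field is cs-username in firewall service logs and
# username in web proxy logs, so either one satisfies that requirement.
ISA_REQUIRED = ("c-ip", "action", "r-ip", "cs-protocol")
ISA_USER_FIELDS = ("cs-username", "username")


def parse_w3c(text):
    """Parse a W3C extended log file into (directives, fields, records).

    Lines that start with '#' are directives; '#Fields:' names the columns.
    Data lines are space-separated and '-' marks an empty value, which is
    returned as None. Lines whose column count does not match the header are
    counted in directives['_malformed'] instead of being silently mis-mapped.
    """
    directives, fields, records = {"_malformed": 0}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            directives[name.strip()] = value.strip()
            if name.strip() == "Fields":
                fields = value.split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            directives["_malformed"] += 1
            continue
        records.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return directives, fields, records


def missing_isa_fields(fields):
    """Return the required ISA fields that a customized #Fields line lacks."""
    present = set(fields)
    missing = [f for f in ISA_REQUIRED if f not in present]
    if not present.intersection(ISA_USER_FIELDS):
        missing.append("cs-username or username")
    return missing


def denied_requests(records):
    """Records the firewall denied, or that IIS answered with a 4xx status."""
    out = []
    for r in records:
        action = (r.get("action") or "").lower()
        status = r.get("sc-status") or ""
        if action in ("denied", "blocked") or status.startswith("4"):
            out.append(r)
    return out


# Constructed ISA firewall service log (not a real capture). Field names follow
# the guide's required-field table; the column order is an assumption. The last
# record is deliberately short to show how a malformed line is handled.
SAMPLE_ISA_FWS = """#Software: Microsoft(R) Internet Security and Acceleration Server 2006
#Version: 2.0
#Date: 2013-03-18 09:00:00
#Fields: date time c-ip cs-username r-ip r-port cs-protocol action
2013-03-18 09:00:01 10.100.100.25 LAB1\\alice 192.0.2.10 443 HTTPS Initiated
2013-03-18 09:00:07 10.100.100.90 - 192.0.2.10 445 SMB Denied
2013-03-18 09:00:09 10.100.100.90 - 192.0.2.10 445 SMB
"""

# Default IIS 7 W3C field set; the two requests are constructed.
SAMPLE_IIS = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-03-18 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-03-18 09:00:01 10.100.100.5 GET /index.htm - 80 - 10.100.100.25 Mozilla/5.0 200 0 0 15
2013-03-18 09:00:03 10.100.100.5 GET /admin/config.xml - 80 - 10.100.100.90 curl/7.29 401 2 5 3
"""

if __name__ == "__main__":
    d, f, recs = parse_w3c(SAMPLE_ISA_FWS)
    print("ISA firewall log:", len(recs), "records,", d["_malformed"], "malformed")
    print("missing required fields:", missing_isa_fields(f) or "none")
    for r in denied_requests(recs):
        print("  denied:", r["c-ip"], "->", r["r-ip"], r["cs-protocol"])
    d, f, recs = parse_w3c(SAMPLE_IIS)
    print("IIS log:", len(recs), "records; missing for ISA categorization:", missing_isa_fields(f))
    for r in denied_requests(recs):
        print("  4xx:", r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
```

Run missing_isa_fields against the #Fields line of a customized ISA log before you point a log source at it: a log that parses cleanly but lacks action, r-ip or cs-protocol will arrive in QRadar as events the plug-in cannot categorize, which is harder to notice than a parse failure.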
Microsoft IIS directory structure for event collection

WinCollect can monitor your entire IIS directory structure.
The sites and event logs that are monitored by WinCollect are defined by the
configuration of the root directory in your log source. When you specify a root log
directory, WinCollect evaluates the directory folder and all subfolders to determine
when new events are written to the event log. When you monitor the IIS root
website, WinCollect can use one log source to collect all of your IIS server events.
If you want to monitor individual websites, you must configure a log source for
each website in your directory. You can configure the log source for the individual
website to monitor the root log directory in your IIS directory structure.
By default, Microsoft IIS installations update event logs every 30 seconds.
Depending on the number of sites that you monitor, you might notice that your
WinCollect agent uses more resources during event log update intervals.

Microsoft SQL Server plug-in

You can use the WinCollect plug-in for Microsoft SQL Server to parse event logs
from the Microsoft SQL Server and forward the event information to IBM Security
QRadar.
The error log is a standard text file that contains SQL Server information and error
messages.
WinCollect monitors the SQL error log for new events and forwards the event to
QRadar. The error log can provide meaningful information to help you to
troubleshoot issues or alert you to potential or existing problems. The error log
output includes the time and date that the message was logged, the source of the
message, and the description of the message. If an error occurs, the log contains
the error message number and a description. Microsoft SQL Server retains
backups of the last six error log files.
WinCollect can collect SQL error log events. To collect Microsoft SQL Server audit
and authentication events, you can configure the Microsoft SQL Server DSM. For
more information, see the IBM Security QRadar DSM Configuration Guide.
WinCollect agents support local collection and remote polling for Microsoft SQL
Server installations. To remotely poll for Microsoft SQL Server events, you must
provide administrator credentials or domain administrator credentials. If your
network policy restricts the use of administrator credentials, you can install a
WinCollect agent on the same host as your Microsoft SQL Server. Local
installations of WinCollect do not require special credentials to forward SQL events
to QRadar.


8 XPATH QUERIES

An XPath query is a log source parameter that filters for specific events when the
log source queries a Windows 2008-based event log.
XPath queries use XML notation and are available in QRadar when you retrieve
events by using the WinCollect protocol. The most common method of creating an
XPath query is to use Microsoft Event Viewer to create a custom view. The custom
view that you create for specific events in Event Viewer can generate XPath
notations. You can then copy this generated XPath notation in your XPath query to
filter your incoming log source events for specific event data.
Note: To manually create your own XPath queries, you must be proficient with
XPath 1.0 and XPath queries.

Enabling remote log management on a Windows operating system

Enable remote log management only when your log source is configured to
remotely poll other Windows systems.

Windows 2008

You can enable remote log management on Windows Server 2008 for XPath
queries.

Local system log sources that use XPath queries do not require a remote log
management firewall exception for locally collected events.

Procedure
Step 1 On your desktop, select Start > Control Panel.
Step 2 Click the Security icon.
Step 3 Click Allow a program through Windows Firewall.
Step 4 If prompted by User Account Control, click Continue.
Step 5 From the Exceptions tab, select Remote Event Log Management.
Step 6 Click OK.


Windows 2008R2

You can enable remote log management on Windows Server 2008R2 for XPath
queries.
Procedure

Step 1 On your desktop, select Start > Control Panel.
Step 2 Click the Windows Firewall icon.
Step 3 From the menu, click Allow a program or feature through Windows Firewall.
Step 4 If prompted by User Account Control, click Continue.
Step 5 Click Change Settings.
Step 6 From the Allowed programs and features pane, select the Remote Event Log
Management check box.
This also selects a check box for a network type. Depending on your network, you
might need to correct or select additional network types.
Step 7 Click OK.

Windows 7

You can enable remote log management on Windows 7 for XPath queries.
Procedure

Step 1 On your desktop, select Start > Control Panel.
Step 2 Click the System and Security icon.
Step 3 From the Windows Firewall pane, click Allow a program through Windows
Firewall.
Step 4 If prompted by User Account Control, click Continue.
Step 5 Click Change Settings.
Step 6 From the Allowed programs and features pane, select the Remote Event Log
Management check box.
Depending on your network, you might need to correct or select additional network
types.
Step 7 Click OK.


Creating a custom view


Use the Microsoft Event Viewer to create custom views, which can filter events for
severity, source, category, keywords, or specific users.
WinCollect supports up to 10 selected event logs in the XPath query. Event IDs
that are suppressed do not contribute towards the limit.
WinCollect log sources can use XPath filters to capture specific events from your
logs. To create the XML markup for your XPath Query parameter, you must create
a custom view. You must log in as an administrator to use Microsoft Event Viewer.
XPath queries that use the WinCollect protocol do not support the TimeCreated
notation, so events cannot be filtered by a time range. Filtering events by a time
range can lead to errors in collecting events.
Procedure

Step 1 On your desktop, select Start > Run.
Step 2 Type the following command:

Eventvwr.msc
Step 3 Click OK.
Step 4 If you are prompted, type the administrator password and press Enter.
Step 5 On the Action menu, select Create Custom View.

When you create a custom view, do not select a time range from the Logged list.
The Logged list includes the TimeCreated element, which is not supported in
XPath queries for the WinCollect protocol.
Step 6 In Event Level, select the check boxes for the severity of events that you want to

include in your custom view.
Step 7 Select an event source.
Step 8 Type the event IDs to filter from the event or log source.
Use commas to separate IDs. For example, the following list contains an individual
ID and a range: 4133, 4511-4522.
Step 9 From the Task Category list, select the categories to filter from the event or log

source.
Step 10 From the Keywords list, select the keywords to filter from the event or log source.
Step 11 Type the user name to filter from the event or log source.
Step 12 Type the computer or computers to filter from the event or log source.
Step 13 Click the XML tab.
Step 14 Copy and paste the XML to the XPath Query field of your WinCollect log source

configuration.
Note: If you specify an XPath query for your log source, only the events that are
specified in the query are retrieved by the WinCollect protocol and forwarded to
QRadar. Check boxes that you select from the Standard Log Type or Event Type
are ignored by the log source configuration.
What to do next
Configure a log source with the XPath query.

Adding an XPath log source

You can create a log source that includes the XPath query from the Event Viewer.
Procedure

Step 1 Click the Admin tab.
Step 2 On the navigation menu, click Data Sources.
Step 3 Click the WinCollect icon.
Step 4 Click Agents.
Step 5 Select the WinCollect agent, and click Log Sources.
Step 6 Click Add.
Step 7 From the Log Source Type list, select Microsoft Windows Security Event Log.
Step 8 From the Protocol Configuration list, select WinCollect.
Step 9 Configure the parameters:

Table E-1 WinCollect log source parameters

Parameter                          Description

Log Source Identifier              The IP address or host name of a remote Windows
                                   operating system from which you want to collect
                                   Windows-based events. The log source identifier must
                                   be unique for the log source type.
                                   The Log Source Identifier field in a WinCollect log
                                   source is used for polling events from remote sources.
                                   This field is used in the same manner as the
                                   RemoteMachine field in the Adaptive Log Exporter.

Local System                       Disables remote collection of events for the log source.
                                   The log source uses local system credentials to collect
                                   and forward events to QRadar.

Domain                             The Windows domain that includes the Windows log
                                   source. This parameter is optional.
                                   The following examples use the correct syntax: LAB1,
                                   server1.mydomain.com
                                   The following example uses incorrect syntax:
                                   \\mydomain.com

Standard Log Types                 Clear all of the log type check boxes.
                                   The XPath query defines the log types for the log
                                   source.

Forwarded Events                   Clear this check box.

Event Types                        Clear this check box. The XPath query defines the log
                                   types for the log source.

Enable Active Directory Lookups    If the WinCollect agent is in the same domain as the
                                   domain controller that is responsible for the Active
                                   Directory lookup, you can select this check box and
                                   leave the override domain and DNS parameters blank.

Override Domain Controller Name    The IP address or host name of the domain controller
                                   that is responsible for the Active Directory lookup.
                                   Required when the domain controller that is responsible
                                   for Active Directory lookup is outside of the domain of
                                   the WinCollect agent.

Override DNS Domain Name           The fully qualified domain name of the DNS server that
                                   is responsible for the Active Directory lookup.
                                   For example, the following domain name uses the
                                   correct syntax: wincollect.com.

WinCollect Agent                   The WinCollect agent to manage this log source.

Remote Machine Poll Interval (ms)  The number of milliseconds between queries to the
                                   remote Windows host to poll for new events. The higher
                                   the expected event rate, the more frequently the
                                   WinCollect agent needs to poll remote hosts for events.
                                   • Use 7500 when the WinCollect agent collects events
                                     from a large number of remote computers that have
                                     a low event per second rate, for example, 100
                                     remote computers that provide 10 events per second
                                     or less.
                                   • Use 3500 when the WinCollect agent collects events
                                     from a large number of remote computers that have
                                     a low event per second rate, for example, 50 remote
                                     computers that provide 20 events per second or
                                     less.
                                   • Use 1000 when the WinCollect agent collects events
                                     from a small number of remote computers that have
                                     a high event per second rate, for example, 10
                                     remote computers that provide 100 events per
                                     second or less.

XPath Query                        The XPath query that you defined in Microsoft Event
                                   Viewer.
                                   To collect information by using an XPath query, you
                                   might be required to enable Remote Event Log
                                   Management on Windows 2008.
                                   Note: Windows Server 2003 does not support XPath
                                   queries for events.


Step 10 Click Save.
Step 11 On the Admin tab, click Deploy Changes.

XPath query examples

Use these XPath examples as a reference when you create XPath queries. For
more information about XPath queries, see your Microsoft documentation.

Example: Monitor events for a specific user

In this example, the query retrieves events from all Windows event logs for the
guest user.

Credential logon for Windows 2008


In this example, the query retrieves specific event IDs from the security log for
Information-level events that are associated with the account authentication in
Windows 2008.





Table E-1 Event IDs in this example

ID     Description
4776   The domain controller attempted to validate credentials for an account.
4777   The domain controller failed to validate credentials for an account.


In this example, the query examines event IDs to retrieve specific events for a user
account that is created on a fictional computer that contains a user password
database.
Table E-2 Event IDs in this example

ID     Description
4720   A user account was created.
4722   A user account was enabled.
4723   An attempt was made to change the password of an account.
4724   An attempt was made to reset the password of an account.
4725   A user account was disabled.
4726   A user account was deleted.
4741   A computer account was created.
4742   A computer account was changed.
4743   A computer account was deleted.
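As an added example that is not this guide's own XML and not WinCollect code, the Python script below builds the QueryList markup in the form Event Viewer writes for a custom view, using the event IDs from Tables E-1 and E-2, and checks the two WinCollect restrictions stated under "Creating a custom view": no TimeCreated (time range) filter and at most 10 selected event logs. The Level, EventID and TimeCreated clauses follow what Event Viewer generates; the TargetUserName clause used for the specific-user case is an assumption about how to express that filter, not something the guide shows.

```python
import xml.etree.ElementTree as ET

MAX_SELECTED_LOGS = 10  # WinCollect supports up to 10 selected event logs per query

# Level filters as Event Viewer writes them; "Information" also matches Level=0,
# which is what events with no level set report.
LEVEL_EXPR = {
    "Critical": "Level=1",
    "Error": "Level=2",
    "Warning": "Level=3",
    "Information": "(Level=4 or Level=0)",
    "Verbose": "Level=5",
}


def event_id_expr(event_ids):
    """Build the EventID clause from single IDs and (low, high) ranges, e.g.
    [4720, (4722, 4726)] -> "(EventID=4720 or (EventID >= 4722 and EventID <= 4726))"."""
    parts = []
    for item in event_ids:
        if isinstance(item, tuple):
            lo, hi = item
            parts.append(f"(EventID >= {lo} and EventID <= {hi})")
        else:
            parts.append(f"EventID={int(item)}")
    return "(" + " or ".join(parts) + ")"


def build_query_list(paths, event_ids=None, level=None, target_user=None, last_ms=None):
    """Return the <QueryList> XML that a custom view over the given logs produces.

    The System[] clauses (Level, EventID, TimeCreated) follow Event Viewer's
    own output. The target_user clause filters on the TargetUserName field of
    the event data and is an assumption made for the "specific user" example.
    """
    system = []
    if level:
        system.append(LEVEL_EXPR[level])
    if event_ids:
        system.append(event_id_expr(event_ids))
    if last_ms:  # what a "Logged: Last N hours" selection turns into
        system.append(f"TimeCreated[timediff(@SystemTime) <= {int(last_ms)}]")
    clauses = []
    if system:
        clauses.append("*[System[" + " and ".join(system) + "]]")
    if target_user:
        clauses.append(f"*[EventData[Data[@Name='TargetUserName']='{target_user}']]")
    expr = " and ".join(clauses) or "*"
    root = ET.Element("QueryList")
    query = ET.SubElement(root, "Query", Id="0", Path=paths[0])
    for path in paths:
        ET.SubElement(query, "Select", Path=path).text = expr
    return ET.tostring(root, encoding="unicode")


def wincollect_problems(xml_text):
    """List what makes a custom-view XML unusable as a WinCollect XPath Query."""
    root = ET.fromstring(xml_text)
    selects = list(root.iter("Select"))
    problems = []
    logs = {s.get("Path") for s in selects}
    if len(logs) > MAX_SELECTED_LOGS:
        problems.append(f"{len(logs)} event logs selected; WinCollect supports at most {MAX_SELECTED_LOGS}")
    if any("TimeCreated" in (s.text or "") for s in selects):
        problems.append("TimeCreated (time range) filter is not supported by the WinCollect protocol")
    return problems


if __name__ == "__main__":
    # Credential validation on a Windows 2008 domain controller (Table E-1).
    print(build_query_list(["Security"], [4776, 4777], level="Information"))
    # Account management events (Table E-2), using ranges where IDs are contiguous.
    print(build_query_list(["Security"], [4720, (4722, 4726), (4741, 4743)]))
    # Events for the Guest account across two logs.
    print(build_query_list(["Security", "System"], target_user="Guest"))
    # A view with a "Last 24 hours" time range is rejected for WinCollect.
    print(wincollect_problems(build_query_list(["Security"], [4624], last_ms=86400000)))
```

Paste the generated markup into the XPath Query field exactly as Event Viewer would produce it; the comparison operators come out as &gt;= and &lt;= because they sit inside XML text, which is also how Event Viewer's XML tab shows them. Run wincollect_problems on any view you export from a server whose custom views were built with a time range, since the Logged list adds the TimeCreated clause silently.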


A TROUBLESHOOTING A WINCOLLECT AGENT
Log files created by the WinCollect agent during configuration or installation
contain error messages and other valuable information. To determine the root cause
of your error, review the error logs.
The WinCollect agent creates an installation log file during the installation process
for both standard and command-line installations.
The Status parameter might indicate that there is an issue with a WinCollect
agent. The Status parameter is located in the WinCollect window in IBM Security
QRadar SIEM. The WinCollect agent might report the following statuses:
• Running indicates that the WinCollect agent is active on the Windows host.
• Stopped indicates that the WinCollect agent is stopped. If the WinCollect
  service is stopped, events from the log sources that are managed by the agent
  are not forwarded to the QRadar Console.
• Unavailable indicates that the WinCollect service that reports on the status of
  the WinCollect agent is stopped or restarted. The services can no longer report
  the agent status.
• No Communication from Agent indicates that the WinCollect agent has not
  established communication with the QRadar Console. If you manually added
  the WinCollect agent, verify that the Host Name parameter is correct. Also
  verify that firewalls in your deployment are not blocking communication
  between the WinCollect agent and the Event Collector or QRadar Console.

You can also view the installation log for error information about your WinCollect
agent installation.
Procedure
Step 1 Log in to the host of your WinCollect agent.
Step 2 On the desktop, select Start > Run.
Step 3 Type the following:
%TEMP%
Step 4 Click OK.
Windows Explorer displays the temporary directory.
Step 5 Open the WinCollect installation log from the temporary directory:
Setup Log <#00X>.txt
Step 6 Review the log file to determine the cause of the installation failure.


Installation log examples

The installation log captures the install process for WinCollect and includes
information about the installation failure. The information contained in the setup log
file is required to troubleshoot WinCollect installations with Customer Support.

Example: Missing authorization or Console IP address

The following text shows the error message generated when the AUTH_TOKEN or
CONFIG_CONSOLE_ADDRESS is missing from the command-line installation:
ERROR: Installation was aborted because only one of /AUTH_TOKEN
and /CONFIG_CONSOLE_ADDRESS were specified. Both must be
specified (for remote configuration management) or neither
specified (for stand-alone operation)

Example: Installation stopped by user

The following text shows the message generated when a standard installation is
stopped by the user:
Message box (Yes/No):
Setup is not complete. If you exit now, the program will not be
installed.
You may run Setup again at another time to complete the
installation.
Exit Setup?

Example: Installation file in use error

The WinCollect agent cannot be installed while the WinCollect service is running.
To avoid an installation issue, stop the WinCollect service before you attempt to
reinstall the WinCollect agent on your host. The following text shows the error
message when an installation file is in use:
Defaulting to Abort for suppressed message box
(Abort/Retry/Ignore):
C:\Program Files (x86)\WinCollect\bin\WinCollect.exe
An error occurred while trying to replace the existing file:
DeleteFile failed; code 5.
Access is denied.
Click Retry to try again, Ignore to skip this file (not
recommended), or Abort to cancel installation.


Troubleshooting device configuration issues


The WinCollect agent creates a device log that stores configuration information
and warnings about log sources that are configured for each WinCollect agent.
Each time the WinCollect service is restarted or the date changes, a new log is
created on the Windows host for the WinCollect agent. All device logs contain time
stamps to help you find the most recent log file.
The device log captures log source configuration information for WinCollect and
includes information about log source issues.
Procedure

Step 1 Log in to the host of your WinCollect agent.
Step 2 Navigate to the following directory on the WinCollect host:

C:\Program Files\IBM\WinCollect\logs\

On 64-bit operating systems, this file is in the following location:
C:\Program Files (x86)\WinCollect\IBM\logs\
Step 3 Open the following file:

WinCollect_Device.date identifier.txt

Device Polling Overdue

A warning message that indicates that device polling is overdue occurs when the
WinCollect agent is due to remotely collect events from a log source that it
manages, but the poll for that device is still waiting in the queue.
This warning message can occur when you add or edit a large number of remotely
collected log sources on a WinCollect agent. Each time that a log source is edited,
the service is restarted on the WinCollect agent and each log source is polled for
updated events. Log sources near the bottom of the list can be in the queue waiting
to be polled. If log sources are waiting to be polled, the following message is displayed
in the device log:
WARN Device.WindowsLog.EventLogMonitor.OnTimerExpired : Event
log 10.100.100.10 [\\10.100.100.10:Application] is seriously
overdue to be polled (interval 500 millisec, overdue = 45005
millisec).

This message indicates that the WinCollect agent is waiting to poll the remote log
source for events.
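As an added example (not WinCollect code), the Python script below scans device log lines for that warning, extracts the host, event log channel, poll interval and overdue time, converts the backlog into missed poll intervals, and lists the hosts that stay furthest behind. That figure is the one to compare against the Remote Machine Poll Interval you configured for the agent. The sample lines are constructed, and the timestamp prefix on each line is an assumption; the message text itself is the one shown above, on a single line as the file writes it.

```python
import re
from collections import defaultdict

# The WARN line as the WinCollect device log writes it (the guide shows the
# message wrapped over two lines; in the file it is a single line).
OVERDUE_RE = re.compile(
    r"WARN\s+Device\.WindowsLog\.EventLogMonitor\.OnTimerExpired\s*:\s*"
    r"Event log (?P<host>\S+) \[(?P<channel>[^\]]+)\] is seriously overdue to be polled "
    r"\(interval (?P<interval>\d+) millisec, overdue = (?P<overdue>\d+) millisec\)"
)


def parse_overdue_warnings(lines):
    """Return one dict per overdue warning: host, channel, interval_ms,
    overdue_ms and missed_polls (how many poll intervals the backlog spans)."""
    found = []
    for line in lines:
        m = OVERDUE_RE.search(line)
        if not m:
            continue
        interval, overdue = int(m.group("interval")), int(m.group("overdue"))
        found.append({
            "host": m.group("host"),
            "channel": m.group("channel"),
            "interval_ms": interval,
            "overdue_ms": overdue,
            "missed_polls": overdue // interval if interval else 0,
        })
    return found


def hosts_over_threshold(warnings, max_missed_polls=10):
    """Hosts whose worst backlog exceeds max_missed_polls, worst first.

    A few missed polls right after a service restart are expected; a host
    that stays tens of intervals behind points at an overloaded agent or a
    remote host that is slow to answer, and is where to start tuning."""
    worst = defaultdict(int)
    for w in warnings:
        worst[w["host"]] = max(worst[w["host"]], w["missed_polls"])
    return sorted(
        ((h, n) for h, n in worst.items() if n > max_missed_polls),
        key=lambda item: -item[1],
    )


# Constructed sample device log lines (the timestamp prefix is an assumption).
SAMPLE_DEVICE_LOG = [
    "2013-03-18 09:15:22 INFO Device.WindowsLog.EventLogMonitor.OnTimerExpired : Polling 10.100.100.10 [\\\\10.100.100.10:Security]",
    "2013-03-18 09:15:22 WARN Device.WindowsLog.EventLogMonitor.OnTimerExpired : Event log 10.100.100.10 [\\\\10.100.100.10:Application] is seriously overdue to be polled (interval 500 millisec, overdue = 45005 millisec).",
    "2013-03-18 09:15:23 WARN Device.WindowsLog.EventLogMonitor.OnTimerExpired : Event log 10.100.100.11 [\\\\10.100.100.11:Security] is seriously overdue to be polled (interval 3500 millisec, overdue = 7200 millisec).",
    "2013-03-18 09:15:23 WARN Device.WindowsLog.EventLogMonitor.OnTimerExpired : Event log 10.100.100.10 [\\\\10.100.100.10:System] is seriously overdue to be polled (interval 500 millisec, overdue = 12010 millisec).",
]

if __name__ == "__main__":
    warnings = parse_overdue_warnings(SAMPLE_DEVICE_LOG)
    for w in warnings:
        print(w["host"], w["channel"], "missed polls:", w["missed_polls"])
    print("hosts to look at first:", hosts_over_threshold(warnings))
```

In the sample, the 500 ms interval host is 90 polls behind on its Application log while the 3500 ms host is only two polls behind, which is the usual pattern when a single agent is given many remote sources with the 1000 ms setting from Table E-1: raising the interval, or splitting the sources across agents, clears the queue.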


B NOTICES AND TRADEMARKS

What’s in this appendix:
• Notices
• Trademarks

This section describes some important notices, trademarks, and compliance
information.

Notices

This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte character set (DBCS) information,
contact the IBM Intellectual Property Department in your country or send inquiries,
in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express
or implied warranties in certain transactions, therefore, this statement may not
apply to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those
Web sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes
appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of
enabling: (i) the exchange of information between independently created programs
and other programs (including this one) and (ii) the mutual use of the information
which has been exchanged, should contact:
IBM Corporation
170 Tracer Lane,
Waltham MA 02451, USA
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some
measurements may have been estimated through extrapolation. Actual results
may vary. Users of this document should verify the applicable data for their specific
environment.
Information concerning non-IBM products was obtained from the suppliers of those
products, their published announcements or other publicly available sources. IBM
has not tested those products and cannot confirm the accuracy of performance,
compatibility or any other claims related to non-IBM products. Questions on the
capabilities of non-IBM products should be addressed to the suppliers of those
products.
All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual
business enterprise is entirely coincidental.
If you are viewing this information softcopy, the photographs and color illustrations
may not appear.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at “Copyright and
trademark information” at www.ibm.com/legal/copytrade.shtml.
The following terms are trademarks or registered trademarks of other companies:
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.

INDEX

A
agent
    adding 21
    deleting 23
    disabling 22
    enabling 22
agent installations 7
audience 1
authorized services 12
authorizing WinCollect 12

B
bulk actions
    adding 38

C
collection type
    local 7
    remote 7
command line 11
credentials 26

D
deployment 7
destinations
    adding 23
    deleting 24
device log examples 59

E
EPS 8

F
file forwarder plug-in 46

H
host requirements 8

I
installation
    log examples 58
installing
    command-line installation 11
Internet Information Server (IIS) 43, 44, 46

L
log source
    adding 21, 29
    deleting 23
    enabling/disabling 22
    managing 25, 29

M
Microsoft IIS
    overview 43, 44
Microsoft IIS plug-in 43, 44, 46
Microsoft SQL plug-in 47

P
plug-ins
    file forwarder 46
    Microsoft IIS 43, 44, 46
    Microsoft SQL 47

R
remote polling credentials 26
remote polling interval 31, 53

S
schedules
    deleting 25
security practices statement 1

T
tested events per second 8
troubleshooting 59
    device polling overdue 59

W
WinCollect
    adding multiple sources 38
WinCollect credentials 26
WinCollect log source
    adding 29

X
XPath
    creating custom views 51
    remote event log management 49
XPath examples 54