IBM QRadar WinCollect User Guide V7.3.1 IBM Note Before using this information and the product that it supports, read the information in “Notices” on page 99. Product information © Copyright International Business Machines Corporation 2011, 2021. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents About this WinCollect User Guide...........................................................................v Chapter 1. WinCollect overview............................................................................. 1 What's new in WinCollect............................................................................................................................ 4 MSEVEN6 protocol....................................................................................................................................... 5 Chapter 2. Installation prerequisites for WinCollect............................................... 7 Communication between WinCollect agents and QRadar..........................................................................8 Enabling remote log management on Windows.................................................................................... 9 Hardware and software requirements for the WinCollect host................................................................10 Prerequisites for upgrading WinCollect agents.........................................................................................12 Chapter 3. WinCollect installations...................................................................... 15 Managed WinCollect installations............................................................................................................. 15 Installing and upgrading the WinCollect application on QRadar appliances..................................... 15 Creating an authentication token for WinCollect agents.....................................................................17 Adding multiple destinations to WinCollect agents............................................................................ 18 Migrating WinCollect agents after a QRadar hardware upgrade.........................................................18 Migrating from Adaptive Log Exporter to WinCollect.......................................................................... 19 Stand-alone WinCollect Installations....................................................................................................... 19 WinCollect Configuration Console overview........................................................................................20 Installing the configuration console.................................................................................................... 21 Silently installing, upgrading, and uninstalling WinCollect software..................................................22 Setting an XPath parameter during automated installation................................................................22 Installing the WinCollect agent on a Windows host................................................................................. 23 Installing a WinCollect agent from the command prompt....................................................................... 27 Uninstalling a WinCollect agent from the command prompt................................................................... 32 Uninstalling a WinCollect agent from the Control Panel...........................................................................33 Chapter 4. Configuring WinCollect agents after installation...................................35 Configuring managed WinCollect agents.................................................................................................. 35 Manually adding a WinCollect agent ...................................................................................................35 Deleting a WinCollect agent.................................................................................................................36 WinCollect destinations....................................................................................................................... 37 Adding custom entries to WinCollect status messages...................................................................... 40 Forwarded Events Identifier................................................................................................................ 40 Configuring stand-alone WinCollect agents with the Configuration Console.......................................... 41 Creating a WinCollect credential..........................................................................................................41 Adding a destination to the WinCollect Configuration Console.......................................................... 41 Configuring a destination with TLS in the WinCollect Configuration Console.................................... 42 Adding a device to the WinCollect Configuration Console.................................................................. 42 Sending encrypted events to QRadar.................................................................................................. 43 Increasing UDP payload size................................................................................................................43 Include milliseconds in Event Log timestamp.....................................................................................44 Collecting local Windows logs..............................................................................................................44 Collecting remote Windows logs..........................................................................................................44 Changing configuration with templates in a stand-alone deployment...............................................45 Restricted policies for domain controllers ............................................................................................... 49 Changing WinCollect configuration from the command line...............................................................50 Local installations with no remote polling...........................................................................................51 iii Configuring access to the registry for remote polling......................................................................... 52 Windows event subscriptions for WinCollect agents.......................................................................... 53 Chapter 5. Log sources for WinCollect agents....................................................... 57 Windows event logs................................................................................................................................... 57 Windows event log filtering..................................................................................................................57 Windows log source parameters......................................................................................................... 58 Applications and Services logs............................................................................................................ 64 Microsoft DHCP log source........................................................................................................................ 67 Microsoft Exchange Server log source...................................................................................................... 68 DNS debug log source configuration options............................................................................................69 Enabling DNS debugging on Windows Server..................................................................................... 70 Collecting DNS Analytic Logs by using XPath............................................................................................71 File Forwarder log source.......................................................................................................................... 71 Microsoft IAS log source............................................................................................................................74 WinCollect Microsoft IIS log source configuration options...................................................................... 75 Microsoft ISA log source............................................................................................................................77 Juniper Steel-Belted Radius log source configuration options................................................................ 79 Microsoft SQL log source........................................................................................................................... 79 NetApp Data ONTAP log source................................................................................................................ 81 Configuring a TLS log source..................................................................................................................... 82 Creating a TLS log source destination for managed agents................................................................86 Adding a log source to a WinCollect agent................................................................................................87 Bulk log sources for remote event collection............................................................................................87 Adding log sources in bulk for remote collection...............................................................................