IBM Support

WinCollect: Missing WinCollect events that are being received by tcpdump

Troubleshooting


Problem

When I search in QRadar, I do not see data returned in the user interface when I search for my log source in the Log Activity. What might cause this issue?

Cause

In QRadar, there are two log sources for WinCollect events:

1. The log source you create or have automatically created for you by the agent during installation for your Windows events.
2. An internal WinCollect DSM that parses the LEEF syslog status messages sent by the WinCollect agent. This log source is named WinCollect DSM - <Log Source Identifier>.

If the parsing order is incorrect in QRadar, the syslog events that contain your Windows data might be assigned to the internal WinCollect DSM instead of your Windows log source. When this parsing order issue occurs, searches for Log Source Type [Indexed] on your log source do not return the expected data, even though you can see the events arriving from the agent with tcpdump.
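To make the routing failure concrete, here is an added Python model of the parsing order; it is not IBM code and not QRadar's actual DSM matching logic. It assumes that both log sources share the same Log Source Identifier (the agent hostname, DESKTOP01 here), that an event goes to the first entry in the parsing order whose type accepts it, and that the sample syslog lines and the acceptance rules are constructed simplifications.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample syslog lines from one agent whose hostname, and therefore Log
# Source Identifier, is DESKTOP01. Payloads are simplified, not exact WinCollect formats.
SAMPLE_EVENTS = [
    "<13>Oct 15 17:26:31 DESKTOP01 AgentDevice=WindowsLog\tAgentLogFile=Security\tEventID=4624",
    "<13>Oct 15 17:26:32 DESKTOP01 LEEF:1.0|IBM|WinCollect|7.2|Status|msg=agent heartbeat",
    "<13>Oct 15 17:26:33 DESKTOP01 AgentDevice=WindowsLog\tAgentLogFile=Security\tEventID=4625",
]

@dataclass(frozen=True)
class LogSource:
    name: str
    log_source_type: str  # "WindowsAuthServer" or "WinCollect"
    identifier: str       # Log Source Identifier (agent hostname)

def event_host(line: str) -> str:
    """Hostname from a '<PRI>Mon DD HH:MM:SS HOST payload' syslog line."""
    m = re.match(r"<\d+>\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s", line)
    return m.group(1) if m else ""

def accepts(log_source_type: str, line: str) -> bool:
    # Assumed, simplified rules (not QRadar's real DSM logic): WindowsAuthServer
    # takes only Windows log payloads, while the internal WinCollect DSM takes any
    # syslog from its agent, so it swallows Windows events if it is ordered first.
    if log_source_type == "WindowsAuthServer":
        return "AgentDevice=WindowsLog" in line
    return log_source_type == "WinCollect"

def route(line: str, parsing_order: list[LogSource]) -> LogSource | None:
    """First log source in parsing order whose identifier and type match wins."""
    host = event_host(line)
    for ls in parsing_order:
        if ls.identifier == host and accepts(ls.log_source_type, line):
            return ls
    return None

def misrouted_windows_events(events: list[str], order: list[LogSource]) -> list[str]:
    """Windows events that landed on the internal WinCollect DSM (the symptom)."""
    return [e for e in events if "AgentDevice=WindowsLog" in e
            and (t := route(e, order)) is not None and t.log_source_type == "WinCollect"]

# The two parsing orders from the page: internal DSM first (wrong) and WindowsAuthServer first.
DESKTOP = LogSource("Desktop", "WindowsAuthServer", "DESKTOP01")
INTERNAL = LogSource("WinCollect DSM - DESKTOP01", "WinCollect", "DESKTOP01")
WRONG_ORDER = [INTERNAL, DESKTOP]
CORRECT_ORDER = [DESKTOP, INTERNAL]
```

With the internal DSM first, every Windows event is swallowed by it; once WindowsAuthServer is moved above it, the Windows events reach the Desktop log source and only the LEEF status message falls through to the WinCollect DSM.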

Resolving The Problem

Procedure
If you are not seeing events in the WinCollect agent Log Source, it could be a Parsing Order issue on the QRadar appliance that receives the Windows events from the agent. Parsing order issues can happen if another Log Source that can receive this type of event is configured either accidentally or by log source auto discovery. Administrators who cannot find their events, but have already verified they are received using tcpdump, can check the Parsing Order to ensure these events are not being directed to the wrong Log Source. The correct parsing order is to have the WindowsAuthServer above the WinCollect DSM, as shown in the screen capture.

  1. Open the Admin settings:
    a. In IBM Security QRadar V7.3.1, click the navigation menu ☰, and then click Admin to open the Admin tab.
    b. In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.

  2. Click Log Sources.
    Figure 1: Location of the Log Sources icon.

  3. Select the WinCollect log source from the user interface with your events and click Parsing Order.
    Figure 2: Opening the parsing order from the Log Sources screen allows you to filter to the specific Event Collector receiving your events.

  4. If the parsing order list displays both a Log Source Type for WindowsAuthServer and WinCollect, change the parsing order so that WindowsAuthServer is first.
    Figure 3: In this example, Desktop is the Microsoft Security Event Log Source whose Log Source Type is WindowsAuthServer, and it should be listed first in the parsing order. Any WinCollect DSM - <Log Source Identifier> entries should be lower in the parsing order.

  5. Click Save.

Results
The parsing order is updated and events that were being assigned to the internal WinCollect DSM should now be assigned to the correct log source. Administrators can create a Log Activity tab search for "Log Source Type [Indexed]" and select the log source to verify the data is coming in from the remote agent. Repeat this procedure for any log sources where you have verified the events are received, but they do not display under the assigned log source correctly.


Reference information
For instructions on how to use the tcpdump utility in QRadar, see: Using the command-line to troubleshoot a syslog event source.


Document Information

Modified date: 31 March 2020

UID: ibm10733767