101 (https://www.ibm.com/community/101/): a place for all users to find IBM Support resources for several products. Feed date: Thu, 19 Oct 2023 20:07:13 +0000.

Configurable Polling Start Time For Windows Events
https://www.ibm.com/community/101/2022/11/17/configurable-polling-start-time/
Thu, 17 Nov 2022 21:02:43 +0000

Greetings WinCollect Users!

Today, I just wanted to highlight and hopefully bring clarity to one of our most requested enhancement features: the ability to manually configure the polling start time for Windows Events.

Everyone on the WinCollect team is well aware that the range and breadth of our use cases and users spans from people who want a simple service that just forwards a single log source to power users who push the application beyond what we envisioned. So it would not surprise us if some of our more knowledgeable users have been using this feature since release, but many will be surprised to hear that it already exists in WinCollect: you get it simply by adding an XPath source. What do I mean by that? To begin, here are some knowledge articles on XPaths and their use in WinCollect to give you an idea of where I’m going with this:

XPaths in WinCollect 10
How to use Microsoft Event Viewer to create an XPath Query
How to Use XPath Queries with WinCollect to Suppress Specific Events

Hopefully that gives you a sense of the power of XPaths, which is certainly not limited to the specific use case I’m going to use as an example.

A forensic investigator would like to re-send 2 day old system events to their QRadar machine

To accomplish this, the forensic investigator can create an XPath like so:

Then add that source and send it to a destination as you normally would, and you’re done!

To confirm that it has finished, check the Log Viewer for log lines similar to the ones below. The source name depends on the name you used (for this example we used the name ‘XPath’), and the DEBUG line is only visible with the DEBUG log level turned on:

DEBUG Device.Source.Local.XPath : no events
INFO Device.Source.Worker.2 Done working on Source//Local//XPath

You will then get the expected events in QRadar, just as when running the query in Event Viewer. For this particular use case, the XPath source can be removed once all of the events have been sent and received in QRadar.

Here is an example of what it would look like in the UI:

Are there any other tips and tricks or other amazing things you’ve done with XPaths in WinCollect? The team would love to hear from our users. Let us know in the comments.

Agent Install with TLS Destination
https://www.ibm.com/community/101/2022/10/13/agent-install-with-tls-destination/
Thu, 13 Oct 2022 20:23:45 +0000

Hi everyone. Josh here again from the WinCollect development team.

In this blog post I’m going to show you how to install a WinCollect agent, using both the installer UI and the command line, so that it uses TLS syslog to send events to your QRadar deployment. In this example I’m going to use a self-signed syslog TLS certificate from one of my QRadar destinations in the lab. If you have your own CA-signed or publicly signed certificate, this example will still work.

To begin this process, we’re going to need to start with a machine that already has WinCollect installed. By default, a quick install of WinCollect will have a destination called “QRadar” defined. If you use the WinCollect configuration UI you can go to the Destinations section. Here we will need to change our destination to use TLS and copy in the certificate. To get the certificate, we need to go over to our QRadar destination and view the contents of the certificate. To do that we can use:

cat /opt/qradar/conf/trusted_certificates/syslog-tls.cert

Now we need to copy the full contents of the certificate, including the “Begin” and “End” lines, and paste it into the “TLS certificate” field in the WinCollect console UI. When we click save and then apply the changes to the agent, the agent converts the certificate into a string. This also allows us to use it in a script so that installing agents with TLS becomes easier.

Here is an example of what the converted string will look like in your AgentConfig file:

Now that we have this information, we can then start to piece together our installation script that will be used to install our new agents.

I’ve attached an installation script that you can use to help craft your own for your QRadar deployment. Looking at the example script, replace the contents of the “Certificate” field with the converted certificate for your destination. You will also need to change the IP address to the hostname of the QRadar appliance that serves as your WinCollect destination in both “Address” fields of the example; because of how SSL/TLS validation works, this value must match what is in the certificate.

Also note that in this example I’m only collecting Application, System and Security events. If you want to collect events from other channels or log files, you can add them to your script at this point as well. You can refer to our GitHub page, where we list some of the parameters you can add to your script.

Now that the file is ready, we can install the agent using one of two methods. The first is the agent installation wizard: select the “Advanced” install, then select advanced installation option 1, “Specify a configuration script file to execute immediately after the Agent is installed.” Browse to the path of your script, then click next to finish the installation. The second option is the command line: start an elevated command prompt and run the following command:

msiexec.exe /l*v WC_install.log /qb /i WinCollect-10.1.0-39.x64.msi INSTALLDIR="C:\Program Files\IBM\WinCollect\" WC_SCRIPT="C:\Users\testuser\Desktop\update_AgentwithTLSSyslog.xml"

Remember to change the path to where your script file is located on your system.

After running either of these two options, your agent is configured to use TLS syslog to send events to your QRadar deployment.

If you liked this and would like to see some other examples, please reach out and let us know.

WinCollect – Secondary Destination
https://www.ibm.com/community/101/2020/10/16/wincollect-secondary-destination/
Fri, 16 Oct 2020 15:38:21 +0000

Overview

This blog is going to show you how to set up a secondary destination in Stand-Alone WinCollect. A secondary destination can be used as a fail-over site when the primary destination goes down. If the Agent is unable to reach the primary destination for a predetermined time (the fail-over period), the Agent sends events to the secondary destination instead. The Agent keeps checking the primary connection and switches back when it is available again.

Use Case

The customer is replacing an existing QRadar event collector over an extended time frame and would like to send events to another collector while this is occurring.

The customer would like to setup a fail over destination to provide redundancy in the deployment as well as address a possible site failure.

Pre-requisites

WinCollect 7.3.0

Fresh Install

Sample cmd line install which collects Security, Application and System event logs, configured with a secondary destination:

c:\wincollect-7.3.0-24.x64.exe /s /v"/qn STATUSSERVER=172.18.X.X LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=EventLogLocal&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Dest.Name=QRadar&Component1.EventLogPollProtocol=MSEVEN6&Component1.Dest.Hostname=172.18.X.X&Component1.Dest.Port=514&Component1.Dest.Protocol=TCP&Component1.Secondary=172.18.X.X&Component1.Failover=1800&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=true&Component1.Log.ForwardedEvents=false&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=10000&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1825&Component1.EventRateTuningProfile=High+Event+Rate+Server&Component1.TimestampFormat=Milliseconds"""

Required Customer Modifications

STATUSSERVER=172.18.X.X
This is where the Agent status messages are going to be sent to (You don’t need this if you don’t want the status messages)
Component1.Dest.Hostname=172.18.X.X
This is the IP/Hostname of the QRadar Console/EC where you want to send the Syslog events. In this example, the destination is going to use TCP over port 514 (Component1.Dest.Port=514&Component1.Dest.Protocol=TCP)

Component1.Secondary=172.18.X.X
This is the IP/Hostname of the Secondary Destination to receive events if the primary destination fails

Component1.Failover=1800
The number of seconds that the primary destination must be unreachable before the agent begins sending events to the secondary destination.  The default is 30 minutes

Update Existing install using Template

Create Template

Create a template named service_DestinationManager.xml

<Service version="7.3.0.24" classification="Service" type="Service" module="WinCollectPlugin" name="DestinationManager">
    <InstanceData>
        <Instance name="QRadar">
            <Module order="1" service_name="StoreAndForwardStage">
                <Environment>
                    <Parameter value="1000000" name="QueueHighWaterMark" />
                    <Parameter value="750000" name="QueueLowWaterMark" />
                    <Parameter value="10" name="DataChunkPeriod" />
                    <Parameter value="500000" name="DataProcessingPeriod" />
                    <Parameter value="false" name="Schedule.Invert" />
                    <Parameter value="true" name="Schedule.Enable" />
                </Environment>
            </Module>
            <Module order="2" service_name="SimpleEventThrottle">
                <Environment>
                    <Parameter value="5000" name="EventThrottleInEPS" />
                </Environment>
            </Module>
            <Module order="3" service_name="SyslogHeaderStage">
                <Environment />
            </Module>
            <Module order="4" service_name="TCPSendStage">
                <Environment>
                    <Parameter value="172.18.X.X" name="TargetAddress" />
                    <Parameter value="172.18.X.X" name="Secondary" />
                    <Parameter value="1800" name="Failover" />
                    <Parameter value="514" name="TargetPort" />
                </Environment>
            </Module>
        </Instance>
    </InstanceData>
    <Environment />
</Service>

Required Customer Modifications

<Instance name="QRadar">

Make sure to change the name to match the name of the Destination that is being used in your deployment.

TargetAddress=172.18.X.X
This is the IP/Hostname of the QRadar Console/EC where you want to send the Syslog events. In this example, the destination is going to use TCP over port 514

Secondary=172.18.X.X
This is the IP/Hostname of the Secondary Destination to receive events if the primary destination fails

Failover=1800
The number of seconds that the primary destination must be unreachable before the agent begins sending events to the secondary destination.  The default is 30 minutes

Deploy Template

Now that you have the template file you can push this out to any agent where WinCollect 7.3.0-24 is installed in stand-alone mode.

Copy service_DestinationManager.xml to the \WinCollect\patch folder

The WinCollect Agent will check the patch folder every 3-5s and will see the template file, add the contents into the Agent-Config.xml and then restart WinCollect. You will now see an additional patch_checkpoint folder and a new Agent-Config in the \WinCollect\config folder.


WinCollect – Stand-Alone – Add devices/plugins without patch installer
https://www.ibm.com/community/101/2020/05/22/wincollect-stand-alone-add-devices-plugins-without-patch-installer/
Fri, 22 May 2020 13:52:21 +0000

Overview

This blog is going to show you how to deploy an additional “plug-in/service” in stand-alone mode without needing to install the patch installer on each server.

Templates

For some background on how templates work, see the following blog: Template Overview

Use Case

The customer would like to collect Windows DHCP Server logs using WinCollect in stand-alone mode. They would also like to keep the configuration generic so that it does not have to be changed for each server they install.

Pre-requisites

WinCollect 7.2.9 P1 (Build 96)

Install Agent

Sample cmd line install which collects Security, Application and System event logs:

c:\wincollect-7.2.9-96.x64.exe /s /v"/qn STATUSSERVER=172.18.X.X LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=EventLogLocal&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Dest.Name=QRadar&Component1.EventLogPollProtocol=MSEVEN6&Component1.Dest.Hostname=172.18.X.X&Component1.Dest.Port=514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=true&Component1.Log.ForwardedEvents=false&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=10000&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1825&Component1.EventRateTuningProfile=High+Event+Rate+Server&Component1.TimestampFormat=Milliseconds"""

Required Customer Modifications

STATUSSERVER=172.18.X.X
This is where the Agent status messages are going to be sent (you don’t need this if you don’t want the status messages)

Component1.Dest.Hostname=172.18.X.X
This is the IP/Hostname of the QRadar Console/EC where you want to send the Syslog events. In this example the destination is going to use TCP over port 514 (Component1.Dest.Port=514&Component1.Dest.Protocol=TCP)

Create Template with Payload Router and DHCP Service

NOTE: To get examples of what to use in the template, you will need to install the WinCollect Configuration Console via the patch installer. We recommend installing it on your laptop or on a test machine. The Configuration Console requires .NET 3.5.

Create DHCP log source in Configuration Console

Save and deploy the log source, then open Agent-Config.xml and locate the DHCP service:

<Service classification="Service" type="DeviceType" module="DeviceMicrosoftDHCP" name="DeviceMicrosoftDHCP" version="7.2.8.91">
    <InstanceData>
        <Instance enabled="true" name="LocalDHCP">
            <Environment>
                <Parameter value="Test" name="DeviceAddress" />
                <Parameter value="C:\Windows\System32\dhcp" name="RootDirectory" />
                <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy" />
                <Parameter value="5000" name="ThrottleTimeout" />
                <Parameter value="Test" name="RemoteMachine" />
                <Parameter value="true" name="Local.System" />
                <Parameter value="0" name="Login.Handle" />
            </Environment>
        </Instance>
    </InstanceData>
    <Environment />
</Service>

NOTE: Since we want to keep the configuration generic, I replaced the “Test” value for DeviceAddress and RemoteMachine with %computername%. The Configuration Console will not accept %computername% as a valid hostname, which is why the substitution is made directly in the XML.

We also need to tell the Agent where to send the events for this log source, so we bind the log source name to the destination name; this binding is configured in the PayloadRouter service. In this example we can see routes for both the event log and DHCP collection.

 

<Service classification="Service" type="Service" version="7.2.8.91" module="Routing" name="PayloadRouter">
    <Environment>
        <Parameter name="RouterThreads" value="3" />
        <Parameter name="QueueLowWaterMark" value="9975000" />
        <Parameter name="QueueHighWaterMark" value="10000000" />
        <Parameter name="StatisticsSweepPeriod" value="30" />
        <!-- Sample route config
        <Parameter name="AddRoute" value="{WindowsConfigName}{YourECNameGoesHere::TCP}"/>
        End Sample Route Config -->
        <Parameter value="{EventLogLocal}{QRadar}" name="AddRoute" />
        <Parameter value="{LocalDHCP}{QRadar}" name="AddRoute" />
    </Environment>
</Service>

NOTE: In the Agent install command, Component1.LogSourceName=EventLogLocal sets the name of the log source and Component1.Dest.Name=QRadar sets the name of the destination; these are the two names used in the route.

We need to combine both services into a template file, which in this instance we will name service_PayloadRouterDHCP.xml.

Example:

<Service classification="Service" type="Service" version="7.2.8.91" module="Routing" name="PayloadRouter">
    <Environment>
        <Parameter name="RouterThreads" value="3" />
        <Parameter name="QueueLowWaterMark" value="9975000" />
        <Parameter name="QueueHighWaterMark" value="10000000" />
        <Parameter name="StatisticsSweepPeriod" value="30" />
        <Parameter value="{LocalDHCP}{QRadar}" name="AddRoute" />
        <Parameter value="{EventLogLocal}{QRadar}" name="AddRoute" />
    </Environment>
</Service>
<Service classification="Service" type="DeviceType" module="DeviceMicrosoftDHCP" name="DeviceMicrosoftDHCP" version="7.2.8.91">
    <InstanceData>
        <Instance enabled="true" name="LocalDHCP">
            <Environment>
                <Parameter value="%computername%" name="DeviceAddress"/>
                <Parameter value="C:\Windows\System32\dhcp" name="RootDirectory"/>
                <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy"/>
                <Parameter value="5000" name="ThrottleTimeout"/>
                <Parameter value="%computername%" name="RemoteMachine"/>
                <Parameter value="true" name="Local.System"/>
                <Parameter value="0" name="Login.Handle"/>
            </Environment>
        </Instance>
    </InstanceData>
    <Environment/>
</Service>

Deploy Agent with DHCP Service


Now that you have the template file you can push this out to any agent where WinCollect 7.2.9-96 is installed in stand-alone mode.

Copy the service_PayloadRouterDHCP.xml to the \WinCollect\patch folder

The WinCollect Agent checks the patch folder every 3-5 s; it will see the template file, add its contents to Agent-Config.xml and then restart WinCollect. You will now see an additional patch_checkpoint folder and a new Agent-Config in the \WinCollect\config folder.

The agent will now start to collect DHCP logs. In the WinCollect log you should see the following:

 

10-30 09:12:40.680 INFO  Device.Service.WindowsDHCPDevice : Initializing Microsoft DHCP Device Service...
10-30 09:12:40.680 INFO  Device.Service.WindowsDHCPDevice : Microsoft DHCP Device Service: Overriding thread pool type with type AdaptiveThreadPool.
10-30 09:12:40.695 INFO  Device.Service.WindowsDHCPDevice : Started device instance LocalDHCP with credential handle 0
10-30 09:12:40.695 INFO  Device.Service.WindowsDHCPDevice : Microsoft DHCP Device Service initialized.
10-30 09:12:40.695 INFO  System.ComponentFactory : Service DeviceMicrosoftDHCP v7.2.9 initialized

It then starts monitoring the files:

10-30 09:12:40.711 INFO  Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Adding a file to monitor: C:\Windows\System32\dhcp\DhcpSrvLog-Tue.log
10-30 09:12:40.711 INFO  Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Opened file C:\Windows\System32\dhcp\DhcpSrvLog-Tue.log.
10-30 09:12:40.711 INFO  Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Adding a file to monitor: C:\Windows\System32\dhcp\dhcpv6srvlog-tue.log
10-30 09:12:40.711 INFO  Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Opened file C:\Windows\System32\dhcp\dhcpv6srvlog-tue.log.

Use Case #2

The customer would like to deploy DHCP and DNS Debug local log sources.

  • Install the Agent in stand-alone mode as described above.
  • Create a template file with the following content (I named it service_PayloadRouterDHCP_DNS.xml).
  • Copy service_PayloadRouterDHCP_DNS.xml to the \WinCollect\patch folder; the Agent will pick it up and apply the change.

<Service classification="Service" type="Service" version="7.2.9" module="Routing" name="PayloadRouter">
    <Environment>
        <Parameter name="RouterThreads" value="3" />
        <Parameter name="QueueLowWaterMark" value="9975000" />
        <Parameter name="QueueHighWaterMark" value="10000000" />
        <Parameter name="StatisticsSweepPeriod" value="30" />
        <Parameter name="AddRoute" value="{EventLog}{QRadar}" />
        <Parameter name="AddRoute" value="{DNS Debug Local}{QRadar}" />
        <Parameter name="AddRoute" value="{LocalDHCP}{QRadar}" />
    </Environment>
</Service>
<Service version="7.2.9" classification="Service" type="DeviceType" module="DeviceMicrosoftDNS" name="DeviceMicrosoftDNS">
    <Environment/>
    <InstanceData>
        <Instance enabled="true" name="DNS Debug Local">
            <Environment>
                <Parameter value="%computername%" name="DeviceAddress"/>
                <Parameter value="%computername%" name="RemoteMachine"/>
                <Parameter value="LazyUnicodeLogFile" name="FileReaderPolicy"/>
                <Parameter value="5000" name="ThrottleTimeout"/>
                <Parameter value=".*.log" name="FilenamePattern"/>
                <Parameter value="true" name="Local.System"/>
                <Parameter value="C:\dnsdebug" name="RootDirectory"/>
                <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy"/>
                <Parameter value="0" name="Login.Handle"/>
            </Environment>
        </Instance>
    </InstanceData>
</Service>
<Service version="7.2.9" classification="Service" type="DeviceType" module="DeviceMicrosoftDHCP" name="DeviceMicrosoftDHCP">
    <InstanceData>
        <Instance enabled="true" name="LocalDHCP">
            <Environment>
                <Parameter value="%computername%" name="DeviceAddress"/>
                <Parameter value="C:\Windows\System32\dhcp" name="RootDirectory"/>
                <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy"/>
                <Parameter value="5000" name="ThrottleTimeout"/>
                <Parameter value="%computername%" name="RemoteMachine"/>
                <Parameter value="true" name="Local.System"/>
                <Parameter value="0" name="Login.Handle"/>
            </Environment>
        </Instance>
    </InstanceData>
    <Environment/>
</Service>

 

Sample Templates

Sample XML to use for the templates can be gathered by adding different devices in the WinCollect Configuration Console. For example:

IIS

<Service version="7.2.9-96" classification="Service" type="DeviceType" module="DeviceMicrosoftIIS" name="DeviceMicrosoftIIS">
    <InstanceData>
        <Instance enabled="false" name="LocalIIS">
            <Environment>
                <Parameter value="%computername%" name="DeviceAddress" />
                <Parameter value="C:\inetpub\logs\LogFiles" name="RootDirectory" />
                <Parameter value="5000" name="ThrottleTimeout" />
                <Parameter value="true" name="Protocol.FTP" />
                <Parameter value="false" name="Protocol.NNTP" />
                <Parameter value="true" name="Protocol.SMTP" />
                <Parameter value="true" name="Protocol.W3C" />
                <Parameter value="%computername%" name="RemoteMachine" />
                <Parameter value="true" name="Local.System" />
                <Parameter value="0" name="Login.Handle" />
            </Environment>
        </Instance>
    </InstanceData>
    <Environment />
</Service>

Don’t forget to add the route into the payload router:

<Service classification="Service" type="Service" version="7.2.8.91" module="Routing" name="PayloadRouter">
    <Environment>
        <Parameter name="RouterThreads" value="3" />
        <Parameter name="QueueLowWaterMark" value="9975000" />
        <Parameter name="QueueHighWaterMark" value="10000000" />
        <Parameter name="StatisticsSweepPeriod" value="30" />
        <Parameter value="{LocalIIS}{QRadar}" name="AddRoute" />
        <Parameter value="{EventLogLocal}{QRadar}" name="AddRoute" />
    </Environment>
</Service>

File Forwarder Example with 2 “Log Sources”

<Service version="7.2.9-96" classification="Service" type="DeviceType" module="DeviceFileForwarder" name="DeviceFileForwarder">
    <Environment/>
    <InstanceData>
        <Instance enabled="true" name="FileForwarder Continuous - Local">
            <Environment>
                <Parameter value="%computername%" name="DeviceAddress"/>
                <Parameter value="%computername%" name="RemoteMachine"/>
                <Parameter value="LazyUnicodeLogFile" name="FileReaderPolicy"/>
                <Parameter value=".*.txt" name="FilenamePattern"/>
                <Parameter value="Continuous Monitoring" name="MonitoringAlgorithm"/>
                <Parameter value="true" name="Local.System"/>
                <Parameter value="5000" name="ThrottleTimeout"/>
                <Parameter value="true" name="ContinuousMonitor"/>
                <Parameter value="c:\LogFiles\Continuous" name="RootDirectory"/>
                <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy"/>
                <Parameter value="false" name="OnlyMonitorFilesCreatedToday"/>
                <Parameter value="ANSI" name="FileReaderEncoding"/>
                <Parameter value="0" name="Login.Handle"/>
            </Environment>
        </Instance>
        <Instance enabled="true" name="FileForwarder File Drop - Local">
            <Environment>
                <Parameter value="%computername%" name="DeviceAddress"/>
                <Parameter value="%computername%" name="RemoteMachine"/>
                <Parameter value="true" name="OnlyMonitorFilesCreatedToday"/>
                <Parameter value="LazyUnicodeLogFile" name="FileReaderPolicy"/>
                <Parameter value=".*.txt" name="FilenamePattern"/>
                <Parameter value="File Drop" name="MonitoringAlgorithm"/>
                <Parameter value="true" name="Local.System"/>
                <Parameter value="5000" name="ThrottleTimeout"/>
                <Parameter value="false" name="ContinuousMonitor"/>
                <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy"/>
                <Parameter value="ANSI" name="FileReaderEncoding"/>
                <Parameter value="c:\LogFiles\FileDrop" name="RootDirectory"/>
                <Parameter value="0" name="Login.Handle"/>
            </Environment>
        </Instance>
    </InstanceData>
</Service>
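The templates in this post and the DestinationManager template in the Secondary Destination post share a failure mode: a log source Instance whose name has no matching {LogSource}{Destination} AddRoute, a route that names a log source or destination that does not exist, or a Secondary address with no Failover period. The following Python check is an added example, not WinCollect's or IBM's code; it runs over a template file before it is dropped into the \WinCollect\patch folder, and the two sample templates it uses are constructed here rather than taken from the posts.

```python
"""Check a stand-alone WinCollect template before copying it to \\WinCollect\\patch.
Added example, not WinCollect code; see the lead-in for what it checks."""
import re
import xml.etree.ElementTree as ET

# AddRoute values have the form {LogSourceName}{DestinationName}
ROUTE_RE = re.compile(r"^\{([^{}]+)\}\{([^{}]+)\}$")


def parse_services(template_xml):
    """A template may hold several top-level <Service> elements with no common root."""
    root = ET.fromstring("<Templates>" + template_xml + "</Templates>")
    return root.findall("Service")


def parameters(element):
    """Map the <Parameter name=... value=...> children of element/Environment to a dict."""
    return {p.get("name"): p.get("value", "") for p in element.findall("Environment/Parameter")}


def check_template(template_xml, known_log_sources=(), known_destinations=()):
    """Return a list of problems; an empty list means the template is consistent.
    known_log_sources / known_destinations are names the agent already has, e.g.
    Component1.LogSourceName and Component1.Dest.Name from the install command."""
    template_sources, destinations = set(), set(known_destinations)
    routes, problems = [], []

    for svc in parse_services(template_xml):
        if svc.get("type") == "DeviceType":
            # Every Instance of a device service is a log source that needs a route.
            template_sources.update(i.get("name") for i in svc.iter("Instance"))
        elif svc.get("name") == "DestinationManager":
            for inst in svc.iter("Instance"):
                destinations.add(inst.get("name"))
                for module in inst.findall("Module"):
                    if module.get("service_name") != "TCPSendStage":
                        continue
                    params = parameters(module)
                    # A Secondary only takes over after Failover seconds, so it needs a number.
                    if "Secondary" in params and not params.get("Failover", "").isdigit():
                        problems.append(f"destination {inst.get('name')!r} sets Secondary but "
                                        f"Failover is not a number of seconds: {params.get('Failover')!r}")
        elif svc.get("name") == "PayloadRouter":
            routes.extend(p.get("value", "") for p in svc.findall("Environment/Parameter")
                          if p.get("name") == "AddRoute")

    all_sources = template_sources | set(known_log_sources)
    routed = set()
    for value in routes:
        match = ROUTE_RE.match(value)
        if not match:
            problems.append(f"malformed AddRoute value {value!r}")
            continue
        source, dest = match.groups()
        routed.add(source)
        if source not in all_sources:
            problems.append(f"route {value} names log source {source!r}, which is not defined")
        if dest not in destinations:
            problems.append(f"route {value} names destination {dest!r}, which is not defined")
    for name in sorted(template_sources - routed):
        problems.append(f"log source {name!r} has no AddRoute, so its events will not be sent")
    return problems


# Constructed sample in the style of the DHCP template above: the install command
# created log source "EventLogLocal" and destination "QRadar", but the router
# routes "EventLog" instead, and LocalDHCP has no route at all.
SAMPLE_TEMPLATE = """
<Service classification="Service" type="Service" version="7.2.9" module="Routing" name="PayloadRouter">
    <Environment>
        <Parameter name="AddRoute" value="{EventLog}{QRadar}" />
    </Environment>
</Service>
<Service version="7.2.9" classification="Service" type="DeviceType" module="DeviceMicrosoftDHCP" name="DeviceMicrosoftDHCP">
    <InstanceData>
        <Instance enabled="true" name="LocalDHCP">
            <Environment><Parameter value="C:\\Windows\\System32\\dhcp" name="RootDirectory"/></Environment>
        </Instance>
    </InstanceData>
</Service>
"""

# Constructed DestinationManager sample that sets a Secondary but forgets Failover.
SAMPLE_DESTINATION = """
<Service version="7.3.0.24" classification="Service" type="Service" module="WinCollectPlugin" name="DestinationManager">
    <InstanceData>
        <Instance name="QRadar">
            <Module order="4" service_name="TCPSendStage">
                <Environment>
                    <Parameter value="172.18.X.X" name="TargetAddress" />
                    <Parameter value="172.18.X.X" name="Secondary" />
                    <Parameter value="514" name="TargetPort" />
                </Environment>
            </Module>
        </Instance>
    </InstanceData>
</Service>
"""
```

Calling check_template(SAMPLE_TEMPLATE, ["EventLogLocal"], ["QRadar"]) reports the undefined "EventLog" route and the unrouted LocalDHCP source; check_template(SAMPLE_DESTINATION) reports the missing Failover.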

WinCollect – Setting QRadar Destination during Agent Installation
https://www.ibm.com/community/101/2019/06/11/wincollect-configure-local-collection-when-installing-agent/
Tue, 11 Jun 2019 17:20:43 +0000

Overview

When you install the WinCollect Agent you can configure it to collect Windows event logs. This can be done using the GUI install or the cmd line installation option. As part of this configuration you need to tell the Agent where to send the events it has collected. The process differs between Managed and Stand-Alone WinCollect.

Managed WinCollect

If you want to configure a QRadar “Log Source” as part of the Managed WinCollect Agent installation, the most important pre-requisite is to create a Destination in QRadar.  Without a pre-configured destination, the Agent will register but an associated log source will not be created.

QRadar Procedure
1. Click the Admin tab.
2. On the navigation menu, click Data Sources.
3. Click the WinCollect icon.
4. Click Destinations and then click Add.
5. Configure the parameters. (see WinCollect user guide).

The most important parameter to keep track of when you install is the Name.

This is the value that you will use for “Component1.Destination.Name” on the cmd line, or Target Destination in the UI installer.

In the following cmd line example the destination name is set to “EP”:

c:\wincollect-7.2.9-72.x64.exe /s /v"/qn AUTHTOKEN=304f1ec9-f9fd-465c-b1e2-5be0a487f431 STATUSSERVER=172.18.X.X HEARTBEAT_INTERVAL=123456 LOG_MONITOR_SOCKET_TYPE=TCP FULLCONSOLEADDRESS=172.18.X.X LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=%COMPUTERNAME%&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Destination.Name=EP&Component1.Log.Security=true&Component1.EventLogPollProtocol=MSEVEN6&Component1.Log.System=true&Component1.CoalesceEvents=true&Component1.StoreEventPayload=true&Component1.Log.Application=true&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=3000&Component1.EventRateTuningProfile=High+Event+Rate+Server"""

Stand-Alone WinCollect

For Stand-Alone installs the Agent is no longer dependent on QRadar, therefore you DO NOT need to create a destination in QRadar. The Component1.Destination.Name can be anything you want, but you will need to add the destination hostname (Component1.Dest.Hostname=172.18.X.X), the port to use (Component1.Dest.Port=514), and the transmission protocol (Component1.Dest.Protocol=TCP).

In the following example the events are sent to 172.18.X.X on port 514 over TCP:

c:\wincollect-7.2.9-72.x64.exe /s /v"/qn STATUSSERVER=172.18.X.X LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=EventLogLocal&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Dest.Name=QRadar&Component1.Dest.Hostname=172.18.X.X&Component1.Dest.Port=514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=true&Component1.Log.ForwardedEvents=false&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=3000&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1825&Component1.EventRateTuningProfile=High+Event+Rate+Server"""
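The two commands above differ only in how the destination is expressed, and the LOG_SOURCE_AUTO_CREATION_PARAMETERS value is easy to get subtly wrong (a space not written as “+”, a missing Dest.Port, the doubled-quote wrapping). The following Python is an added example, not WinCollect's own tooling: it builds that value from a dictionary, parses an existing one back for auditing, and checks the prerequisites each install type needs before assembling the full silent-install line. Parameter names are the ones in the commands above; the IP address and installer path are constructed placeholders.

```python
"""Build and check the LOG_SOURCE_AUTO_CREATION_PARAMETERS value for a
WinCollect silent install.

Added example, not WinCollect's own tooling. It relies only on what the
two installer commands above show: pairs joined with '&', spaces written
as '+', the whole value wrapped in doubled quotes inside /v"...".
Parameter names are the ones in those commands; the IPs and installer
path below are constructed placeholders."""

# Managed install: Destination.Name must name a Destination that already
# exists under Admin > Data Sources > WinCollect > Destinations.
MANAGED_REQUIRED = ("Component1.Destination.Name",)
# Stand-alone install: no QRadar destination object, so the target is
# given explicitly on the command line.
STANDALONE_REQUIRED = ("Component1.Dest.Name", "Component1.Dest.Hostname",
                       "Component1.Dest.Port", "Component1.Dest.Protocol")


def encode_value(value) -> str:
    """Render one value the way the installer command expects."""
    if isinstance(value, bool):
        return "true" if value else "false"
    text = str(value)
    if "&" in text or '"' in text:
        # Either character would end the pair list or the quoted argument.
        raise ValueError(f"value {text!r} cannot be passed on the command line")
    return text.replace(" ", "+")


def build_auto_creation_params(params: dict) -> str:
    """Join key=value pairs with '&'; keys with spaces use '+' as well."""
    return "&".join(f"{k.replace(' ', '+')}={encode_value(v)}"
                    for k, v in params.items())


def parse_auto_creation_params(text: str) -> dict:
    """Inverse of build_auto_creation_params, for auditing an existing command."""
    out = {}
    for pair in text.split("&"):
        key, _, value = pair.partition("=")
        out[key.replace("+", " ")] = value.replace("+", " ")
    return out


def check_params(params: dict, standalone: bool) -> list:
    """Return the problems found; an empty list means the prerequisites the
    post describes for that install type are present."""
    problems = []
    for key in (STANDALONE_REQUIRED if standalone else MANAGED_REQUIRED):
        if not params.get(key):
            problems.append(f"missing {key}")
    if params.get("Component1.Action") != "create":
        problems.append("Component1.Action must be 'create' for auto-creation")
    if standalone:
        proto = str(params.get("Component1.Dest.Protocol", ""))
        if proto.upper() not in ("TCP", "UDP"):
            problems.append(f"Component1.Dest.Protocol must be TCP or UDP, got {proto!r}")
        port = str(params.get("Component1.Dest.Port", ""))
        if not port.isdigit() or not 0 < int(port) < 65536:
            problems.append(f"Component1.Dest.Port must be 1-65535, got {port!r}")
    return problems


def build_install_command(installer: str, msi_props: dict, params: dict,
                          standalone: bool) -> str:
    """Assemble the full silent-install line in the shape used above."""
    problems = check_params(params, standalone)
    if problems:
        raise ValueError("; ".join(problems))
    props = " ".join(f"{k}={v}" for k, v in msi_props.items())
    inner = build_auto_creation_params(params)
    return (f'{installer} /s /v"/qn {props} LOG_SOURCE_AUTO_CREATION_ENABLED=True '
            f'LOG_SOURCE_AUTO_CREATION_PARAMETERS=""{inner}"""')


# Constructed stand-alone example: Security/System/Application over TCP/514.
STANDALONE_EXAMPLE = {
    "Component1.AgentDevice": "DeviceWindowsLog",
    "Component1.Action": "create",
    "Component1.LogSourceName": "EventLogLocal",
    "Component1.LogSourceIdentifier": "%COMPUTERNAME%",
    "Component1.Dest.Name": "QRadar",
    "Component1.Dest.Hostname": "172.18.0.10",   # placeholder address
    "Component1.Dest.Port": 514,
    "Component1.Dest.Protocol": "TCP",
    "Component1.Log.Security": True,
    "Component1.Log.System": True,
    "Component1.Log.Application": True,
    "Component1.Log.DNS Server": False,
    "Component1.RemoteMachinePollInterval": 3000,
    "Component1.EventRateTuningProfile": "High Event Rate Server",
}

if __name__ == "__main__":
    print(build_install_command(r"c:\wincollect-7.2.9-72.x64.exe",
                                {"STATUSSERVER": "172.18.0.10"},
                                STANDALONE_EXAMPLE, standalone=True))
```

Running the script prints a command in the same shape as the stand-alone example above; feeding an existing command's parameter string through parse_auto_creation_params and check_params is a quick way to see why an Agent registered without a log source being created.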

The post WinCollect – Setting QRadar Destination during Agent Installation appeared first on 101.

WinCollect 7.2.8 – Stand-Alone cmd line with Xpath option https://www.ibm.com/community/101/2019/03/14/wincollect-7-2-8-stand-alone-cmd-line-with-xpath-option/ Thu, 14 Mar 2019 17:27:12 +0000

WinCollect 7.2.8 allows you to add an XPath to your command-line installer for “Stand-Alone” installs only.

The first thing you need to do is convert your XPath to base64 encoding.

Take this example, the XPath needed to collect Windows PowerShell logs:

<QueryList>
    <Query Id="0" Path="Windows PowerShell">
        <Select Path="Windows PowerShell">*</Select>
    </Query>
</QueryList>

Converting this to base64 (you can use https://www.base64encode.org/ to encode/decode the XPath) results in:

PFF1ZXJ5TGlzdD4KPFF1ZXJ5IElkPSIwIiBQYXRoPSJXaW5kb3dzIFBvd2VyU2hlbGwiPgo8U2VsZWN0IFBhdGg9IldpbmRvd3MgUG93ZXJTaGVsbCI+KjwvU2VsZWN0Pgo8L1F1ZXJ5Pgo8L1F1ZXJ5TGlzdD4=

Now that we have the base64 we can add it to our command line to install WinCollect:

c:\wincollect-7.2.8-91.exe /s /v"/qn STATUSSERVER=172.X.X.X LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=%COMPUTERNAME%&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Dest.Name=QRadar&Component1.EventLogPollProtocol=MSEVEN6&Component1.Dest.Hostname=172.X.X.X&Component1.Dest.Port=514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=true&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=3000&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=2500&Component1.CustomQuery.Base64=PFF1ZXJ5TGlzdD4KPFF1ZXJ5IElkPSIwIiBQYXRoPSJXaW5kb3dzIFBvd2VyU2hlbGwiPgo8U2VsZWN0IFBhdGg9IldpbmRvd3MgUG93ZXJTaGVsbCI+KjwvU2VsZWN0Pgo8L1F1ZXJ5Pgo8L1F1ZXJ5TGlzdD4=&Component1.EventRateTuningProfile=High+Event+Rate+Server"""

Replace the following entries with valid IP addresses:
STATUSSERVER=172.X.X.X and
Component1.Dest.Hostname=172.X.X.X

STATUSSERVER is the location where the WinCollect Agent will send its status messages (i.e. WinCollect service starting or any Agent error messages).
Component1.Dest.Hostname is the location where the Agent will send the event logs (i.e. the QRadar Event Collector or Console).

Add or remove any of the components or event logs you want to collect and you should be good to go.
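The base64 step can be done locally rather than on a web site, and it is worth checking the query is well-formed before it goes into an installer command, because a malformed QueryList only shows up later as a log source that collects nothing. The following Python is an added example, not WinCollect code: it normalizes and encodes a QueryList for Component1.CustomQuery.Base64, decodes one back, validates the structure, and reproduces the exact base64 string shown above from the XPath shown above. The XPath and base64 value are the page's own; everything else is this example's.

```python
"""Encode an XPath QueryList for Component1.CustomQuery.Base64 and decode
one back, validating structure locally. Added example, not WinCollect
code; the XPath and base64 below are the ones on this page."""
import base64
import xml.etree.ElementTree as ET

# The XPath shown above, indentation and all.
PAGE_XPATH = """<QueryList>
     <Query Id="0" Path="Windows PowerShell">
        <Select Path="Windows PowerShell">*</Select>
     </Query>
</QueryList>"""

# The base64 value shown above for that query.
PAGE_BASE64 = "PFF1ZXJ5TGlzdD4KPFF1ZXJ5IElkPSIwIiBQYXRoPSJXaW5kb3dzIFBvd2VyU2hlbGwiPgo8U2VsZWN0IFBhdGg9IldpbmRvd3MgUG93ZXJTaGVsbCI+KjwvU2VsZWN0Pgo8L1F1ZXJ5Pgo8L1F1ZXJ5TGlzdD4="


def normalize_xpath(xml_text: str) -> str:
    """Strip per-line indentation and join with newlines. The page's base64
    was produced from this un-indented form, so this reproduces it."""
    lines = (line.strip() for line in xml_text.strip().splitlines())
    return "\n".join(line for line in lines if line)


def validate_querylist(xml_text: str) -> ET.Element:
    """Raise ValueError unless the text is a QueryList whose every Query has
    Id and Path attributes and at least one Select element."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != "QueryList":
        raise ValueError(f"root element is {root.tag!r}, expected QueryList")
    for query in root.findall("Query"):
        if query.get("Id") is None or query.get("Path") is None:
            raise ValueError("each Query needs Id and Path attributes")
        if not query.findall("Select"):
            raise ValueError(f"Query {query.get('Id')} has no Select element")
    return root


def encode_xpath(xml_text: str) -> str:
    """Validate, normalize and base64-encode a QueryList."""
    normalized = normalize_xpath(xml_text)
    validate_querylist(normalized)
    return base64.b64encode(normalized.encode("utf-8")).decode("ascii")


def decode_xpath(b64: str) -> str:
    """Decode a CustomQuery.Base64 value and validate what comes out.
    validate=True makes truncated or padded-wrong input raise ValueError."""
    text = base64.b64decode(b64, validate=True).decode("utf-8")
    validate_querylist(text)
    return text


def channels_selected(b64: str) -> list:
    """The channel names a stored query actually reads from."""
    root = validate_querylist(decode_xpath(b64))
    return [sel.get("Path") for sel in root.iter("Select")]


if __name__ == "__main__":
    print(encode_xpath(PAGE_XPATH) == PAGE_BASE64)   # True
    print(channels_selected(PAGE_BASE64))            # ['Windows PowerShell']
```

decode_xpath is also a convenient way to read back what an already-deployed Agent has in its CustomQuery.Base64 parameter in agentconfig.xml.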

WinCollect 7.2.8 – Stand-Alone cmd line with NSA Filter Option https://www.ibm.com/community/101/2019/03/14/wincollect-7-2-8-stand-alone-cmd-line-with-nsa-filter-option/ Thu, 14 Mar 2019 17:21:41 +0000

WinCollect 7.2.8 allows you to add NSA filtering to your command-line installer for “Stand-Alone” installs only.

You will need 3 parameters per channel you want to collect from.

System
&Component1.Filter.System.Enabled=true
&Component1.Filter.System.Type=NSAlist
&Component1.Filter.System.Param=1,6,12,13,19,104,219,1001,1125,1126,1129,7000,7022,7023,7024,7026,7031,7032,7034,7045
Application
&Component1.Filter.Application.Enabled=true
&Component1.Filter.Application.Type=NSAlist
&Component1.Filter.Application.Param=1,2,865,866,867,868,882,1000,1001,1002,1022,1033,1511,1518
Security
&Component1.Filter.Security.Enabled=true
&Component1.Filter.Security.Type=NSAlist
&Component1.Filter.Security.Param=1100,1102,4624,4625,4634,4648,4657,4672,4688,4689,4704,4706,4713,4714,4716,4719,4720,4722,4725,4726,4728,4731,4732,4733,4735,4740,4756,4765,4766,4767,4769,4776,4778,4779,4781,4782,4793,4870,4873,4874,4880,4881,4882,4885,4886,4887,4888,4890,4891,4892,4896,4897,4898,4899,4900,5038,5136,5137,5138,5139,5140,5141,5142,5144,5145,5376,5377,5632,6272,6273,6274,6275,6276,6277,6278,6279,6280,6281

Sample Install Command

c:\wincollect-7.2.8-91.exe /s /v"/qn STATUSSERVER=172.X.X.X LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=%COMPUTERNAME%&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Dest.Name=QRadar&Component1.EventLogPollProtocol=MSEVEN6&Component1.Dest.Hostname=172.X.X.X&Component1.Dest.Port=514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=true&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=3000&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1825&Component1.EventRateTuningProfile=High+Event+Rate+Server&Component1.Filter.System.Enabled=true&Component1.Filter.System.Type=NSAlist&Component1.Filter.System.Param=1,6,12,13,19,104,219,1001,1125,1126,1129,7000,7022,7023,7024,7026,7031,7032,7034,7045&Component1.Filter.Application.Enabled=true&Component1.Filter.Application.Type=NSAlist&Component1.Filter.Application.Param=1,2,865,866,867,868,882,1000,1001,1002,1022,1033,1511,1518&Component1.Filter.Security.Enabled=true&Component1.Filter.Security.Type=NSAlist&Component1.Filter.Security.Param=1100,1102,4624,4625,4634,4648,4657,4672,4688,4689,4704,4706,4713,4714,4716,4719,4720,4722,4725,4726,4728,4731,4732,4733,4735,4740,4756,4765,4766,4767,4769,4776,4778,4779,4781,4782,4793,4870,4873,4874,4880,4881,4882,4885,4886,4887,4888,4890,4891,4892,4896,4897,4898,4899,4900,5038,5136,5137,5138,5139,5140,5141,5142,5144,5145,5376,5377,5632,6272,6273,6274,6275,6276,6277,6278,6279,6280,6281"""

Replace the following entries with valid IP addresses:
STATUSSERVER=172.X.X.X and
Component1.Dest.Hostname=172.X.X.X

STATUSSERVER is the location where the WinCollect Agent will send its status messages (i.e. WinCollect service starting or any Agent error messages).
Component1.Dest.Hostname is the location where the Agent will send the event logs (i.e. the QRadar Event Collector or Console).

Add or remove any of the components or event logs you want to collect and you should be good to go.

Log File
You can verify the Agent is using the change by looking in wincollect.log for “Setup filter Application” and the other channels:

INFO Device.WindowsLog.WindowsLogDeviceReaderPool : Monitoring Windows Log Application on ABC every 3000 msecs
INFO Device.WindowsLog.WindowsLogDeviceReaderPool : Monitoring Windows Log Security on ABC  every 3000 msecs
INFO Device.WindowsLog.WindowsLogDeviceReaderPool : Monitoring Windows Log System on ABC  every 3000 msecs
INFO Device.WindowsLog.WindowsLogDeviceReaderPool : Setup filter Application: (1-2,865-868,882,1000-1002,1022,1033,1511,1518) 
INFO Device.WindowsLog.WindowsLogDeviceReaderPool : Setup filter Security: (1100,1102,4624-4625,4634,4648,4657,4672,4688-4689,4704,4706,4713-4714,4716,4719-4720,4722,4725-4726,4728,4731-4733,4735,4740,4756,4765-4767,4769,4776,4778-4779,4781-4782,4793,4870,4873-4874,4880-4882,4885-4888,4890-4892,4896-4900,5038,5136-5142,5144-5145,5376-5377,5632,6272-6281) 
INFO Device.WindowsLog.WindowsLogDeviceReaderPool : Setup filter System: (1,6,12-13,19,104,219,1001,1125-1126,1129,7000,7022-7024,7026,7031-7032,7034,7045)
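The log lines collapse consecutive event IDs into ranges, so comparing them by eye with the comma-separated Param values is error-prone on the long Security list. The following Python is an added example, not WinCollect code: it parses both forms, renders a list the way the Agent logs it, checks every configured channel against the “Setup filter” lines, and answers whether a given event ID would pass the filter. The three ID lists and the log lines are the ones on this page; the lo-hi range notation is read off those log lines.

```python
"""Check an NSAlist filter against what the Agent reports in wincollect.log.

Added example, not WinCollect code. The three event-ID lists and the
'Setup filter' lines are the ones on this page; the lo-hi range notation
is read off those log lines. Nothing here talks to an Agent."""
import re

# The page's NSAlist values, keyed by channel.
PAGE_PARAMS = {
    "System": "1,6,12,13,19,104,219,1001,1125,1126,1129,7000,7022,7023,7024,7026,7031,7032,7034,7045",
    "Application": "1,2,865,866,867,868,882,1000,1001,1002,1022,1033,1511,1518",
    "Security": "1100,1102,4624,4625,4634,4648,4657,4672,4688,4689,4704,4706,4713,4714,4716,4719,4720,4722,4725,4726,4728,4731,4732,4733,4735,4740,4756,4765,4766,4767,4769,4776,4778,4779,4781,4782,4793,4870,4873,4874,4880,4881,4882,4885,4886,4887,4888,4890,4891,4892,4896,4897,4898,4899,4900,5038,5136,5137,5138,5139,5140,5141,5142,5144,5145,5376,5377,5632,6272,6273,6274,6275,6276,6277,6278,6279,6280,6281",
}

# The page's wincollect.log lines (same text, held here as a list).
PAGE_LOG_LINES = [
    "INFO Device.WindowsLog.WindowsLogDeviceReaderPool : Setup filter Application: (1-2,865-868,882,1000-1002,1022,1033,1511,1518) ",
    "INFO Device.WindowsLog.WindowsLogDeviceReaderPool : Setup filter Security: (1100,1102,4624-4625,4634,4648,4657,4672,4688-4689,4704,4706,4713-4714,4716,4719-4720,4722,4725-4726,4728,4731-4733,4735,4740,4756,4765-4767,4769,4776,4778-4779,4781-4782,4793,4870,4873-4874,4880-4882,4885-4888,4890-4892,4896-4900,5038,5136-5142,5144-5145,5376-5377,5632,6272-6281) ",
    "INFO Device.WindowsLog.WindowsLogDeviceReaderPool : Setup filter System: (1,6,12-13,19,104,219,1001,1125-1126,1129,7000,7022-7024,7026,7031-7032,7034,7045)",
]
LOG_RE = re.compile(r"Setup filter (?P<channel>\w+): \((?P<ranges>[\d,\-]+)\)")


def parse_id_list(text):
    """'1,6,12-13' -> {1, 6, 12, 13}; accepts both the Param and the log form."""
    ids = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            lo, hi = (int(part) for part in token.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {token!r}")
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(token))
    return ids


def compress_ranges(ids):
    """Render IDs the way the Agent logs them: runs collapse to lo-hi."""
    ordered = sorted(set(ids))
    out, i = [], 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        out.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(out)


def filter_params(channel, ids):
    """The three installer parameters the post says each channel needs."""
    return {
        f"Component1.Filter.{channel}.Enabled": "true",
        f"Component1.Filter.{channel}.Type": "NSAlist",
        f"Component1.Filter.{channel}.Param": ",".join(str(i) for i in sorted(set(ids))),
    }


def filters_from_log(lines):
    """channel -> set of IDs, from every 'Setup filter' line found."""
    found = {}
    for line in lines:
        match = LOG_RE.search(line)
        if match:
            found[match.group("channel")] = parse_id_list(match.group("ranges"))
    return found


def verify_against_log(params, lines):
    """channel -> list of discrepancies; all empty means the Agent applied
    exactly the lists that were configured."""
    logged = filters_from_log(lines)
    report = {}
    for channel, param in params.items():
        wanted = parse_id_list(param)
        if channel not in logged:
            report[channel] = ["no 'Setup filter' line for this channel: filter not applied"]
            continue
        issues = []
        missing = wanted - logged[channel]
        extra = logged[channel] - wanted
        if missing:
            issues.append(f"configured but not applied: {compress_ranges(missing)}")
        if extra:
            issues.append(f"applied but not configured: {compress_ranges(extra)}")
        report[channel] = issues
    return report


def will_forward(param, event_id):
    """True if an event with this ID passes the NSAlist for its channel."""
    return event_id in parse_id_list(param)


if __name__ == "__main__":
    for channel, issues in verify_against_log(PAGE_PARAMS, PAGE_LOG_LINES).items():
        print(channel, "OK" if not issues else "; ".join(issues))
```

Point verify_against_log at the real wincollect.log lines after an install and it reports, per channel, anything configured that the Agent did not apply; will_forward is the quick answer to “will this event ID reach QRadar with this filter?” before a change is rolled out.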

WinCollect 7.x – Stand-Alone change configuration with Templates https://www.ibm.com/community/101/2019/03/14/wincollect-7-2-8-stand-alone-change-configuration-with-templates/ Thu, 14 Mar 2019 17:18:32 +0000

Overview
Stand-Alone WinCollect 7.x versions allow you to make changes to the Agent configuration (agentconfig.xml) using “Templates”. Templates essentially allow you to change the Agent's configuration without editing agentconfig.xml by hand or via script. When a template is copied to the WinCollect patch folder the Agent picks it up and replaces the existing configuration with the template. The Agent then makes a backup of the current configuration in the patch checkpoint folder and restarts.

Templates
Currently there are 4 sample templates installed with WinCollect 7.x, stored in \IBM\WinCollect\templates:

  • tmplt_AgentCore.xml
  • tmplt_DestinationManager.xml
  • tmplt_DeviceWindowsLog.xml
  • tmplt_PayloadRouter.xml

These templates are examples only; all agent config service modules are supported, so you can create your own templates (see the examples below).

Use Case
A customer wants to change the heartbeat interval from 5 minutes to 1 hr on all of their deployed systems. In prior versions this would require direct manual or scripted changes to agentconfig.xml and a WinCollect service restart.

With templates this can be accomplished by performing the following:

Locate the service that handles the heartbeat interval. That service is “AgentCore”; in particular, HeartbeatInterval is contained in the tmplt_AgentCore.xml template:

<Service classification="Static" type="Service" version="7.3.1" module="AgentCore" name="AgentCore">
	<Environment>
		<Parameter name="HeartbeatInterval" value="300000"/>
		<Parameter name="ConfigurationCheckInterval" value="300000"/>
		<Parameter name="Enabled" value="true"/>
		<Parameter name="Deleted" value="false"/>
	</Environment>
</Service>


Make a copy of the template and name it service_AgentCore.xml.
Update HeartbeatInterval to 1 hr (60 minutes = 3600000 milliseconds):

<Service classification="Static" type="Service" version="7.3.1" module="AgentCore" name="AgentCore">
	<Environment>
		<Parameter name="HeartbeatInterval" value="3600000"/>
		<Parameter name="ConfigurationCheckInterval" value="300000"/>
		<Parameter name="Enabled" value="true"/>
		<Parameter name="Deleted" value="false"/>
	</Environment>
</Service>


Drop the file into the WinCollect patch folder \IBM\WinCollect\patch.
After a few seconds the file will disappear and the Agent will restart.
The old agentconfig.xml will now appear in a backup folder (patch_checkpoint_XXXX). This provides a backup in case you need to revert to the prior agent configuration.

The Agent restarts on its own and you will now have the configuration that you provided in the service template.

Use Case 2
A customer would like to modify the location and capacity of the event data stored in \programdata\WinCollect. They now want to store the event data in “c:\ibm” and change the capacity to 20GB.

There is no default template for this, but we can easily create one by looking at agentconfig.xml.

Existing Service

<Service classification="Service" type="Service" version="7.3.1" module="WinCollectCommon" name="DiskManager">
	<Environment>
		<Parameter name="BasePath" value="%ALLUSERSPROFILE%\WinCollect\Data"/>
		<Parameter name="Capacity" value="6144"/>
	</Environment>
</Service>

NOTE: %ALLUSERSPROFILE% is an environment variable that expands to C:\ProgramData.

We want to change this to C:\IBM\WinCollect\Data.

Looking at the XML we can see that the name of this service is “DiskManager”.
Create an XML file named service_DiskManager.xml with the contents above and make the necessary changes to the path and capacity:

<Service classification="Service" type="Service" version="7.3.1" module="WinCollectCommon" name="DiskManager">
	<Environment>
		<Parameter name="BasePath" value="c:\ibm\WinCollect\Data"/>
		<Parameter name="Capacity" value="20480"/>
	</Environment>
</Service>


Same as before, drop the file in the patch folder. The Agent will pick up the change, apply the new configuration and restart. Once the changes are applied, the Agent will be writing bookmarks and event data (if it can't reach QRadar) to the new folder.

Use Case 3 – Send TCP vs. UDP
A customer's syslog destination is configured as UDP but they now want to send syslog to QRadar over TCP. This is controlled in the DestinationManager service:

<Service version="7.3.1" classification="Service" type="Service" module="WinCollectPlugin" name="DestinationManager">
	<Environment/>
	<InstanceData>
		<Instance name="QRadar">
			<Environment/>
			<Module order="1" service_name="StoreAndForwardStage">
				<Environment>
					<Parameter name="DataChunkPeriod" value="10"/>
					<Parameter name="DataProcessingPeriod" value="500000"/>
					<Parameter name="QueueLowWaterMark" value="750000"/>
					<Parameter name="QueueHighWaterMark" value="1000000"/>
					<Parameter name="Schedule.Enable" value="true"/>
					<Parameter name="Schedule.Invert" value="false"/>
					<Parameter name="Socket.KeepAlive.Enabled" value="true"/>
					<Parameter name="Socket.KeepAlive.Time" value="30000"/>
					<Parameter name="Socket.KeepAlive.Interval" value="4000"/>
				</Environment>
			</Module>
			<Module order="2" service_name="SimpleEventThrottle">
				<Environment>
					<Parameter name="EventThrottleInEPS" value="5000"/>
				</Environment>
			</Module>
			<Module order="3" service_name="SyslogHeaderStage">
				<Environment/>
			</Module>
			<Module order="4" service_name="UDPSendStage">
				<Environment>
					<Parameter name="TargetAddress" value="172.18.X.X"/>
					<Parameter name="TargetPort" value="514"/>
				</Environment>
			</Module>
		</Instance>
	</InstanceData>
</Service>


Change the service_name of the module with order 4 from UDPSendStage to TCPSendStage:

<Service version="7.3.1" classification="Service" type="Service" module="WinCollectPlugin" name="DestinationManager">
	<Environment/>
	<InstanceData>
		<Instance name="QRadar">
			<Environment/>
			<Module order="1" service_name="StoreAndForwardStage">
				<Environment>
					<Parameter name="DataChunkPeriod" value="10"/>
					<Parameter name="DataProcessingPeriod" value="500000"/>
					<Parameter name="QueueLowWaterMark" value="750000"/>
					<Parameter name="QueueHighWaterMark" value="1000000"/>
					<Parameter name="Schedule.Enable" value="true"/>
					<Parameter name="Schedule.Invert" value="false"/>
					<Parameter name="Socket.KeepAlive.Enabled" value="true"/>
					<Parameter name="Socket.KeepAlive.Time" value="30000"/>
					<Parameter name="Socket.KeepAlive.Interval" value="4000"/>
				</Environment>
			</Module>
			<Module order="2" service_name="SimpleEventThrottle">
				<Environment>
					<Parameter name="EventThrottleInEPS" value="5000"/>
				</Environment>
			</Module>
			<Module order="3" service_name="SyslogHeaderStage">
				<Environment/>
			</Module>
			<Module order="4" service_name="TCPSendStage">
				<Environment>
					<Parameter name="TargetAddress" value="172.18.X.X"/>
					<Parameter name="TargetPort" value="514"/>
				</Environment>
			</Module>
		</Instance>
	</InstanceData>
</Service>


Create an xml named service_DestinationManager.xml with the contents above.

Use Case 4 – Add NSA Filtering to an existing log source

Existing Log Source

<Service version="7.3.1" classification="Service" type="DeviceType" module="DeviceWindowsLog" name="DeviceWindowsLog">
	<Environment>
		<Parameter name="DeviceThreadPoolType" value="AdaptiveThreadPool"/>
		<Parameter name="AdaptiveThreadPool.ReaderThreadsMax" value="500"/>
		<Parameter name="AdaptiveThreadPool.ReaderThreadsMin" value="5"/>
		<Parameter name="AdaptiveThreadPool.ReaderBacklogSamplePeriodMillis" value="200"/>
		<Parameter name="MinEventMonitorThreads" value="5"/>
		<Parameter name="MaxEventMonitorThreads" value="250"/>
		<Parameter name="EventLogMonitor.RetryTimeoutMillis" value="60000"/>
		<Parameter name="DefaultThrottleTimeout" value="1500"/>
		<Parameter name="DefaultEventLogPollProtocol" value="MSEVEN6"/>
	</Environment>
	<InstanceData>
		<Instance enabled="true" name="EventLogLocal">
			<Environment>
				<Parameter name="DeviceAddress" value="DESKTOP"/>
				<Parameter name="RemoteMachine" value="DESKTOP"/>
				<Parameter name="Filter.DNS Server.Enabled" value="false"/>
				<Parameter name="EventTypeFilterFailureAudit" value="true"/>
				<Parameter name="EventLogPollProtocol" value="MSEVEN6"/>
				<Parameter name="Log.Security" value="true"/>
				<Parameter name="Filter.Application.Enabled" value="false"/>
				<Parameter name="ADLookup.Enabled" value="false"/>
				<Parameter name="ThrottleTimeout" value="1000"/>
				<Parameter name="Filter.DNS Server.Param" value=""/>
				<Parameter name="Filter.File Replication Service.Enabled" value="false"/>
				<Parameter name="Filter.Application.Type" value="No Filtering"/>
				<Parameter name="Filter.Directory Service.Param" value=""/>
				<Parameter name="Log.Application" value="true"/>
				<Parameter name="Filter.System.Type" value="No Filtering"/>
				<Parameter name="Filter.DNS Server.Type" value="No Filtering"/>
				<Parameter name="Filter.Application.Param" value=""/>
				<Parameter name="Filter.System.Param" value=""/>
				<Parameter name="Log.Directory Service" value="false"/>
				<Parameter name="ADLookup.DomainControllerName" value=""/>
				<Parameter name="Log.File Replication Service" value="false"/>
				<Parameter name="Filter.Directory Service.Enabled" value="false"/>
				<Parameter name="CustomQuery.Base64" value=""/>
				<Parameter name="Filter.Security.Param" value=""/>
				<Parameter name="EventRateTuningProfile" value="High Event Rate Server"/>
				<Parameter name="Local.System" value="true"/>
				<Parameter name="EventTypeFilterError" value="true"/>
				<Parameter name="EventTypeFilterWarn" value="true"/>
				<Parameter name="EventTypeFilterInfo" value="true"/>
				<Parameter name="Filter.File Replication Service.Param" value=""/>
				<Parameter name="Filter.File Replication Service.Type" value="No Filtering"/>
				<Parameter name="EventTypeFilterSuccessAudit" value="true"/>
				<Parameter name="Filter.Directory Service.Type" value="No Filtering"/>
				<Parameter name="Filter.Security.Type" value="No Filtering"/>
				<Parameter name="Application" value="None"/>
				<Parameter name="Log.System" value="true"/>
				<Parameter name="Log.ForwardedEvents" value="false"/>
				<Parameter name="Filter.Security.Enabled" value="false"/>
				<Parameter name="Filter.System.Enabled" value="false"/>
				<Parameter name="Log.DNS Server" value="false"/>
				<Parameter name="ADLookup.DNSDomainName" value=""/>
				<Parameter name="RemoteMachinePollInterval" value="3000"/>
				<Parameter name="MinLogsToProcessPerPass" value="1250"/>
				<Parameter name="MaxLogsToProcessPerPass" value="1825"/>
				<Parameter name="Login.Handle" value="0"/>
			</Environment>
		</Instance>
	</InstanceData>
</Service>


Modify the following lines:

<Parameter name="Filter.System.Type" value="NSAlist"/>
<Parameter name="Filter.System.Param" value="1,6,12,13,19,104,219,1001,1125,1126,1129,7000,7022,7023,7024,7026,7031,7032,7034,7045"/>
<Parameter name="Filter.System.Enabled" value="true"/>

Save the result as service_DeviceWindowsLog.xml and drop it in the patch folder. The complete file:

<Service version="7.3.1" classification="Service" type="DeviceType" module="DeviceWindowsLog" name="DeviceWindowsLog">
	<Environment>
		<Parameter name="DeviceThreadPoolType" value="AdaptiveThreadPool"/>
		<Parameter name="AdaptiveThreadPool.ReaderThreadsMax" value="500"/>
		<Parameter name="AdaptiveThreadPool.ReaderThreadsMin" value="5"/>
		<Parameter name="AdaptiveThreadPool.ReaderBacklogSamplePeriodMillis" value="200"/>
		<Parameter name="MinEventMonitorThreads" value="5"/>
		<Parameter name="MaxEventMonitorThreads" value="250"/>
		<Parameter name="EventLogMonitor.RetryTimeoutMillis" value="60000"/>
		<Parameter name="DefaultThrottleTimeout" value="1500"/>
		<Parameter name="DefaultEventLogPollProtocol" value="MSEVEN6"/>
	</Environment>
	<InstanceData>
		<Instance enabled="true" name="EventLogLocal">
			<Environment>
				<Parameter name="DeviceAddress" value="DESKTOP"/>
				<Parameter name="RemoteMachine" value="DESKTOP"/>
				<Parameter name="Filter.DNS Server.Enabled" value="false"/>
				<Parameter name="EventTypeFilterFailureAudit" value="true"/>
				<Parameter name="EventLogPollProtocol" value="MSEVEN6"/>
				<Parameter name="Log.Security" value="true"/>
				<Parameter name="Filter.Application.Enabled" value="false"/>
				<Parameter name="ADLookup.Enabled" value="false"/>
				<Parameter name="ThrottleTimeout" value="1000"/>
				<Parameter name="Filter.DNS Server.Param" value=""/>
				<Parameter name="Filter.File Replication Service.Enabled" value="false"/>
				<Parameter name="Filter.Application.Type" value="No Filtering"/>
				<Parameter name="Filter.Directory Service.Param" value=""/>
				<Parameter name="Log.Application" value="true"/>
				<Parameter name="Filter.DNS Server.Type" value="No Filtering"/>
				<Parameter name="Filter.Application.Param" value=""/>
				<Parameter name="Filter.System.Type" value="NSAlist"/>
				<Parameter name="Filter.System.Param" value="1,6,12,13,19,104,219,1001,1125,1126,1129,7000,7022,7023,7024,7026,7031,7032,7034,7045"/>
				<Parameter name="Filter.System.Enabled" value="true"/>
				<Parameter name="Log.Directory Service" value="false"/>
				<Parameter name="ADLookup.DomainControllerName" value=""/>
				<Parameter name="Log.File Replication Service" value="false"/>
				<Parameter name="Filter.Directory Service.Enabled" value="false"/>
				<Parameter name="CustomQuery.Base64" value=""/>
				<Parameter name="Filter.Security.Param" value=""/>
				<Parameter name="EventRateTuningProfile" value="High Event Rate Server"/>
				<Parameter name="Local.System" value="true"/>
				<Parameter name="EventTypeFilterError" value="true"/>
				<Parameter name="EventTypeFilterWarn" value="true"/>
				<Parameter name="EventTypeFilterInfo" value="true"/>
				<Parameter name="Filter.File Replication Service.Param" value=""/>
				<Parameter name="Filter.File Replication Service.Type" value="No Filtering"/>
				<Parameter name="EventTypeFilterSuccessAudit" value="true"/>
				<Parameter name="Filter.Directory Service.Type" value="No Filtering"/>
				<Parameter name="Filter.Security.Type" value="No Filtering"/>
				<Parameter name="Application" value="None"/>
				<Parameter name="Log.System" value="true"/>
				<Parameter name="Log.ForwardedEvents" value="false"/>
				<Parameter name="Filter.Security.Enabled" value="false"/>
				<Parameter name="Log.DNS Server" value="false"/>
				<Parameter name="ADLookup.DNSDomainName" value=""/>
				<Parameter name="RemoteMachinePollInterval" value="3000"/>
				<Parameter name="MinLogsToProcessPerPass" value="1250"/>
				<Parameter name="MaxLogsToProcessPerPass" value="1825"/>
				<Parameter name="Login.Handle" value="0"/>
			</Environment>
		</Instance>
	</InstanceData>
</Service>
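All four use cases follow the same pattern: take the service block out of agentconfig.xml, change one or three attributes, save it as service_<Name>.xml and drop it in the patch folder. Editing the XML by hand on many systems is where typos creep in, so the following Python is an added example, not WinCollect code, that makes each change with a real XML parser and serializes the result. The service XML is the page's own (the DestinationManager and DeviceWindowsLog blocks abridged to the elements touched); the output folder is an assumption, nothing is written unless out_dir is passed.

```python
"""Generate service_<Name>.xml templates from a service block of
agentconfig.xml for the four use cases above: heartbeat interval,
DiskManager path and capacity, UDP to TCP send stage, NSA filter on an
existing log source. Added example, not WinCollect code. The XML is the
page's own, with DestinationManager and DeviceWindowsLog abridged to the
elements touched; files are only written when out_dir is given (the page
drops them in \\IBM\\WinCollect\\patch)."""
import xml.etree.ElementTree as ET
from pathlib import Path

AGENTCORE = """<Service classification="Static" type="Service" version="7.3.1" module="AgentCore" name="AgentCore">
<Environment><Parameter name="HeartbeatInterval" value="300000"/>
<Parameter name="ConfigurationCheckInterval" value="300000"/>
<Parameter name="Enabled" value="true"/><Parameter name="Deleted" value="false"/></Environment>
</Service>"""

DISKMANAGER = r"""<Service classification="Service" type="Service" version="7.3.1" module="WinCollectCommon" name="DiskManager">
<Environment><Parameter name="BasePath" value="%ALLUSERSPROFILE%\WinCollect\Data"/>
<Parameter name="Capacity" value="6144"/></Environment>
</Service>"""

DESTINATION = """<Service version="7.3.1" classification="Service" type="Service" module="WinCollectPlugin" name="DestinationManager">
<Environment/><InstanceData><Instance name="QRadar"><Environment/>
<Module order="3" service_name="SyslogHeaderStage"><Environment/></Module>
<Module order="4" service_name="UDPSendStage"><Environment>
<Parameter name="TargetAddress" value="172.18.X.X"/><Parameter name="TargetPort" value="514"/>
</Environment></Module></Instance></InstanceData>
</Service>"""

DEVICEWINDOWSLOG = """<Service version="7.3.1" classification="Service" type="DeviceType" module="DeviceWindowsLog" name="DeviceWindowsLog">
<Environment><Parameter name="DefaultEventLogPollProtocol" value="MSEVEN6"/></Environment>
<InstanceData><Instance enabled="true" name="EventLogLocal"><Environment>
<Parameter name="Log.System" value="true"/>
<Parameter name="Filter.System.Type" value="No Filtering"/>
<Parameter name="Filter.System.Param" value=""/>
<Parameter name="Filter.System.Enabled" value="false"/>
</Environment></Instance></InstanceData>
</Service>"""


def _environment(service, instance=None):
    """Environment at service level or inside the named Instance."""
    if instance is None:
        env = service.find("Environment")
    else:
        env = service.find(f"InstanceData/Instance[@name='{instance}']/Environment")
    if env is None:
        raise KeyError(f"no Environment for instance {instance!r}")
    return env


def set_parameter(service, name, value, instance=None):
    """Set <Parameter name=... value=...>, adding it when absent."""
    env = _environment(service, instance)
    param = env.find(f"Parameter[@name='{name}']")
    if param is None:
        param = ET.SubElement(env, "Parameter", name=name)
    param.set("value", str(value))
    return param


def get_parameter(service, name, instance=None):
    param = _environment(service, instance).find(f"Parameter[@name='{name}']")
    return None if param is None else param.get("value")


def find_module(service, instance, order):
    module = service.find(f"InstanceData/Instance[@name='{instance}']/Module[@order='{order}']")
    if module is None:
        raise KeyError(f"no Module order={order} in instance {instance!r}")
    return module


def render_template(service, out_dir=None):
    """Serialize; the file name the post uses is service_<name>.xml."""
    text = ET.tostring(service, encoding="unicode")
    if out_dir is not None:
        Path(out_dir, f"service_{service.get('name')}.xml").write_text(text, encoding="utf-8")
    return text


def heartbeat_template(minutes):                      # Use Case 1
    service = ET.fromstring(AGENTCORE)
    set_parameter(service, "HeartbeatInterval", minutes * 60 * 1000)  # value is in ms
    return service


def disk_manager_template(base_path, capacity_gb):    # Use Case 2
    service = ET.fromstring(DISKMANAGER)
    set_parameter(service, "BasePath", base_path)
    set_parameter(service, "Capacity", capacity_gb * 1024)  # page: 20GB -> 20480, so MB
    return service


def tcp_destination_template(instance="QRadar"):      # Use Case 3
    service = ET.fromstring(DESTINATION)
    find_module(service, instance, 4).set("service_name", "TCPSendStage")
    return service


def nsa_filter_template(channel, id_list, instance="EventLogLocal"):   # Use Case 4
    service = ET.fromstring(DEVICEWINDOWSLOG)
    set_parameter(service, f"Filter.{channel}.Type", "NSAlist", instance)
    set_parameter(service, f"Filter.{channel}.Param", id_list, instance)
    set_parameter(service, f"Filter.{channel}.Enabled", "true", instance)
    return service
```

In practice you would load the full service block from the target's agentconfig.xml rather than the abridged constants here, since the Agent replaces the whole service with the template; the helper functions work unchanged on the full block.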
Bulk Change WinCollect Log Sources using QRadar Log Source Management App https://www.ibm.com/community/101/2019/03/14/bulk-change-wincollect-log-sources-using-qradar-log-source-management-app/ Thu, 14 Mar 2019 17:12:23 +0000

Overview

The latest release of the QRadar Log Source Management App now provides the functionality to bulk change one to many WinCollect log sources. You will need QRadar 7.3.1+ and Version 2.0 or greater of the Log Source Management App to use the bulk change feature.

Use Case

I want to modify the polling interval from 3s to 10s for all of my Microsoft Windows Security Event Log WinCollect log sources.

Launch the QRadar Log Source Management App
Filter the Log Source Types by “Microsoft Windows Security Event Log” and Protocol Type of “WinCollect”.


Select all of the log sources you want to modify

NOTE: you can filter by name as well.

If I only wanted the 64-bit boxes I could type in “64-bit” and that would narrow my list to those.


Select all Log Sources and click on Edit.

Click on the “Protocol” tab, click on the “Polling Interval” entry, change it to 10000, and then click Save.


The selected log sources will now have a polling interval of 10s. The Agents need to pick up the changes from QRadar, so it could be 5 minutes before an Agent gets the change from QRadar.

Use Case

Add a noise filtering XPath to all WinCollect log sources (Microsoft Windows Security Event Log).

Follow the same steps as above, select XPath Query, add the following entry, and click Save:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">
      *[System[EventID=4688]] and *[EventData[Data[@Name='SubjectLogonId'] = '0x3e7' and (
        Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchFilterHost.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\SysWOW64\SearchProtocolHost.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchProtocolHost.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\backgroundTaskHost.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\conhost.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhost.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskeng.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\svchost.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\sc.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\rundll32.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhostex.exe'
      )]]
    </Suppress>
    <Suppress Path="Security">
      (*[System[EventID=4769]] and *[EventData[Data[@Name='ServiceName'] = 'krbtgt']])
      or (*[System[EventID=4770]])
      or (*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType'] = '3']])
      or (*[System[EventID=4634]] and *[EventData[Data[@Name='LogonType'] = '3']])
    </Suppress>
  </Query>
</QueryList>
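Before pushing that filter to every Security log source it is worth measuring what it actually drops. The following PowerShell is an added example, not code from the IBM post: it runs the same QueryList locally through Get-WinEvent -FilterXml, pulls an unfiltered baseline with the same Select, and reports how many of the newest events the Suppress clauses would discard, broken down by event ID. Because Get-WinEvent hands the query to the Windows event log API, a query the API rejects fails here before it fails on the agent. Test-XPathFilter and the 2000-event sample size are this example's own choices; the Security log needs an elevated session.

```powershell
# Added example, not part of the IBM post: dry-run the noise-filtering XPath
# against the local Security log before pushing it to every log source.
# Run from an elevated session; the Security log is not readable otherwise.
# Test-XPathFilter and the sample size of 2000 are this example's own choices.

# The filter from the post, verbatim.
$noiseFilter = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">
      *[System[EventID=4688]] and *[EventData[Data[@Name='SubjectLogonId'] = '0x3e7' and (
        Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchFilterHost.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\SysWOW64\SearchProtocolHost.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchProtocolHost.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\backgroundTaskHost.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\conhost.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhost.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskeng.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\svchost.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\sc.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\rundll32.exe'
        or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhostex.exe'
      )]]
    </Suppress>
    <Suppress Path="Security">
      (*[System[EventID=4769]] and *[EventData[Data[@Name='ServiceName'] = 'krbtgt']])
      or (*[System[EventID=4770]])
      or (*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType'] = '3']])
      or (*[System[EventID=4634]] and *[EventData[Data[@Name='LogonType'] = '3']])
    </Suppress>
  </Query>
</QueryList>
'@

function Test-XPathFilter {
    param(
        [Parameter(Mandatory)][string]$QueryXml,
        [int]$Sample = 2000      # newest events to measure against
    )
    # Fail fast on malformed XML before touching the event log.
    [xml]$doc = $QueryXml
    $path = $doc.QueryList.Query.Path

    # Same Select with no Suppress clauses: the unfiltered baseline.
    $baseline = "<QueryList><Query Id='0' Path='$path'><Select Path='$path'>*</Select></Query></QueryList>"

    # Get-WinEvent returns newest first. The filtered pull skips suppressed
    # events, so it reaches at least as far back as the baseline pull; any
    # baseline record missing from the filtered result was suppressed.
    $all  = Get-WinEvent -FilterXml ([xml]$baseline) -MaxEvents $Sample -ErrorAction Stop
    $kept = Get-WinEvent -FilterXml $doc -MaxEvents $Sample -ErrorAction Stop

    $keptIds = [System.Collections.Generic.HashSet[long]]::new()
    foreach ($e in $kept) { [void]$keptIds.Add($e.RecordId) }
    $dropped = @($all | Where-Object { -not $keptIds.Contains([long]$_.RecordId) })

    [pscustomobject]@{
        Sampled       = @($all).Count
        Suppressed    = $dropped.Count
        SuppressedPct = [math]::Round(100 * $dropped.Count / [math]::Max(1, @($all).Count), 1)
        ByEventId     = $dropped | Group-Object Id | Sort-Object Count -Descending |
                        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
    }
}

$result = Test-XPathFilter -QueryXml $noiseFilter
$result | Select-Object Sampled, Suppressed, SuppressedPct | Format-List
$result.ByEventId | Format-Table -AutoSize
```

If the filtered pull returns nothing at all, Get-WinEvent throws “No events were found”, which is itself a sign the filter is too broad. In the ByEventId breakdown, the 4624 and 4634 rows are the ones to weigh against your rules: every one of those is a network logon or logoff that QRadar will never see.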

The post Bulk Change WinCollect Log Sources using QRadar Log Source Management App appeared first on 101: https://www.ibm.com/community/101/2019/03/14/bulk-change-wincollect-log-sources-using-qradar-log-source-management-app/
WinCollect 7.2.8 – Cmd Line parameters – setting any parameter
https://www.ibm.com/community/101/2019/03/14/wincollect-7-2-8-cmd-line-parameters-setting-any-parameter/
Thu, 14 Mar 2019 17:05:29 +0000
Overview

In WinCollect 7.2.8 we added the ability to set just about any parameter in the cmd line install. In prior releases only the parameters available in the UI install could be set from the cmd line. Now in WinCollect 7.2.8 any parameter that is part of the AgentConfig.xml (for example the XPath query) can be set as part of the cmd line install.

NOTE: You can also set Agent Core parameters such as the heartbeat interval and the configuration poll interval.

Use Case – Windows Applications and Services Event Logs (Xpath)

Configure WinCollect to collect Windows PowerShell Event Logs along with standard event logs.

Xpath –  see the following blog

Use Case – Change Heartbeat and Configuration Polling Interval

A customer wants to change how often WinCollect checks in with QRadar for a configuration update (ConfigurationCheckInterval) and how often it sends a heartbeat message (HeartbeatInterval).

These parameters are set in the AgentCore section of the AgentConfig.xml:

<Service classification="Static" type="Service" version="7.2.8" module="AgentCore" name="AgentCore">
		<Environment>
			<Parameter name="HeartbeatInterval" value="3600000"/>
			<Parameter name="ConfigurationCheckInterval" value="900000"/>
			<Parameter name="Enabled" value="true"/>
			<Parameter name="Deleted" value="false"/>
		</Environment>
	</Service>

The following values can be used in the cmd line install to set the heartbeat to 60 minutes and the configuration poll to 15 minutes (the configuration poll defaults to 5 minutes). Values are in milliseconds.

Component1.HeartbeatInterval=3600000
Component1.ConfigurationCheckInterval=900000

Example

REM Pick the x64 installer when the 32-bit Program Files directory exists (64-bit Windows), otherwise the x86 one.
IF EXIST "%PROGRAMFILES(X86)%" (set bit=x64) ELSE (set bit=x86)
REM 172.18.X.X is the QRadar host. Everything after /v is the MSI property list, and the
REM LOG_SOURCE_AUTO_CREATION_PARAMETERS value is wrapped in a doubled "" pair inside it.
C:\WinCollectInstall\wincollect-7.2.8-9999.%bit%.exe /s /v"/qn STATUSSERVER=172.18.X.X LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.HeartbeatInterval=3600000&Component1.ConfigurationCheckInterval=900000&Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=EventLogLocal&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Dest.Name=QRadar&Component1.EventLogPollProtocol=MSEVEN6&Component1.Dest.Hostname=172.18.X.X&Component1.Dest.Port=514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=true&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=10000&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1825&Component1.EventRateTuningProfile=High+Event+Rate+Server"""
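The silent-install line above is easy to get wrong by hand because of the nested quoting, and nothing in the installer output tells you the AgentCore values took effect. The following PowerShell is an added example, not from the IBM post: it builds the argument string from an ordered list of Component1 values (mirroring the post's command, including its 172.18.X.X placeholders) and then reads AgentConfig.xml back to list every *Interval parameter in minutes. New-WinCollectInstallArgs and Get-WinCollectIntervals are names chosen here, the default install path under Program Files is an assumption, and the AgentConfig.xml embedded for an offline run is constructed from the AgentCore fragment shown above under a placeholder root element.

```powershell
# Added example, not from the IBM post. Builds the WinCollect 7.2.8 silent
# install arguments from a list of Component1 values and checks the intervals
# written to AgentConfig.xml afterwards. Function names are this example's own;
# the config path is the default install location (assumption).

function New-WinCollectInstallArgs {
    param(
        [Parameter(Mandatory)][string]$StatusServer,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Component   # Component1.* values, in order
    )
    # LOG_SOURCE_AUTO_CREATION_PARAMETERS is '&'-joined key=value pairs; the
    # post's own values write spaces as '+' (High+Event+Rate+Server, DNS+Server).
    $pairs = foreach ($key in $Component.Keys) {
        'Component1.{0}={1}' -f $key, ([string]$Component[$key] -replace ' ', '+')
    }
    # Everything after /v is the MSI property list; the parameter list inside it
    # is wrapped in a doubled "" pair, exactly as in the post's cmd example.
    '/s /v"/qn STATUSSERVER={0} LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""{1}"""' -f $StatusServer, ($pairs -join '&')
}

function Get-WinCollectIntervals {
    param([string]$ConfigPath = "$env:ProgramFiles\IBM\WinCollect\config\AgentConfig.xml")
    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    # Every Service's Environment/Parameter named *Interval, with ms converted to minutes.
    foreach ($svc in $cfg.SelectNodes('//Service')) {
        foreach ($p in $svc.SelectNodes('Environment/Parameter')) {
            $name = $p.GetAttribute('name')
            if ($name -notlike '*Interval') { continue }
            $ms = [long]$p.GetAttribute('value')
            [pscustomobject]@{
                Service   = $svc.GetAttribute('name')
                Parameter = $name
                Ms        = $ms
                Minutes   = [math]::Round($ms / 60000, 2)
            }
        }
    }
}

# The post's command expressed as data. 172.18.X.X is the post's placeholder.
$component = [ordered]@{
    HeartbeatInterval          = 3600000    # 60 min
    ConfigurationCheckInterval = 900000     # 15 min (default is 5)
    AgentDevice                = 'DeviceWindowsLog'
    Action                     = 'create'
    LogSourceName              = 'EventLogLocal'
    LogSourceIdentifier        = $env:COMPUTERNAME
    'Dest.Name'                = 'QRadar'
    EventLogPollProtocol       = 'MSEVEN6'
    'Dest.Hostname'            = '172.18.X.X'
    'Dest.Port'                = 514
    'Dest.Protocol'            = 'TCP'
    'Log.Security'             = 'true'
    'Log.System'               = 'true'
    'Log.Application'          = 'true'
    RemoteMachinePollInterval  = 10000
    EventRateTuningProfile     = 'High Event Rate Server'
}
$installArgs = New-WinCollectInstallArgs -StatusServer '172.18.X.X' -Component $component
$arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$installArgs   # inspect the assembled line before running it
# Start-Process -FilePath "C:\WinCollectInstall\wincollect-7.2.8-9999.$arch.exe" -ArgumentList $installArgs -Wait

# Constructed AgentConfig.xml sample (the AgentCore fragment from the post under
# a placeholder root) so the check runs offline; on an agent, omit -ConfigPath.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'AgentConfig.sample.xml'
@'
<?xml version="1.0"?>
<AgentConfig>
  <Service classification="Static" type="Service" version="7.2.8" module="AgentCore" name="AgentCore">
    <Environment>
      <Parameter name="HeartbeatInterval" value="3600000"/>
      <Parameter name="ConfigurationCheckInterval" value="900000"/>
      <Parameter name="Enabled" value="true"/>
    </Environment>
  </Service>
</AgentConfig>
'@ | Set-Content -Path $sample -Encoding UTF8
Get-WinCollectIntervals -ConfigPath $sample | Format-Table -AutoSize
```

On a real agent, run Get-WinCollectIntervals with no arguments after the install finishes; HeartbeatInterval should read 60 minutes and ConfigurationCheckInterval 15, and a device Service that carries RemoteMachinePollInterval in the same Environment/Parameter shape (an assumption about that part of the file) will show up in the same table.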

Use Case – NSA Filtering

See the following blog on how to set NSA filtering in the cmd line install.

The post WinCollect 7.2.8 – Cmd Line parameters – setting any parameter appeared first on 101: https://www.ibm.com/community/101/2019/03/14/wincollect-7-2-8-cmd-line-parameters-setting-any-parameter/