WinCollect 7.2.8 allows you to add NSA filtering to your cmd line installer for “Stand-Alone” installs only.

You will need 3 parameters per channel you want to collect from.

System
&Component1.Filter.System.Enabled=true
&Component1.Filter.System.Type=NSAlist
&Component1.Filter.System.Param=1,6,12,13,19,104,219,1001,1125,1126,1129,7000,7022,7023,7024,7026,7031,7032,7034,7045

Application
&Component1.Filter.Application.Enabled=true
&Component1.Filter.Application.Type=NSAlist
&Component1.Filter.Application.Param=1,2,865,866,867,868,882,1000,1001,1002,1022,1033,1511,1518

Security
&Component1.Filter.Security.Enabled=true
&Component1.Filter.Security.Type=NSAlist
&Component1.Filter.Security.Param=1100,1102,4624,4625,4634,4648,4657,4672,4688,4689,4704,4706,4713,4714,4716,4719,4720,4722,4725,4726,4728,4731,4732,4733,4735,4740,4756,4765,4766,4767,4769,4776,4778,4779,4781,4782,4793,4870,4873,4874,4880,4881,4882,4885,4886,4887,4888,4890,4891,4892,4896,4897,4898,4899,4900,5038,5136,5137,5138,5139,5140,5141,5142,5144,5145,5376,5377,5632,6272,6273,6274,6275,6276,6277,6278,6279,6280,6281

Sample Install Command

c:\wincollect-7.2.8-91.exe /s /v”/qn STATUSSERVER=172.X.X.X LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=””Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=%COMPUTERNAME%&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Dest.Name=QRadar&Component1.EventLogPollProtocol=MSEVEN6&Component1.Dest.Hostname=172.X.X.X&Component1.Dest.Port=514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=true&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=3000&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1825&Component1.EventRateTuningProfile=High+Event+Rate+Server&Component1.Filter.System.Enabled=true&Component1.Filter.System.Type=NSAlist&Component1.Filter.System.Param=1,6,12,13,19,104,219,1001,1125,1126,1129,7000,7022,7023,7024,7026,7031,7032,7034,7045&Component1.Filter.Application.Enabled=true&Component1.Filter.Application.Type=NSAlist&Component1.Filter.Application.Param=1,2,865,866,867,868,882,1000,1001,1002,1022,1033,1511,1518&Component1.Filter.Security.Enabled=true&Component1.Filter.Security.Type=NSAlist&Component1.Filter.Security.Param=1100,1102,4624,4625,4634,4648,4657,4672,4688,4689,4704,4706,4713,4714,4716,4719,4720,4722,4725,4726,4728,4731,4732,4733,4735,4740,4756,4765,4766,4767,4769,4776,4778,4779,4781,4782,4793,4870,4873,4874,4880,4881,4882,4885,4886,4887,4888,4890,4891,4892,4896,4897,4898,4899,4900,5038,5136,5137,5138,5139,5140,5141,5142,5144,5145,5376,5377,5632,6272,6273,6274,6275,6276,6277,6278,6279,6280,6281″””

Replace the following entries with valid IP addresses
STATUSSERVER=172.X.X.X and
Component1.Dest.Hostname=172.X.X.X

STATUSSERVER is the location where the WinCollect Agent will send it’s status messages (i.e. WinCollect service starting or any Agent error messages)
Component1.Dest.Hostname is the location where the Agent will send the event logs (i.e. QRadar EC or Console)

Add/Subtract any of the Components or event logs you want to collect and your should be good to go.

Log File
You can verify the Agent is using the change by looking in wincollect.log, and looking for “Setup filter Application” etc.

INFO Device.WindowsLog.WindowsLogDeviceReaderPool : Monitoring Windows Log Application on ABC every 3000 msecs
INFO Device.WindowsLog.WindowsLogDeviceReaderPool : Monitoring Windows Log Security on ABC  every 3000 msecs
INFO Device.WindowsLog.WindowsLogDeviceReaderPool : Monitoring Windows Log System on ABC  every 3000 msecs
INFO Device.WindowsLog.WindowsLogDeviceReaderPool : Setup filter Application: (1-2,865-868,882,1000-1002,1022,1033,1511,1518) 
INFO Device.WindowsLog.WindowsLogDeviceReaderPool : Setup filter Security: (1100,1102,4624-4625,4634,4648,4657,4672,4688-4689,4704,4706,4713-4714,4716,4719-4720,4722,4725-4726,4728,4731-4733,4735,4740,4756,4765-4767,4769,4776,4778-4779,4781-4782,4793,4870,4873-4874,4880-4882,4885-4888,4890-4892,4896-4900,5038,5136-5142,5144-5145,5376-5377,5632,6272-6281) 
INFO Device.WindowsLog.WindowsLogDeviceReaderPool : Setup filter System: (1,6,12-13,19,104,219,1001,1125-1126,1129,7000,7022-7024,7026,7031-7032,7034,7045)

Join The Discussion

Your email address will not be published. Required fields are marked *