WinCollect 101

Capturing Windows-based events for QRadar SIEM administrators. Find information, important notices, and resources for WinCollect administrators, and ask us your questions.

What’s new in WinCollect 7.2.8?

New features are now provided to WinCollect users with the release of WinCollect 7.2.8:

  • Logs are combined into a single WinCollect.log for easier troubleshooting
  • A new statistics log file is available to help administrators understand collection and EPS output to QRadar
  • IIS support updated in WinCollect 7.2.8 for log rollover improvements and to add support for remote polling of IIS events
  • A new Microsoft Exchange plug-in is now available for WinCollect 7.2.8 to collect OWA access, message tracking, and SMTP logs
  • The supported operating system list was updated to include Windows 2016 Core
  • Two new support utilities are available on QRadar appliances for managed WinCollect deployments:
    • /opt/qradar/support/
    • /opt/qradar/support/

Supported versions

WinCollect is a Windows agent provided to QRadar administrators for the collection of Windows events in their networks. Administrators should be aware that the supported software versions for IBM WinCollect are the latest version (n) and the latest minus one (n-1). This means that the two newest versions of WinCollect (7.2.8 and 7.2.7) are the versions that QRadar Support will recommend upgrading to in any support tickets (cases) that are opened against older versions. It is important for administrators to keep up to date with the latest releases, as issues are fixed and new functionality is released to improve collection of Windows events and keep pace with Microsoft event logging protocol standards.

WinCollect is not supported on versions of Windows that are designated end-of-life by Microsoft. After software is beyond the Extended Support End Date, the product might still function as expected. However, IBM does not make code or vulnerability fixes to resolve WinCollect issues on those older operating systems, so agents on end-of-life hosts should be treated as unpatched collection points and migrated. The supported operating systems are:

  • Windows Server 2019 (including Core)
  • Windows Server 2016 (including Core)
  • Windows Server 2012 (including Core)
  • Windows Server 2008 (including Core)
  • POSReady 7
  • Windows 10
  • Windows 8
  • Windows 7

Watch the Latest WinCollect Open Mic

During this session we talk about WinCollect overall, tools, notifications, and troubleshooting tips, and round-table your questions as they come in from the live audience for the webcast. The panelists for this session include the QRadar Development and Support teams. For a list of previous open mic sessions, see the full open mic list.

Expert blogs

Bulk Editing in WinCollect & Log Source Management

Leverage the power of the Log Source Management app from the X-Force App Exchange to easily edit your WinCollect log sources.

Install WinCollect to Include XPath Queries

This blog post explains how to install a stand-alone WinCollect 7.2.8 agent from the command line so that the agent's log source is created with an XPath query, which filters events on the Windows host before they are sent to QRadar.

Install WinCollect to Include NSA Filters

How to install a stand-alone WinCollect 7.2.8 agent from the command line so that the agent's log source is created with the NSA filter applied.

DNS Server Analytic WinCollect Configurations

This blog post walks administrators through configuring WinCollect to collect DNS Server Analytic logs for the first time.

Stand-alone WinCollect and Template XML Installs

Templates allow administrators to deploy stand-alone agent configurations without having to manually alter AgentConfig.xml or script the changes.

Adding Device Types to Stand-alone WinCollect

This blog describes how to deploy an additional plug-in (device type/service) without the need to run the stand-alone patch installer on each Windows host.