Microsoft Security Event Log over MSRPC Protocol

The Microsoft Security Event Log over MSRPC protocol (MSRPC) is an active outbound protocol that collects Windows events without an agent installed on the Windows host.

The MSRPC protocol uses the Microsoft Distributed Computing Environment/Remote Procedure Call (DCE/RPC) specification to provide agentless, encrypted event collection.

The following table lists the supported features of the MSRPC protocol.

Table 1. Supported features of the MSRPC protocol
Features Microsoft Security Event Log over MSRPC protocol
Manufacturer Microsoft
Connection test tool The MSRPC test tool checks the connectivity between the QRadar® appliance and a Windows host. The MSRPC test tool is part of the MSRPC protocol RPM and can be found in /opt/qradar/jars after you install the protocol. For more information, see MSRPC test tool (
Protocol type

The remote procedure protocol type for collecting events. The protocol type depends on your operating system.

Select one of the following options from the Protocol Type list:

The default protocol type for new log sources.
The protocol type that is used by QRadar to communicate with Windows Vista and Windows Server 2012 and later.
Important: The MS-EVEN (for Windows XP/2003) option is no longer supported. However, it still appears in the Protocol Type list.
auto-detect (for legacy configurations)
Previous log source configurations for the Microsoft Windows Security Event Log DSM use the auto-detect (for legacy configurations) protocol type.
Upgrade to the MS_EVEN6 protocol type.
Maximum EPS rate 100 EPS / Windows host
Maximum overall EPS rate of MSRPC 8500 EPS / IBM® QRadar 16xx or 18xx appliance
Maximum number of supported log sources 500 log sources / QRadar 16xx or 18xx appliance
Bulk log source support Yes
Encryption Yes
Supported event types




DNS Server

File Replication

Directory Service logs

Supported Windows Operating Systems

Windows Server 2022 (including Core) WinCollect v10.1.2 and above

Windows Server 2019 (including Core)

Windows Server 2016 (including Core)

Windows Server 2012 (including Core)

Windows 10

Windows 11 WinCollect v10.1.2 and above

Required permissions The log source user must be a member of the Event Log Readers group. If this group is not configured, then domain admin privileges are usually required to poll a Windows event log across a domain. In some cases, the backup operators group can be used depending on how Microsoft Group Policy Objects are configured.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft Windows\CurrentVersion
Required RPM files PROTOCOL-WindowsEventRPC-QRadar_release-Build_number.noarch.rpm



Windows service requirements
  • Remote Procedure Call (RPC)
  • RPC Endpoint Mapper
Windows port requirements
  • TCP port 135
  • TCP port 445
  • TCP port that is dynamically allocated for RPC, from port 49152 up to 65535
Special features Supports encrypted events by default.
Automatically discovered? No
Includes identity? Yes
Includes custom properties? A security content pack with Windows custom event properties is available on IBM Fix Central.
Intended application Agentless event collection for Windows operating systems that can support 100 EPS per log source.
Tuning support MSRPC is limited to 100 EPS / Windows host. For higher event rate systems, see the IBM QRadar WinCollect User Guide.
Event filtering support MSRPC does not support event filtering. See the IBM QRadar WinCollect User Guide for this feature.
More information Microsoft support (