Microsoft Security Event Log over MSRPC Protocol
The Microsoft Security Event Log over MSRPC protocol (MSRPC) is an active outbound protocol that collects Windows events without an agent installed on the Windows host.
The MSRPC protocol uses the Microsoft Distributed Computing Environment/Remote Procedure Call (DCE/RPC) specification to provide agentless, encrypted event collection.
The following table lists the supported features of the MSRPC protocol.
|Features||Microsoft Security Event Log over MSRPC protocol|
|Connection test tool||The MSRPC test tool checks the connectivity between the QRadar® appliance and a Windows host. The MSRPC test tool is part of the MSRPC protocol RPM and can be found in /opt/qradar/jars after you install the protocol. For more information, see MSRPC test tool (http://www.ibm.com/support/docview.wss?uid=swg21959348)|
The remote procedure protocol type for collecting events. The protocol type depends on your operating system.
Select one of the following options from the Protocol Type list:
Important: The MS-EVEN (for Windows XP/2003) option is no longer supported. However, it still appears in the Protocol Type list.
|Maximum EPS rate||100 EPS / Windows host|
|Maximum overall EPS rate of MSRPC||8500 EPS / IBM® QRadar 16xx or 18xx appliance|
|Maximum number of supported log sources||500 log sources / QRadar 16xx or 18xx appliance|
|Bulk log source support||Yes|
|Supported event types||
Directory Service logs
|Supported Windows Operating Systems||
Windows Server 2022 (including Core) WinCollect v10.1.2 and above
Windows Server 2019 (including Core)
Windows Server 2016 (including Core)
Windows Server 2012 (including Core)
Windows 11 WinCollect v10.1.2 and above
|Required permissions||The log source user must be a member of the Event Log Readers group. If this group is not
configured, then domain admin privileges are usually required to poll a Windows event log across a domain. In some cases, the backup operators group can be
used depending on how Microsoft Group Policy Objects are
|Required RPM files||PROTOCOL-WindowsEventRPC-QRadar_release-Build_number.noarch.rpm
|Windows service requirements||
|Windows port requirements||
|Special features||Supports encrypted events by default.|
|Includes custom properties?||A security content pack with Windows custom event properties is available on IBM Fix Central.|
|Intended application||Agentless event collection for Windows operating systems that can support 100 EPS per log source.|
|Tuning support||MSRPC is limited to 100 EPS / Windows host. For higher event rate systems, see the IBM QRadar WinCollect User Guide.|
|Event filtering support||MSRPC does not support event filtering. See the IBM QRadar WinCollect User Guide for this feature.|
|More information||Microsoft support (http://support.microsoft.com/)|