The WinCollect 10 statistics file

Every agent has a statistics file that you can use to see the events that the agent processed over a period of time. The statistics file is stored in the /logs directory of the agent installation.

You can open the statistics file in any text editor. The file looks similar to the following example:
From 20210915.130000 to 20210915.140000
Destination//QRadar: 3.5/162,6,4,3,6,31,4,3,3,3,26,3,3,3,6,30,3,4,3,3,32,3,4,4,7,2.4/116,3,3,3,3,25,4,3,3,6,31,4,3,3,3,23,3,3,3,10,48,9,10,4,12,31,12,3,3,6,19,12,3,3,4
Source//Local//Application: 0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Source//Local//DNS Debug: 162,,,,,6,,,,,2,,,,,4,,,,,6,,,,,116,,,,,2,,,,,8,,,,,2,,,,,28,,,,,12,,,,,4,,,,
Source//Local//Security: 27,5,4,3,6,24,3,3,3,3,24,3,3,3,6,26,3,4,3,3,26,3,4,3,6,21,3,3,3,3,23,4,3,3,6,23,4,3,3,3,21,3,3,3,10,20,9,6,4,12,15,12,3,3,6,15,12,3,3,4
Source//Local//XPath Sysmon Powershell: 3,1,,,,1,,,,,,,,,,,,,,,,,,,1,2,,,,,,,,,,,,,,,,,,,,,,2,,,4,,,,,,,,,
StatusServer// 0,,,,1,,,,,1,,,,,1,,,,,1,,,1,,1,,,1,,1,,,,1,1,,,,,1,,,,1,1,1,,,,1,,,,,1,,,,,1
UserData//EvtsOnDisk: 0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Table 1. How to read the statistics file

Value: From 20210915.130000 to 20210915.140000
Description: The statistics file is updated every minute and starts a new section every hour. In this example, the data is from Sept 15, 2021, from 1 PM to 2 PM.

Value: Destination//QRadar: 3.5/162,6,4,3,6,31,4,3,3,3,26,3,3,3,6,30,3,4,3,3,32,3,4,4,7,2.4/116,3,3,3,3,25,4,3,3,6,31,4,3,3,3,23,3,3,3,10,48,9,10,4,12,31,12,3,3,6,19,12,3,3,4
Description: There is one line like this for each destination that you send logs to. In this example, there is one destination, named QRadar.

Events per Minute (EPM) are logged each minute, so this comma-separated line contains 60 entries. The most recent entries are the values on the far right.

Numbers in the X/Y format represent the average and the highest EPS seen for that minute.
  • For example, 3.5/162 means that the average EPS was 3.5 and the highest number of events processed in any 1 second of that minute was 162.

Value: Source//Local//Application: 0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Description: This is a source named Application, in the Local group. It collects events from the local Application event channel.

Value: Source//Local//DNS Debug: 162,,,,,6,,,,,2,,,,,4,,,,,6,,,,,116,,,,,2,,,,,8,,,,,2,,,,,28,,,,,12,,,,,4,,,,
Description: This is a source named DNS Debug, in the Local group. It collects DNS Debug logs on the local machine.

Value: Source//Local//Security: 27,5,4,3,6,24,3,3,3,3,24,3,3,3,6,26,3,4,3,3,26,3,4,3,6,21,3,3,3,3,23,4,3,3,6,23,4,3,3,3,21,3,3,3,10,20,9,6,4,12,15,12,3,3,6,15,12,3,3,4
Description: This is a source named Security, in the Local group. It collects events from the local Security event channel.

As expected, this is the busiest source. The Security channel typically generates the most traffic of the standard event logs.

Value: Source//Local//XPath Sysmon Powershell: 3,1,,,,1,,,,,,,,,,,,,,,,,,,1,2,,,,,,,,,,,,,,,,,,,,,,2,,,4,,,,,,,,,
Description: This is a source named XPath Sysmon Powershell, in the Local group. It collects events from the Sysmon and PowerShell Applications and Services event logs.

Value: StatusServer// 0,,,,1,,,,,1,,,,,1,,,,,1,,,1,,1,,,1,,1,,,,1,1,,,,,1,,,,1,1,1,,,,1,,,,,1
Description: This is the destination for status messages, which include heartbeat messages, service stop or start messages, and agent error messages. Typically, these have a very low EPS count (one message every 5 minutes).

Value: UserData//EvtsOnDisk: 0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Description: This shows whether events are being stored on disk. For example, if the agent can't communicate with QRadar, it stores events to disk until it can reopen the connection.
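The format described in Table 1 is simple enough to parse with a short script, which is useful if you want to check agent health across many hosts rather than reading the file by hand. The following Python example is added here and is not part of the IBM documentation or the WinCollect agent: it parses the "From ... to ..." sections, the "Name: values" lines (including the StatusServer line, which has no colon), and the X/Y entries, then answers the questions the table raises: which source is busiest, what the most recent value of a line is, what the highest EPS sent to a destination was, and whether the agent has been spooling events to disk. The first section of the sample input is the hour shown above; the second hour is constructed to show the EvtsOnDisk counter climbing after the agent loses contact with QRadar.

```python
"""Parse a WinCollect 10 statistics file and pull out the health signals that
Table 1 describes. Added example; not IBM's documentation or WinCollect code."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed input: the hour shown on the page, followed by an invented second
# hour in which the agent loses contact with QRadar and EvtsOnDisk starts to
# climb. Blank entries mean that no value was logged for that minute.
SAMPLE_STATS = """\
From 20210915.130000 to 20210915.140000
Destination//QRadar: 3.5/162,6,4,3,6,31,4,3,3,3,26,3,3,3,6,30,3,4,3,3,32,3,4,4,7,2.4/116,3,3,3,3,25,4,3,3,6,31,4,3,3,3,23,3,3,3,10,48,9,10,4,12,31,12,3,3,6,19,12,3,3,4
Source//Local//Application: 0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Source//Local//DNS Debug: 162,,,,,6,,,,,2,,,,,4,,,,,6,,,,,116,,,,,2,,,,,8,,,,,2,,,,,28,,,,,12,,,,,4,,,,
Source//Local//Security: 27,5,4,3,6,24,3,3,3,3,24,3,3,3,6,26,3,4,3,3,26,3,4,3,6,21,3,3,3,3,23,4,3,3,6,23,4,3,3,3,21,3,3,3,10,20,9,6,4,12,15,12,3,3,6,15,12,3,3,4
Source//Local//XPath Sysmon Powershell: 3,1,,,,1,,,,,,,,,,,,,,,,,,,1,2,,,,,,,,,,,,,,,,,,,,,,2,,,4,,,,,,,,,
StatusServer// 0,,,,1,,,,,1,,,,,1,,,,,1,,,1,,1,,,1,,1,,,,1,1,,,,,1,,,,1,1,1,,,,1,,,,,1
UserData//EvtsOnDisk: 0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
From 20210915.140000 to 20210915.150000
Destination//QRadar: 4,3,3,0,0,0,0,0,0,0
Source//Local//Security: 5,4,3,6,5,4,7,3,4,5
StatusServer// 1,,,,,1,,,,
UserData//EvtsOnDisk: 0,0,0,6,11,15,22,25,29,34
"""


@dataclass
class Sample:
    value: Optional[float]        # plain entry, or the average EPS (X) of an X/Y entry
    peak: Optional[float] = None  # the Y of an X/Y entry: highest EPS in that minute


@dataclass
class Section:
    start: datetime
    end: datetime
    series: dict = field(default_factory=dict)  # line name -> list of Sample


HEADER_RE = re.compile(r"^From (\d{8}\.\d{6}) to (\d{8}\.\d{6})$")


def parse_sample(token: str) -> Sample:
    token = token.strip()
    if not token:
        return Sample(None)
    if "/" in token:                      # X/Y = average EPS / highest EPS in the minute
        avg, peak = token.split("/", 1)
        return Sample(float(avg), float(peak))
    return Sample(float(token))


def parse_stats(text: str) -> list:
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:                              # "From ... to ..." opens a new hourly section
            start, end = (datetime.strptime(s, "%Y%m%d.%H%M%S") for s in m.groups())
            sections.append(Section(start, end))
            continue
        if not sections:
            raise ValueError(f"data before the first 'From ... to ...' header: {line!r}")
        # Most lines are "Name: values"; the StatusServer line has no colon, only a space.
        if ":" in line:
            name, values = line.split(":", 1)
        else:
            parts = line.split(None, 1)
            name, values = parts[0], (parts[1] if len(parts) > 1 else "")
        sections[-1].series[name.strip()] = [parse_sample(t) for t in values.split(",")]
    return sections


def series_total(section: Section, name: str) -> float:
    """Sum of a line's entries; X/Y entries contribute their average X."""
    return sum(s.value for s in section.series.get(name, []) if s.value is not None)


def busiest_source(section: Section) -> Optional[str]:
    sources = [n for n in section.series if n.startswith("Source//")]
    return max(sources, key=lambda n: series_total(section, n)) if sources else None


def latest_sample(section: Section, name: str) -> Optional[Sample]:
    """Right-most non-blank entry, i.e. the most recent minute that has a value."""
    for s in reversed(section.series.get(name, [])):
        if s.value is not None:
            return s
    return None


def peak_eps(section: Section, name: str) -> Optional[float]:
    peaks = [s.peak for s in section.series.get(name, []) if s.peak is not None]
    return max(peaks) if peaks else None


def events_spooled_to_disk(section: Section) -> bool:
    """True if any EvtsOnDisk entry in this hour is non-zero (agent could not reach QRadar)."""
    return any(s.value for s in section.series.get("UserData//EvtsOnDisk", []))


if __name__ == "__main__":
    for sec in parse_stats(SAMPLE_STATS):
        print(f"{sec.start:%Y-%m-%d %H:%M}-{sec.end:%H:%M} busiest={busiest_source(sec)}"
              f" qradar_peak_eps={peak_eps(sec, 'Destination//QRadar')}"
              f" spooling={events_spooled_to_disk(sec)}")
```

Run it against a real file by replacing SAMPLE_STATS with the contents of the statistics file from the agent's /logs directory. A non-zero EvtsOnDisk value paired with a Destination line that drops to zero is the pattern to alert on: the agent is still collecting, but nothing is reaching QRadar.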