WinCollect deployment planning
Work with your Windows IT group and the QRadar® group to answer the following questions to plan your WinCollect deployment.
- Which Windows endpoints do I need to collect data from?
- Where are these endpoints located?
- What data do I need to collect?
- How much will my EPS increase?
- Do I install a managed or stand-alone configuration?
- How do I want to collect the events?
Which Windows endpoints do I need to collect data from?
- What is the Windows Operating System?
- Are these “high value” servers. High value servers typically generate high Events per Second (EPS) and have a higher importance (such as Domain Controllers or Web Servers).
- Are you allowed to install a WinCollect Agent on this endpoint?
- Will this endpoint require more configuration changes?
- Point-of-sale (POS) devices are typically low EPS and rarely require updates.
- A Domain Controller might require frequent configuration changes (for example, modify the event filter to configure which event IDs are collected).
Where are these endpoints located?
- Are the endpoints all in the same region, or are they distributed across geographies?
- Are they in the same domain, child domains, or off the network?
- What is their line of sight?
- Which Console, Event Collector, or Event Processor do the endpoints have visibility to?
What data do I need to collect?
- Which Event logs do you need to collect? Apart from the standard Windows logs (Application, System, Security), do you need data from applications
and services logs such as Powershell or Sysmon? Application and services logs are collected by
providing an XPath to the WinCollect
- XPath queries are structured XML expressions that you use to retrieve customized events from the Windows event log.
- In addition to event logs, identify any of the following logs you might want to collect:
Tip: These logs can be collected by a local Agent or a Remote agent.
- DNS Debug
- Juniper SBR
- File Forwarder (generic log file forwarder)
How much will my EPS increase?
- How much EPS will my endpoints generate?
- How many Event Processors or Collectors will be required to handle this EPS?
- How many events per second (EPS) are you licensed for?
- How much EPS are the Event Processors and Collectors rated for?
- What is the Average and Peak EPS generated by my endpoints?
- It is important to estimate the Peak EPS for the endpoints. Your Event Collector might handle 40,000 EPS, but when employees log in at 8:00 AM, will this EPS spike to 80,000? And if so, for how long? Can your QRadar appliances handle these spikes, or do you need to spread out the load across 1 or more Event Collectors?
- How many endpoints are communicating with the server (Domain Controller)
- Level of Audit Logging configured
- Applications that are installed and generating events
|Endpoint type||Average EPS||Peak EPS|
|Employee Endpoints Desktops & Laptops||0.005||0.05|
|Windows Domain Server||5 - 10||350|
|Web Servers (IIS, Apache)||5 - 10||350|
|Windows DNS Server||0.5||5|
Do I install a managed or stand-alone configuration?
You can install WinCollect agents in an environment that is managed by QRadar, as a stand-alone agent, or a combination of both.
The WinCollect agent is managed by QRadar. Code updates and configuration changes are provided by the QRadar console to the agent installed on the Windows endpoint. This option requires TCP communication over port 8413 between the Windows endpoint and QRadar. Customers manage what data the agent will collect by adding log sources in the QRadar Console.
The agent also requires access to port 514 UDP or TCP to send the syslog data to QRadar. In smaller deployments that don't exceed the managed limitations, customers typically choose managed installation to maintain control of WinCollect code and configuration changes.
- Current QRadar managed limitations
- 200 endpoints - Console
- 500 endpoints - Event Processor/Collector 1
- 500 endpoints - Event Processor/Collector 2
In a stand-alone installation, the WinCollect agent is not managed by QRadar. The only communication the agent has with QRadar is via TCP/UDP over port 514. To upgrade these agents, you need to reinstall the agent or use the patch installer to update the code. Currently the patch installer is a separate installation provided by IBM that includes code updates and the WinCollect Configuration Console.
To make configuration changes, you need to either install the WinCollect Configuration Console GUI tool or make changes directly to the agents' configuration. For large deployments, customers typically chose stand-alone installations, so they can control the installation and configuration using BigFix or Microsoft System Center Configuration Manager.
Changes to the configuration can be made using templates which will allow you to make changes to the Agent-Config.xml without editing the file directory. For more information, see https://www.ibm.com/community/qradar/2019/03/14/wincollect-7-2-8-stand-alone-change-configuration-with-templates/.
How do I want to collect the events?
Maximum EPS supported: 5,000 EPS
The WinCollect agent is installed on the endpoint in either a managed or stand-alone configuration and collects Windows event logs from the local endpoint. You can use this collection method on Windows hosts that are busy or have limited resources, such as domain controllers. Domain controllers typically have a heavier event per second (EPS) rate than member servers.
Maximum EPS supported: 2,500 events total, across 500 remote endpoints
|135||TCP||Microsoft Endpoint Mapper|
|137||UDP||NetBIOS name service|
|138||UDP||NetBIOS datagram service|
|139||TCP||NetBIOS session service|
|445||TCP||Microsoft Directory Services for file transfers that use Windows share|
|49152-65535||TCP||Default dynamic port range for TCP/IP
Tip: Some windows servers might have a different default dynamic range set for TCP. To check the default range on your server, use the following command:
- Remote Event Log Management (RPC)
- Remote Event Log Management (RPC-EPMAP)
- Tuning considerations when remote polling
- For information about tuning profiles for remote polling, see Log source event rates and tuning profiles.
Windows Event Forwarding (WEF)
- Events can be pushed or pulled from the WEC Server
- Can be configured via GPO
- Uses Windows Remote Management (Kerberos) to prevent man in the middle
- Recommended to target certain event logs and event IDs (use Xpath)
- Events are collected to one central event log file (EVTX file) that WinCollect can poll