Configuring a remote source
You can configure sources to remotely collect Windows events in the WinCollect 10 Console.
Ensure that the user account that you are using has permissions to connect to the remote devices that are configured in Step 10.
Before you begin
- From the IBM® WinCollect 10 Console, click the menu icon, and select Source Wizard.
- Select Remote for the Select Source Group Type.
- For Select Source Group, click Create
New. Tip: You can also add the new device to an existing group.
- Type Domain Workstations as the name of the group, and add a description.
- On the Select Source Type window, leave the default settings to Windows Event Subscription.
- In the Configure Source Parameters section, select the channels that
you want to collect events from. Tip: You can also create an XPath Query that contains a custom set of channels and event IDs that you want to create.
- Select the Application, System, and Security event channels, then click Credentials.
- Click Create New. Tip: If you previously added a credential, select it in the Select Credentials window. By default, after you install a new agent, no credentials are configured.
- In the Credentials window, enter the credential details and click Step 6: Device.
- In the Create Device window, enter the following details for device
that you want to collect events from:
Option Description Device Address Specify the FQDN or the IP address of the remote device. Name If you don't specify a name, the FQDN or IP address from the Device Address is used as the name. Description (Optional) Type a description to identify the device. Credentials (Optional) Specify the credentials that you created in the previous step.
- In the Configure Destination window, specify where you want these
events to go. Tip: If you installed the agent using the Quick Installation, you might already have a Destination created called QRadar®. If you want your new remote source to go to the same location, you can select this destination.
- To add another QRadar appliance, select Create New.
- Type QRadarEP as the Name.
- Optional: Add a Description.
- Specify the hostname or the IP address of the QRadar appliance as the
Device Address. Tip: If you are using the hostname of the EP, ensure that your agent can resolve the hostname. The default port number is 514. The default Maximum events per second is 20,000.
- Click Finish. The WinCollect 10 dashboard displays a notification that you have pending changes.
- Deploy the changes.