Configuring access to the registry for remote polling

Before a WinCollect log source can remotely poll for events, you must configure a local policy for your Windows-based systems.

When a local policy is configured on each remote system, a single WinCollect agent uses the Windows Event Log API to read the remote registry and retrieve event logs. The Windows Event Log API does not require domain administrator credentials. However, the event API method does require an account that has access to the remote registry and to the security event log.

By using this collection method, the log source can remotely read the full event log. However, the method requires WinCollect to parse the retrieved event log information from the remote host against cached message content. WinCollect uses version information from the remote operating system to ensure that the message content is correctly parsed before it forwards the event to IBM® Security QRadar®.

Procedure

  1. Log on to the Windows computer that you want to remotely poll for events.
  2. Select Start > Programs > Administrative Tools and then click Local Security Policy.
  3. From the navigation menu, select Local Policies > User Rights Assignment.
  4. Right-click Manage auditing and security log and select Properties.
  5. From the Local Security Setting tab, click Add User or Group to add your WinCollect user to the local security policy.
  6. Log out of the Windows host and try to poll the remote host for Windows-based events that belong to your WinCollect log source.

    If you cannot collect events for the WinCollect log source, verify that your group policy does not override your local policy. You can also verify that the local firewall settings on the Windows host allow remote event log management.
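The following PowerShell script is an added verification aid, not part of the IBM WinCollect documentation: run it in an elevated session on the polled Windows host after step 5 to confirm that the WinCollect account holds the "Manage auditing and security log" right (stored as SeSecurityPrivilege), that no group policy has overridden it, and that the firewall rule group for remote event log management is enabled. The account name `DOMAIN\wincollect-svc` is an assumed placeholder.

```powershell
# Added verification script (not IBM's code). Run elevated on the host to be polled.
param(
    [string]$WinCollectUser = 'DOMAIN\wincollect-svc'   # assumed placeholder account
)

# 1. Resolve the account to its SID; secedit lists user rights as *SID entries.
$account = New-Object System.Security.Principal.NTAccount($WinCollectUser)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 2. Export the effective User Rights Assignment. "Manage auditing and security log"
#    is SeSecurityPrivilege. A domain GPO that defines this right replaces the local
#    list, so if the account is missing here after you added it in Local Security
#    Policy, group policy is overriding the local setting.
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' } |
        Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if ($line -and ($line -match [regex]::Escape("*$sid"))) {
    Write-Host "OK: $WinCollectUser holds 'Manage auditing and security log'."
} else {
    Write-Warning ("$WinCollectUser is NOT granted SeSecurityPrivilege. " +
                   "Run 'gpresult /scope computer /r' to find a GPO that sets User Rights Assignment.")
}

# 3. Confirm Windows Firewall allows remote event log management
#    (the built-in rule group covers the RPC, RPC-EPMAP and NP-In rules).
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -ErrorAction SilentlyContinue
if (-not $rules) {
    Write-Warning "No 'Remote Event Log Management' firewall rule group found on this host."
} else {
    $disabled = $rules | Where-Object { $_.Enabled -eq 'False' }
    if ($disabled) {
        Write-Warning ("Disabled firewall rules: " + ($disabled.DisplayName -join '; '))
    } else {
        Write-Host "OK: all 'Remote Event Log Management' firewall rules are enabled."
    }
}

# 4. From the WinCollect agent host, a remote read of the Security log with the same
#    account confirms the end-to-end path (replace <target> with the polled host name):
#    Get-WinEvent -ComputerName <target> -LogName Security -MaxEvents 1 `
#        -Credential (Get-Credential $WinCollectUser)
```

If step 2 reports the account missing even though it appears in the Local Security Policy console, adjust the overriding GPO rather than the local policy, because the local change is replaced again at the next policy refresh.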