Adding a destination

If you install the WinCollect 10 agent by using the Quick Installation option, a destination that is called QRadar® is created during the installation. You can also add new destinations.

About this task

Use the following Syslog types for a destination:

  • RFC 3164: The default method of sending events to QRadar.
  • RFC 5424: A newer syslog format that can be selected to have correct IPv6 parsing on syslog events in QRadar.

Procedure

  1. From the Agent Configuration menu, click Destinations.
  2. In the Destinations window, click Add in the Destinations section.
  3. Configure the following options:
    Option: Description
    Name: Give your destination a name.
    Type: Types of destinations.
      • Destination - A standard destination located in some remote location.
      • Disk Destination - A location on disk to store events.
      • Kafka Destination - Events are sent by using a Kafka producer.
    Device Address: Use the DNS name of your QRadar appliance. If DNS is not configured, use the IP address.
    Protocol: The default is set to TCP. Important: If you want to specify a secondary destination, you must select a connection-based protocol such as TCP, TLS, or mTLS.
  4. To configure Destination parameters, set the following options:
    Option: Description
    Enabled: Enable the destination, or disable it to stop events from being sent.
    Device Address: The hostname or IP address of the appliance where the event data is sent.
    Port: The port number used to send data.
    Secondary device address: Used as a backup destination. For more information, see Adding a Secondary Destination.
    Maximum events per second: The EPS rate sent to that destination.
    Format: The format the destination uses to send data.
    Include Agent ID: If configured, you can include the agent identifier that is in the SYSLOG header for all your log sources.
    Protocol: The protocol used by the destination.
  5. To configure Disk Destination parameters, set the following options:
    Option: Description
    Enabled: Enable the destination, or disable it to stop events from being sent.
    Maximum events per second: The EPS rate sent to that destination.
    Format: The format the destination uses to send data.
    Output file: The name of the single file where all events are written. The only accepted file extension is .txt. The default value is the name of this destination followed by the .txt file extension.
    Max file size: The maximum size of the file. Events are discarded when the file reaches the maximum capacity.
  6. To configure Kafka Destination parameters, set the following options:
    Option: Description
    Enabled: Enable the destination, or disable it to stop events from being sent.
    Maximum events per second: The EPS rate sent to that destination.
    Format: The format the destination uses to send data.
    Brokerlist: Kafka brokerlist, where items in the list are separated by a comma.
    Kafka Config Settings: More Kafka configuration settings, where items in the list are separated by an equal sign (=). These settings are examples of the syntax:
      • socket.timeout.ms=100
      • socket.blocking.max.ms=100
    Topic: The Kafka topic where events are published.
    Protocol: Select TCP, TLS, or mTLS from the list.
    Enable SASL: Select this option if you want to use SASL for the authentication process.
  7. To configure HTTP Destination parameters (events are sent by using curl to an HTTP(s) endpoint), set the following options:
    Option: Description
    Enabled: Enable the destination, or disable it to stop events from being sent.
    Maximum events per second: The EPS rate sent to that destination.
    Format: The format the destination uses to send data.
    Device Address: The hostname or IP address of the appliance where the event data is sent.
    Port: The port number used to send data.
    Path: The HTTP(s) endpoint path where the events are sent. If you leave this field blank, events are sent to '/'.
    Use HTTP Header Authentication Token: Select this option to add the Authorization header to the events.
    Authentication Token Header Name: The HTTP header name to be added to the Authorization header. Common names include Basic, Digest, and Bearer.
    Authentication Token Value: The HTTP value associated with the Authentication Token Header Name.
    Compress: Select this option to compress the event payload with gzip compression.
    Secondary device address: Used as a backup destination. For more information, see Adding a Secondary Destination.
  8. To configure TLS/HTTPS protocol, set the following options:
    Option: Description
    Certificate Source: Where to obtain certificates for validating the incoming TLS server certificate.
    Certificate: Used in TLS and mTLS communication, when not using the certificate store. Must be a PEM file.
    Hostname Validation: Used in TLS and mTLS communication. Determines whether to enable hostname validation for the TLS connection.
    Certificate Store: Used in TLS and mTLS communication, as an alternative to providing a specific certificate. The name of the Windows certificate store that is on the local computer where the client certificate is located.
    Client Certificate Source: Format of certificate and private key that is used for the client certificate.
    Client Certificate: The client certificate to be sent to the server for mutual TLS. Save your certificate as a PEM file with the .pem file extension and provide the path to the file here prefixed with an @ character.
    Client Private Key: The private key that is associated with the provided client certificate. Save your key as a PEM file with the .pem file extension and provide the path to the file prefixed with an @ character. This key must be encrypted with a pass phrase.
    Client Certificate Key Pair: The client certificate and key pair to be sent to the server for mutual TLS. Save your certificate and key as a PKCS#12 file and provide the path to the file prefixed with an @ character.
    Client Certificate Store: The name of the Windows certificate store that is on the local computer where the client certificate is located.
    mTLS client certificate identifier: The method by which the client certificate is identified in the Windows certificate store. The options are either friendly name or thumbprint. The friendly name option is the default.
    mTLS client certificate friendly name: The value set as the friendly name on the certificate in the Windows certificate store.
    Client Certificate Hash: The thumbprint (or SHA1 hash) of the client certificate to use.
  9. To configure Kafka SASL authentication, set the following options:
    Option: Description
    SASL Type: The SASL mechanism to use:
      • Plain
      • SCRAM-SHA-256
      • SCRAM-SHA-512
    SASL username: The username for the Kafka connection.
    SASL Password: The password for the Kafka connection.
  10. Click Save.
  11. Deploy your changes.
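
The file-based mTLS values in step 8 can be checked before you deploy. The following Python code is an added example, not IBM or WinCollect code: it checks the @ prefix and .pem extension of a field value, confirms that a private key PEM is pass-phrase protected, and computes the SHA-1 thumbprint to compare with Client Certificate Hash. The function names, file paths and PEM bodies are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Yield (label, headers, der_bytes) for each PEM block in text."""
    for label, body in PEM_RE.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]   # base64 never contains ':'
        der = base64.b64decode("".join(ln for ln in lines if ":" not in ln))
        yield label, headers, der

def key_is_encrypted(pem_text):
    """True only if the text holds private keys and all are pass-phrase protected."""
    keys = [(lb, hd) for lb, hd, _ in pem_blocks(pem_text) if lb.endswith("PRIVATE KEY")]
    return bool(keys) and all(
        lb == "ENCRYPTED PRIVATE KEY"                                      # PKCS#8
        or any(h.replace(" ", "") == "Proc-Type:4,ENCRYPTED" for h in hd)  # legacy PEM
        for lb, hd in keys)

def thumbprint(cert_pem):
    """SHA-1 of the first certificate's DER bytes, as upper-case hex."""
    for label, _, der in pem_blocks(cert_pem):
        if label == "CERTIFICATE":
            return hashlib.sha1(der).hexdigest().upper()
    raise ValueError("no CERTIFICATE block found")

def check_field(value):
    """List problems with a Client Certificate or Client Private Key field value."""
    checks = [(value.startswith("@"), "path is not prefixed with @"),
              (value.lower().endswith(".pem"), "file extension is not .pem")]
    return [msg for ok, msg in checks if not ok]

# Constructed inputs: placeholder bytes, not real keys or certificates.
BODY = base64.b64encode(b"constructed placeholder bytes").decode()
PLAIN_KEY = f"-----BEGIN PRIVATE KEY-----\n{BODY}\n-----END PRIVATE KEY-----\n"
PKCS8_ENC = f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{BODY}\n-----END ENCRYPTED PRIVATE KEY-----\n"
LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              f"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n{BODY}\n"
              "-----END RSA PRIVATE KEY-----\n")
CERT = f"-----BEGIN CERTIFICATE-----\n{BODY}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, pem in (("plain", PLAIN_KEY), ("pkcs8", PKCS8_ENC), ("legacy", LEGACY_ENC)):
        print(name, "encrypted" if key_is_encrypted(pem) else "NOT encrypted")
    print("thumbprint:", thumbprint(CERT))
```

The check reads only the PEM armor, so it shows that a key is marked as encrypted, not that the pass phrase you hold opens it.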

Results

Some destination parameters can cause unexpected behavior when they are changed while events exist on the disk. Existing events on disk might be ignored when the Name parameter is changed. Existing events on disk might be sent at a different rate than what you configured for the Maximum events per second parameter if that parameter is changed.