Adding a destination
If you install the WinCollect 10 agent by using the Quick Installation option, a destination that is called QRadar® is created during the installation. You can also add new destinations.
About this task
Use the following Syslog types for a destination:
Procedure
- From the Agent Configuration menu, click Destinations.
- In the Destinations window, click Add in the Destinations section.
- Configure the following options:
  - Name: Give your destination a name.
  - Type: Types of destinations.
    - Destination - A standard destination located in some remote location.
    - Disk Destination - A location on disk to store events.
    - Kafka Destination - Events are sent by using a Kafka producer.
  - Device Address: Use the DNS name of your QRadar appliance. If DNS is not configured, use the IP address.
  - Protocol: The default is set to TCP.
    Important: If you want to specify a secondary destination, you must select a connection-based protocol such as TCP, TLS, or mTLS.
- To configure Destination parameters, set the following options:
  - Enabled: Enable or disable the destination to stop events from being sent.
  - Device Address: The hostname or IP address of the appliance where the event data is sent.
  - Port: The port number used to send data.
  - Secondary device address: Used as a backup destination. For more information, see Adding a Secondary Destination.
  - Maximum events per second: The EPS rate sent to that destination.
  - Format: The format the destination uses to send data.
  - Include Agent ID: If configured, you can include the agent identifier that is in the SYSLOG header for all your log sources.
  - Protocol: The protocol used by the destination.
- To configure Disk Destination parameters, set the following options:
  - Enabled: Enable or disable the destination to stop events from being sent.
  - Maximum events per second: The EPS rate sent to that destination.
  - Format: The format the destination uses to send data.
  - Output file: The name of the single file where all events are written. The only accepted file extension is .txt. The default value is the name of this destination followed by the .txt file extension.
  - Max file size: The maximum size of the file. Events are discarded when the file reaches the maximum capacity.
- To configure Kafka Destination parameters, set the following options:
  - Enabled: Enable or disable the destination to stop events from being sent.
  - Maximum events per second: The EPS rate sent to that destination.
  - Format: The format the destination uses to send data.
  - Brokerlist: Kafka brokerlist, where items in the list are separated by a comma.
  - Kafka Config Settings: More Kafka configuration settings, where items in the list are separated by an equal sign (=). These settings are examples of the syntax:
    - socket.timeout.ms=100
    - socket.blocking.max.ms=100
  - Topic: The Kafka topic where events are published.
  - Protocol: Select TCP, TLS, or mTLS from the list.
  - Enable SASL: Enable this option if you want to use SASL for the authentication process.
- To configure HTTP Destination parameters (events are sent by using curl to an HTTP(s) endpoint), set the following options:
  - Enabled: Enable or disable the destination to stop events from being sent.
  - Maximum events per second: The EPS rate sent to that destination.
  - Format: The format the destination uses to send data.
  - Device Address: The hostname or IP address of the appliance where the event data is sent.
  - Port: The port number used to send data.
  - Path: The HTTP(s) endpoint path where the events are sent. If you leave this field blank, events are sent to '/'.
  - Use HTTP Header Authentication Token: Select this option to add the Authorization header to our events.
  - Authentication Token Header Name: The HTTP header name to be added to the Authorization header. Common names include Basic, Digest, and Bearer.
  - Authentication Token Value: The HTTP value associated with the Authentication Token Header Name.
  - Compress: Select this option to compress the event payload with .gzip compression.
  - Secondary device address: Used as a backup destination. For more information, see Adding a Secondary Destination.
- To configure TLS/HTTPS protocol, set the following options:
  - Certificate Source: Where to obtain certificates for validating the incoming TLS server certificate.
  - Certificate: Used in TLS and mTLS communication, when not using the certificate store. Must be a PEM file.
  - Hostname Validation: Used in TLS and mTLS communication. Determines whether to enable hostname validation for the TLS connection.
  - Certificate Store: Used in TLS and mTLS communication, as an alternative to providing a specific certificate. The name of the Windows certificate store that is on the local computer where the client certificate is located.
  - Client Certificate Source: Format of the certificate and private key that is used for the client certificate.
  - Client Certificate: The client certificate to be sent to the server for mutual TLS. Save your certificate as a PEM file with the .pem file extension and provide the path to the file here prefixed with an @ character.
  - Client Private Key: The private key that is associated with the provided client certificate. Save your key as a PEM file with the .pem file extension and provide the path to the file prefixed with an @ character. This key must be encrypted with a pass phrase.
  - Client Certificate Key Pair: The client certificate and key pair to be sent to the server for mutual TLS. Save your certificate and key as a PKCS#12 file and provide the path to the file prefixed with an @ character.
  - Client Certificate Store: The name of the Windows certificate store that is on the local computer where the client certificate is located.
  - mTLS client certificate identifier: The method by which the client certificate is identified in the Windows certificate store. The options are either friendly name or thumbprint. The friendly name option is the default.
  - mTLS client certificate friendly name: The value set as the friendly name on the certificate in the Windows certificate store.
  - Client Certificate Hash: The thumbprint (or SHA1 hash) of the client certificate to use.
- To configure Kafka SASL authentication, set the following options:
  - SASL Type: The SASL mechanism to use.
    - Plain
    - SCRAM-SHA-256
    - SCRAM-SHA-512
  - SASL username: The username for the Kafka connection.
  - SASL Password: The password for the Kafka connection.
- Click Save.
- Deploy your changes.
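The TLS/mTLS options in this procedure expect either a pass-phrase-encrypted PEM private key or a friendly name or thumbprint that identifies a certificate in a Windows certificate store on the local computer. The following PowerShell is an added example, not part of the IBM documentation or of WinCollect, that checks those values read-only before you enter them. The function names, the default store name My, and the sample path and friendly name are assumptions.

```powershell
# Added example, not IBM code. Read-only checks for the mTLS client
# certificate fields of a destination.

function Test-ClientKeyPemEncrypted {
    # True when the PEM private key file is pass-phrase protected:
    # PKCS#8 ("ENCRYPTED PRIVATE KEY") or legacy PEM ("Proc-Type: 4,ENCRYPTED").
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -LiteralPath $Path -Raw
    return ($text -match '-----BEGIN ENCRYPTED PRIVATE KEY-----' -or
            $text -match 'Proc-Type:\s*4,ENCRYPTED')
}

function Get-ClientCertCandidate {
    # Lists certificates in a local-computer store that match the identifier
    # you plan to enter (friendly name or thumbprint).
    param(
        [string]$StoreName = 'My',   # assumed store name; use your own
        [string]$FriendlyName,
        [string]$Thumbprint
    )
    $certs = @(Get-ChildItem -Path "Cert:\LocalMachine\$StoreName")
    if ($Thumbprint) {
        # Thumbprints copied from the certificate dialog often contain spaces.
        $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        $certs = @($certs | Where-Object { $_.Thumbprint -eq $wanted })
    } elseif ($FriendlyName) {
        $certs = @($certs | Where-Object { $_.FriendlyName -eq $FriendlyName })
    }
    $now = Get-Date
    foreach ($c in $certs) {
        [pscustomobject]@{
            Thumbprint    = $c.Thumbprint
            FriendlyName  = $c.FriendlyName
            Subject       = $c.Subject
            HasPrivateKey = $c.HasPrivateKey   # required for a client certificate
            InValidity    = ($c.NotBefore -le $now -and $c.NotAfter -ge $now)
            MatchCount    = $certs.Count       # >1 means the identifier is ambiguous
        }
    }
}

# Usage with placeholder values (constructed for illustration):
# Test-ClientKeyPemEncrypted -Path 'C:\certs\client-key.pem'
# Get-ClientCertCandidate -FriendlyName 'wincollect-client'
```

A friendly name is not guaranteed to be unique within a store, so a MatchCount above 1 is a reason to identify the certificate by thumbprint instead.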
Results
Some destination parameters can cause unexpected behavior when they are changed while events exist on the disk. Existing events on disk might be ignored when the Name parameter is changed. Existing events on disk might be sent at a different rate than what you configured for the Maximum events per second parameter if that parameter is changed.