Use Case 3: Send TCP instead of UDP
You want to send Syslog data to QRadar over TCP rather than UDP. You must specify this option in the Destination Manager.
Procedure
- Locate the tmplt_DestinationManager.xml template in the \IBM\WinCollect\templates directory.
- Make a copy of the template and name it service_DestinationManager.xml.
- In <Module order="4" service_name="UDPSendStage">, change the service_name parameter to TCPSendStage. The edited file looks like this:

    <Service version="7.2.8" classification="Service" type="Service" module="WinCollectPlugin" name="DestinationManager">
      <Environment/>
      <InstanceData>
        <Instance name="QRadar">
          <Environment/>
          <Module order="1" service_name="StoreAndForwardStage">
            <Environment>
              <Parameter name="DataChunkPeriod" value="10"/>
              <Parameter name="DataProcessingPeriod" value="500000"/>
              <Parameter name="QueueLowWaterMark" value="750000"/>
              <Parameter name="QueueHighWaterMark" value="1000000"/>
              <Parameter name="Schedule.Enable" value="true"/>
              <Parameter name="Schedule.Invert" value="false"/>
              <Parameter name="Socket.KeepAlive.Enabled" value="true"/>
              <Parameter name="Socket.KeepAlive.Time" value="30000"/>
              <Parameter name="Socket.KeepAlive.Interval" value="4000"/>
            </Environment>
          </Module>
          <Module order="2" service_name="SimpleEventThrottle">
            <Environment>
              <Parameter name="EventThrottleInEPS" value="5000"/>
            </Environment>
          </Module>
          <Module order="3" service_name="SyslogHeaderStage">
            <Environment/>
          </Module>
          <Module order="4" service_name="TCPSendStage">
            <Environment>
              <Parameter name="TargetAddress" value="172.18.X.X"/>
              <Parameter name="TargetPort" value="514"/>
            </Environment>
          </Module>
        </Instance>
      </InstanceData>
    </Service>
- Move the file to the \IBM\WinCollect\patch directory. After a few seconds, the file disappears and the agent restarts. The old agentconfig.xml file is moved to the backup directory (patch_checkpoint_xxxx).
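The following script is an added example, not IBM's code and not part of the WinCollect documentation. It performs the edit from step 3 programmatically and checks the result before it is dropped into the patch directory: the file must still be well-formed XML, there must be exactly one order="4" module, and that module must actually be the UDPSendStage the template is expected to contain, so a wrong or already-edited template is not silently rewritten. The template text inside the script is a constructed, abbreviated stand-in for tmplt_DestinationManager.xml; the 172.18.X.X address and port 514 are the placeholder values shown in the procedure.

```python
"""Switch the WinCollect Destination Manager send stage from UDP to TCP.

Added example (not IBM's code). Works on the XML text in memory; writing the
result to service_DestinationManager.xml and moving it into
\\IBM\\WinCollect\\patch remains the manual step described in the procedure.
"""
import xml.etree.ElementTree as ET

# Constructed, abbreviated stand-in for tmplt_DestinationManager.xml.
TEMPLATE_XML = """<Service version="7.2.8" classification="Service" type="Service"
         module="WinCollectPlugin" name="DestinationManager">
  <Environment/>
  <InstanceData>
    <Instance name="QRadar">
      <Environment/>
      <Module order="3" service_name="SyslogHeaderStage">
        <Environment/>
      </Module>
      <Module order="4" service_name="UDPSendStage">
        <Environment>
          <Parameter name="TargetAddress" value="172.18.X.X"/>
          <Parameter name="TargetPort" value="514"/>
        </Environment>
      </Module>
    </Instance>
  </InstanceData>
</Service>
"""


def switch_send_stage(xml_text: str, new_stage: str = "TCPSendStage") -> str:
    """Return xml_text with the order="4" module's service_name replaced.

    Raises ValueError if there is not exactly one order="4" module, or if
    that module is not UDPSendStage, so an unexpected template is refused
    rather than rewritten.
    """
    root = ET.fromstring(xml_text)  # ParseError here means the input is not valid XML
    stages = root.findall(".//Module[@order='4']")
    if len(stages) != 1:
        raise ValueError(f"expected exactly one order=4 module, found {len(stages)}")
    stage = stages[0]
    current = stage.get("service_name")
    if current != "UDPSendStage":
        raise ValueError(f"order=4 module is {current!r}, not UDPSendStage")
    stage.set("service_name", new_stage)
    return ET.tostring(root, encoding="unicode")


def describe_send_stage(xml_text: str) -> dict:
    """Re-parse the (edited) config and report how events will be shipped.

    Re-parsing the serialized text is the well-formedness check: if the edit
    had broken the XML, ET.fromstring would raise instead of returning.
    """
    root = ET.fromstring(xml_text)
    stage = root.find(".//Module[@order='4']")
    params = {p.get("name"): p.get("value")
              for p in stage.findall("Environment/Parameter")}
    return {
        "transport": stage.get("service_name"),
        "target": params.get("TargetAddress"),
        "port": params.get("TargetPort"),
    }


if __name__ == "__main__":
    edited = switch_send_stage(TEMPLATE_XML)
    print(describe_send_stage(edited))
    # -> {'transport': 'TCPSendStage', 'target': '172.18.X.X', 'port': '514'}
```

Running the script against the real template instead of the embedded sample is a matter of reading the file into `switch_send_stage` and writing the returned text out as service_DestinationManager.xml; the refusal on a second run (the stage is then already TCPSendStage) is deliberate, so the same file is not edited twice by accident.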