Configuration options for systems with restricted policies for domain controller credentials

Users with appropriate remote access permissions might be able to collect events from remote systems without using domain administrator credentials. Depending on what information you collect, the user might need extra permissions. For example, if a user collects Security event logs remotely, the user that is configured in the QRadar® log source must have remote access to the Security event log of the polled system from the server where the agent is installed.

Restriction:
For remote collection, the WinCollect user must work with their Windows administrator to ensure access to the following items:
  • Logs for security, system, and application events
  • The remote registry
  • Any directories that contain the .dll or .exe files that hold event message string information

With certain combinations of Windows operating system and group policies in place, alternative configurations might not be possible.

Remote collection inside or across a Windows domain might require domain administrator credentials to ensure that events can be collected. If your corporate policies restrict the use of domain administrator credentials, you might need to complete more configuration steps for your WinCollect deployment.

The following permissions and credentials are required for a service account to access the remote polling log sources that WinCollect supports.

Permission: The service account must be able to access the folder that contains the log file and open the file.
Log sources:
  • Microsoft DHCP
  • Microsoft Exchange Server
  • DNS debug
  • File Forwarder
  • Microsoft IAS
  • Microsoft IIS
  • Microsoft ISA
  • Juniper Steel-Belted Radius
  • Microsoft SQL
  • NetApp Data ONTAP
  • TLS

Permission: The log source user must be a member of the Event Log Readers group. If this group is not configured, domain administrative privileges are usually required to poll a Windows event log across a domain.
Log source:
  • Microsoft Windows Security Event Log
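The access listed above can be verified before a log source is configured. The following PowerShell script is an added example, not IBM's or WinCollect's own tooling; it assumes it runs in an elevated Windows PowerShell 5.1 session on the server that will be polled, and the account name and log folder path are placeholders.

```powershell
# Added example, not IBM's code: check on the server to be polled that a
# WinCollect service account has the access listed in this topic. Run in an
# elevated Windows PowerShell 5.1 session on that server.
# $ServiceAccount and $LogFolder are placeholders; replace them with your values.
param(
    [string]$ServiceAccount = 'CORP\svc-wincollect',        # placeholder account
    [string]$LogFolder      = 'C:\Windows\System32\dhcp'    # placeholder, e.g. DHCP audit log folder
)

$checks = @()

# 1. Security event log: the account must be in the local Event Log Readers group
#    (otherwise domain administrative privileges are usually needed for cross-domain polling).
$members  = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
$isReader = [bool]($members | Where-Object { $_.Name -ieq $ServiceAccount })
$checks  += [pscustomobject]@{ Check = 'Member of Event Log Readers'; Pass = $isReader }

# 2. Remote registry: the service must be running for remote event collection.
$rr      = Get-Service -Name 'RemoteRegistry'
$checks += [pscustomobject]@{ Check = 'Remote Registry service running'; Pass = ($rr.Status -eq 'Running') }

# 3. File-based log sources: the account needs read access to the log folder.
#    Only ACEs granted directly to the account are matched; grants that arrive
#    through group membership are not expanded here.
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$acl      = Get-Acl -Path $LogFolder
$hasRead  = [bool]($acl.Access | Where-Object {
    $_.IdentityReference.Value -ieq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights.HasFlag($readData)
})
$checks += [pscustomobject]@{ Check = "Read access to $LogFolder"; Pass = $hasRead }

$checks | Format-Table -AutoSize
```

A failed check points at the item the Windows administrator needs to grant; the final confirmation is still a successful poll from the host where the agent is installed, using the service account configured in the log source.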

When WinCollect agents collect events from the local host, the event collection service uses the Local System account credentials to collect and forward events. Local collection requires that you install a WinCollect agent on a host where local collection occurs.