Windows log source parameters

Common parameters are used when you configure a log source for a WinCollect agent or a WinCollect plug-in. Each WinCollect plug-in also has a unique set of configuration options.

Table 1. Common WinCollect log source parameters
Parameter Description
Log Source Identifier

The IP address or hostname of a remote Windows operating system from which you want to collect Windows-based events. The log source identifier must be unique for the log source type.

Used to poll events from remote sources.

Local System

Disables remote collection of events for the log source.

The log source uses local system credentials to collect and forward events to QRadar®.

Note: You must clear this box if you are using a fully qualified domain name (FQDN) log source identifier and the agent is installed on a domain controller.
Domain

Optional

The domain that includes the Windows-based log source.

The following examples use the correct syntax: LAB1, server1.mydomain.com

The following syntax is incorrect: \\mydomain.com

Event Rate Tuning Profile

For the default polling interval of 3000 ms, the approximate events per second (EPS) rates attainable are as follows:
  • Default (Endpoint): 33-50 EPS

  • Typical Server: 166-250 EPS

  • High Event Rate Server: 416-625 EPS

For a polling interval of 1000 ms the approximate EPS rates are as follows:

  • Default (Endpoint): 100-150 EPS

  • Typical Server: 500-750 EPS

  • High Event Rate Server: 1250-1875 EPS

For more information about tuning WinCollect, see IBM® Support (http://www.ibm.com/support/docview.wss?uid=swg21672193).

Polling Interval (ms)

The interval, in milliseconds, between times when WinCollect polls for new events.
Application or Service Log Type

Optional.

Used for XPath queries.

Provides a specialized XPath query for products that write their events to the Windows Application log, so that you can separate native Windows events from events that belong to a log source for another product.

Event Log Poll Protocol

The protocol that QRadar uses to communicate with the Windows device. The default is MSEVEN6.
Log Filter Type

Configures the WinCollect agent to ignore specific events from the Windows event log.

You can also configure WinCollect agents to ignore events globally by ID code or log source.

Exclusion filters for events are available for the following log source types: Security, System, Application, DNS Server, File Replication Service, and Directory Service.

Global exclusions use the EventIDCode field from the event payload. Source and ID exclusions determine which events to exclude by using the Source= field and the EventIDCode= field of the Windows event payload. Separate multiple sources by using a semicolon.

Example: Exclusion filters can use commas and hyphens to filter single EventIDs or ranges, such as 4609, 4616, 6400-6405.

For more information about filtering, see WinCollect Event Filtering (http://www.ibm.com/support/docview.wss?uid=swg21672656).

Security

Select the checkbox to enable WinCollect to forward security logs to QRadar.

Security Log Filter Type

To ignore specific event IDs collected from the Windows event log, select Exclusion Filter.

To include specific event IDs collected from the Windows event log, select Inclusion Filter.

The NSA Filter option populates the Security Log Filter field with a list of event IDs recommended by the National Security Agency.

The default is No Filtering.

Note: If you select a filter type from the list, a new field, Security Log Filter, is displayed. You must provide the event IDs that you want to include or exclude.
System

Select the checkbox to enable WinCollect to forward system logs to QRadar.

System Log Filter Type

To ignore specific event IDs collected from the Windows event log, select Exclusion Filter.

To include specific event IDs collected from the Windows event log, select Inclusion Filter.

The NSA Filter option populates the System Log Filter field with a list of event IDs recommended by the National Security Agency.

The default is No Filtering.

Note: If you select a filter type from the list, a new field, System Log Filter, is displayed. You must provide the event IDs that you want to include or exclude.
Application

Select the checkbox to enable WinCollect to forward application logs to QRadar.

Application Log Filter Type

To ignore specific event IDs collected from the Windows event log, select Exclusion Filter.

To include specific event IDs collected from the Windows event log, select Inclusion Filter.

The NSA Filter option populates the Application Log Filter field with a list of event IDs recommended by the National Security Agency.

The default is No Filtering.

Note: If you select a filter type from the list, a new field, Application Log Filter, is displayed. You must provide the event IDs that you want to include or exclude.
DNS Server

Select the checkbox to enable WinCollect to forward DNS Server logs to QRadar.

DNS Server Log Filter Type

To ignore specific event IDs collected from the Windows event log, select Exclusion Filter.

To include specific event IDs collected from the Windows event log, select Inclusion Filter.

The NSA Filter option populates the DNS Server Log Filter field with a list of event IDs recommended by the National Security Agency.

The default is No Filtering.

Note: If you select a filter type from the list, a new field, DNS Server Log Filter, is displayed. You must provide the event IDs that you want to include or exclude.
File Replication Service

Select the checkbox to enable WinCollect to forward File Replication Service logs to QRadar.

File Replication Service Log Filter Type

To ignore specific event IDs collected from the Windows event log, select Exclusion Filter.

To include specific event IDs collected from the Windows event log, select Inclusion Filter.

Note: If you select a filter type from the list, a new field, File Replication Service Log Filter, is displayed. You must provide the event IDs that you want to include or exclude.
Directory Service

Select the checkbox to enable WinCollect to forward Directory Service logs to QRadar.

Directory Service Log Filter Type

To ignore specific event IDs collected from the Windows event log, select the Exclusion Filter.

To include specific event IDs collected from the Windows event log, select the Inclusion Filter.

Note: If you select a filter type from the list, a new field, Directory Service Log Filter, is displayed. You must provide the event IDs that you want to include or exclude.
Forwarded Events

Enables QRadar to collect events that are forwarded from remote Windows event sources that use subscriptions.

Forwarded events that use event subscriptions are automatically discovered by the WinCollect agent and forwarded as if they were a syslog event source.

When you configure event forwarding from your Windows system, enable event pre-rendering.

Important: WinCollect supports pulling logs only from the Forwarded Events channel. Writing events from a subscription to a different channel is not supported.
Forwarded Events filter type

To ignore specific event IDs collected from the Windows event log, select Exclusion Filter.

To include specific event IDs collected from the Windows event log, select Inclusion Filter.

The NSA Filter option populates the Forwarded Events filter field with all channels and their respective filters, as recommended by the National Security Agency.

The default is No Filtering.

Note: If you select a filter type from the list, a new field, Forwarded Events Filter, is displayed. You must provide the event IDs that you want to include or exclude.
The Forwarded Events filter requires you to identify the source or channel, with the eventIDs that you want to filter in parentheses. Use semicolons as delimiters. For example:
Application(200-256,4097,34);Security(1);Symantec(1,13)
In this example, event IDs 200 - 256, 4097 and 34 are filtered for the channel Application. Event ID 1 is filtered for Security. Event IDs 1 and 13 are filtered for the source called Symantec.
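As an added example (not IBM's code and not part of WinCollect), the following Python script parses both filter syntaxes described on this page: plain ID lists with commas and hyphens, such as 4609, 4616, 6400-6405, and channel-scoped lists such as Application(200-256,4097,34);Security(1);Symantec(1,13). It applies the parsed result as an exclusion filter to a few constructed sample events, which is a quick way to check what a filter string will drop before it is saved on a log source; the helper names and the sample events are assumptions, not WinCollect internals.

```python
import re
from typing import Dict, List, Set

def parse_id_list(spec: str) -> Set[int]:
    """Hypothetical helper: expand '4609, 4616, 6400-6405' into a set of event IDs."""
    ids: Set[int] = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue  # tolerate a trailing comma
        if "-" in token:
            low, high = (int(part) for part in token.split("-", 1))
            if low > high:
                raise ValueError(f"range {token!r} runs backwards")
            ids.update(range(low, high + 1))
        else:
            ids.add(int(token))
    return ids

# One entry: a channel or source name followed by an ID list in parentheses.
_ENTRY = re.compile(r"^\s*([^()\s;]+)\s*\(([^()]*)\)\s*$")

def parse_forwarded_filter(spec: str) -> Dict[str, Set[int]]:
    """Hypothetical helper: parse 'Application(200-256,4097,34);Security(1)' into {name: ids}."""
    filters: Dict[str, Set[int]] = {}
    for entry in spec.split(";"):
        if not entry.strip():
            continue  # tolerate a trailing semicolon
        match = _ENTRY.match(entry)
        if not match:
            raise ValueError(f"malformed entry {entry!r}: expected Name(ids)")
        filters.setdefault(match.group(1), set()).update(parse_id_list(match.group(2)))
    return filters

# Constructed sample payload fields (Source= and EventIDCode=), not real events.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"Source": "Application", "EventIDCode": 4097},
    {"Source": "Application", "EventIDCode": 300},
    {"Source": "Security", "EventIDCode": 1},
    {"Source": "Security", "EventIDCode": 4624},
    {"Source": "Symantec", "EventIDCode": 13},
]

def apply_exclusion(filters: Dict[str, Set[int]], events):
    """Return the events that an exclusion filter would still forward."""
    return [e for e in events if e["EventIDCode"] not in filters.get(e["Source"], set())]

if __name__ == "__main__":
    excluded = parse_forwarded_filter("Application(200-256,4097,34);Security(1);Symantec(1,13)")
    print("forwarded:", apply_exclusion(excluded, SAMPLE_EVENTS))
```

A malformed entry such as a channel name without parentheses raises ValueError instead of silently matching nothing, so typos in a filter string surface before any events are dropped.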
Event Types

At least one event type must be selected.

If you need to collect specific event types, follow the instructions for creating a custom XPath with those specific event types. For more information, see Creating a custom view.

Enable Active Directory Lookups

If the WinCollect agent is in the same domain as the domain controller that is responsible for the Active Directory lookup, you can select this checkbox. If you do, leave the override domain and DNS parameters blank.

Important: You must enter values for the Domain Controller Name Lookup and DNS Domain Name Lookup parameters.
Override Domain Controller Name

Required when the domain controller that is responsible for Active Directory lookup is outside of the domain of the WinCollect agent.

The IP address or hostname of the domain controller that is responsible for the Active Directory lookup.

XPath Query

Structured XML expressions that you use to retrieve customized events from Windows event logs.

If you specify an XPath query to filter events, the log types and event types whose check boxes you selected under Standard Log Type or Event Type are collected in addition to the events that the XPath Query returns.

To collect information by using an XPath Query, you might be required to enable Remote Event Log Management on Windows 2008.

Target Internal Destination

Use any managed hosts with an event processor component as an internal destination.

Target External Destination

Forwards your events to one or more external destinations that you configured in your destination list.