Windows log source parameters
Common parameters are used when you configure a log source for a WinCollect agent or a WinCollect plug-in. Each WinCollect plug-in also has a unique set of configuration options.
Parameter | Description |
---|---|
Log Source Identifier | The IP address or hostname of the remote Windows operating system from which you want to collect Windows-based events. The log source identifier must be unique for the log source type. Used to poll events from remote sources. |
Local System | Disables remote collection of events for the log source. The log source uses local system credentials to collect and forward events to QRadar®. Note: You must clear this check box if you are using a fully qualified domain name (FQDN) as the log source identifier and the agent is installed on a domain controller. |
Domain | Optional. The domain that includes the Windows-based log source. The following examples use the correct syntax: `LAB1`, `server1.mydomain.com`. The following syntax is incorrect: `\\mydomain.com` |
Event Rate Tuning Profile | For the default polling interval of 3000 ms, the approximate events per second (EPS) rates attainable are as follows: For a polling interval of 1000 ms, the approximate EPS rates are as follows: For more information about tuning WinCollect, see IBM® Support (http://www.ibm.com/support/docview.wss?uid=swg21672193). |
Polling Interval (ms) | The interval, in milliseconds, between times when WinCollect polls for new events. |
Application or Service Log Type | Optional. Used for XPath queries. Provides a specialized XPath query for products that write their events as part of the Windows Application log, so that you can separate Windows events from events that belong to a log source for another product. |
Event Log Poll Protocol | The protocol that QRadar uses to communicate with the Windows device. The default is MSEVEN6. |
Log Filter Type | Configures the WinCollect agent to ignore specific events from the Windows event log. You can also configure WinCollect agents to ignore events globally by ID code or log source. Exclusion filters for events are available for the following log source types: Security, System, Application, DNS Server, File Replication Service, and Directory Service. Global exclusions use the EventIDCode field from the event payload. To determine the values that are excluded, source and ID exclusions use the Example: Exclusion filters can use commas and hyphens to filter single event IDs or ranges, such as `4609, 4616, 6400-6405`. For more information about filtering, see WinCollect Event Filtering (http://www.ibm.com/support/docview.wss?uid=swg21672656). |
Security | Select the checkbox to enable WinCollect to forward security logs to QRadar. |
Security Log Filter Type | To ignore specific event IDs collected from the Windows event log, select Exclusion Filter. To include only specific event IDs collected from the Windows event log, select Inclusion Filter. The NSA Filter option populates the Security Log Filter field with a list of event IDs recommended by the National Security Agency. The default is No Filtering. Note: If you select a filter type from the list, a new Security Log Filter field is displayed. You must provide the event IDs that you want to include or exclude. |
System | Select the checkbox to enable WinCollect to forward system logs to QRadar. |
System Log Filter Type | To ignore specific event IDs collected from the Windows event log, select Exclusion Filter. To include only specific event IDs collected from the Windows event log, select Inclusion Filter. The NSA Filter option populates the System Log Filter field with a list of event IDs recommended by the National Security Agency. The default is No Filtering. Note: If you select a filter type from the list, a new System Log Filter field is displayed. You must provide the event IDs that you want to include or exclude. |
Application | Select the checkbox to enable WinCollect to forward application logs to QRadar. |
Application Log Filter Type | To ignore specific event IDs collected from the Windows event log, select Exclusion Filter. To include only specific event IDs collected from the Windows event log, select Inclusion Filter. The NSA Filter option populates the Application Log Filter field with a list of event IDs recommended by the National Security Agency. The default is No Filtering. Note: If you select a filter type from the list, a new Application Log Filter field is displayed. You must provide the event IDs that you want to include or exclude. |
DNS Server | Select the checkbox to enable WinCollect to forward DNS Server logs to QRadar. |
DNS Server Log Filter Type | To ignore specific event IDs collected from the Windows event log, select Exclusion Filter. To include only specific event IDs collected from the Windows event log, select Inclusion Filter. The NSA Filter option populates the DNS Server Log Filter field with a list of event IDs recommended by the National Security Agency. The default is No Filtering. Note: If you select a filter type from the list, a new DNS Server Log Filter field is displayed. You must provide the event IDs that you want to include or exclude. |
File Replication Service | Select the checkbox to enable WinCollect to forward File Replication Service logs to QRadar. |
File Replication Service Log Filter Type | To ignore specific event IDs collected from the Windows event log, select Exclusion Filter. To include only specific event IDs collected from the Windows event log, select Inclusion Filter. Note: If you select a filter type from the list, a new File Replication Service Log Filter field is displayed. You must provide the event IDs that you want to include or exclude. |
Directory Service | Select the checkbox to enable WinCollect to forward Directory Service logs to QRadar. |
Directory Service Log Filter Type | To ignore specific event IDs collected from the Windows event log, select Exclusion Filter. To include only specific event IDs collected from the Windows event log, select Inclusion Filter. Note: If you select a filter type from the list, a new Directory Service Log Filter field is displayed. You must provide the event IDs that you want to include or exclude. |
Forwarded Events | Enables QRadar to collect events that are forwarded from remote Windows event sources that use subscriptions. Forwarded events that arrive through event subscriptions are automatically discovered by the WinCollect agent and forwarded as if they came from a syslog event source. When you configure event forwarding on your Windows system, enable event pre-rendering. Important: WinCollect supports pulling logs only from the Forwarded Events channel. Writing events from a subscription to a different channel is not supported. |
Forwarded Events filter type | To ignore specific event IDs collected from the Windows event log, select Exclusion Filter. To include only specific event IDs collected from the Windows event log, select Inclusion Filter. The NSA Filter option populates the Forwarded Events filter field with all channels and their respective filters, as recommended by the National Security Agency. The default is No Filtering. Note: If you select a filter type from the list, a new Forwarded Events Filter field is displayed. You must provide the event IDs that you want to include or exclude. The Forwarded Events filter requires you to identify the source or channel, with the event IDs that you want to filter in parentheses. Use semicolons as delimiters. For example: In this example, event IDs 200-256, 4097, and 34 are filtered for the channel Application. Event ID 1 is filtered for Security. Event IDs 1 and 13 are filtered for the source called Symantec. |
Event Types | At least one event type must be selected. If you need to collect specific event types, follow the instructions for creating a custom XPath query with those event types. For more information, see Creating a custom view. |
Enable Active Directory Lookups | If the WinCollect agent is in the same domain as the domain controller that is responsible for the Active Directory lookup, you can select this check box. If you do, leave the override domain and DNS parameters blank. Important: You must enter values for the Domain Controller Name Lookup and DNS Domain Name Lookup parameters. |
Override Domain Controller Name | Required when the domain controller that is responsible for the Active Directory lookup is outside the domain of the WinCollect agent. The IP address or hostname of the domain controller that is responsible for the Active Directory lookup. |
XPath Query | Structured XML expressions that you use to retrieve customized events from Windows event logs. If you specify an XPath query to filter events, the check boxes that you selected under Standard Log Type or Event Type are collected along with the XPath query. To collect information by using an XPath query, you might be required to enable Remote Event Log Management on Windows 2008. |
Target Internal Destination | Use any managed host with an event processor component as an internal destination. |
Target External Destination | Forwards your events to one or more external destinations that you configured in your destination list. |
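The comma-and-hyphen ID syntax of the Log Filter Type row and the per-channel syntax of the Forwarded Events filter type row are easy to get wrong, so it is worth checking what a filter string actually drops before pushing it to agents. The following is an added example, not IBM or WinCollect code: it expands both syntaxes into sets of event IDs and applies exclusion semantics to constructed sample events. The forwarded-events string `Application(200-256,4097,34);Security(1);Symantec(1,13)` is constructed from the description above; the exact product syntax is an assumption.

```python
"""Expand WinCollect-style event ID filters; added example, not IBM/WinCollect code.
Assumes the forwarded-events filter has the form "Name(ids);Name(ids)" as the
description implies (constructed string; exact product syntax is an assumption).
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

def expand_event_ids(spec: str) -> Set[int]:
    """Expand "4609, 4616, 6400-6405" into the full set of integer event IDs."""
    ids: Set[int] = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue                      # tolerate a trailing comma
        lo, sep, hi = token.partition("-")
        if sep:                           # hyphen means an inclusive range
            start, end = int(lo), int(hi)
            if start > end:
                raise ValueError(f"reversed range: {token!r}")
            ids.update(range(start, end + 1))
        else:
            ids.add(int(token))
    return ids

# One entry: a channel or source name followed by its ID list in parentheses.
_ENTRY = re.compile(r"^\s*([^();]+?)\s*\(([^()]*)\)\s*$")

def parse_forwarded_filter(spec: str) -> Dict[str, Set[int]]:
    """Map each channel or source name to the event IDs listed for it."""
    rules: Dict[str, Set[int]] = {}
    for entry in spec.split(";"):
        if not entry.strip():
            continue                      # tolerate a trailing semicolon
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed filter entry: {entry!r}")
        name, id_list = m.groups()
        rules.setdefault(name, set()).update(expand_event_ids(id_list))
    return rules

def matches(rules: Dict[str, Set[int]], channel: str, event_id: int) -> bool:
    """True when the filter lists this (channel, event ID) pair."""
    return event_id in rules.get(channel, set())

def apply_exclusion(rules: Dict[str, Set[int]],
                    events: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Exclusion semantics: drop listed events, keep everything else."""
    return [ev for ev in events if not matches(rules, *ev)]
```

Running the same rules through an inclusion filter is the complement: keep only the events for which `matches` is true.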