Use Case: Large Retail Point of Sale (POS) Collection
Customer needs to collect Windows Security Event logs from all Point of Sale (POS) devices at each of their retail stores.
Architecture
- Device count: 4,500 POS devices
- Retail stores: 500 (~9 POS per store)
- QRadar deployment: 1 Console, 2 Event Collectors
Visibility
- POS devices have no network visibility outside their retail store, so they cannot reach QRadar directly.
Option 1 - POS visibility to local retail store Domain Controller
- Proposed solution
  - Windows Event Forwarding (WEF) from each POS to a WEF Collector running on the local retail store Domain Controller.
- Advantages
  - POS devices can be brought up and down and will start sending events to the WEF Collector once they receive the GPO update. No need to manage store POS devices once the GPO is configured.
- Disadvantages
  - IT Group must monitor 500 WEF Collection servers to make sure WEF is configured and working.
  - A GPO must be configured for each retail store, and each one must point the store's POS devices at the correct (local) WEF Collector.
  - WEF must be configured on a Domain Controller, which puts a WinRM listener and the collected event store on a high-value server.
Option 1a - POS visibility outside of retail store
- Proposed solution
  - Windows Event Forwarding to a remote (central) WEF Collector.
- Advantages
  - POS devices can be brought up and down and will start sending events to the WEF Collector once they receive the GPO update. No need to manage store POS devices once the GPO is configured.
  - One WEF Collector can be configured to handle traffic from all retail stores. A collector can handle 10k endpoints; the customer must validate that the aggregate EPS rate does not exceed the supported 10k EPS.
  - Logs are gathered from a single server when troubleshooting any issue.
- Disadvantages
  - POS devices need network visibility outside of the retail store (each POS must be able to reach the central collector).
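The monitoring burden that Option 1 lists as a disadvantage (500 collectors to watch) is something a practitioner would script rather than eyeball. The following added example, not part of the original use case, compares the POS computer objects in each store's AD OU against the machines that have actually forwarded events to that store's collector, flagging registers that never registered or have gone quiet. With -CentralCollector it performs the same check against the single collector of Option 1a. All names are hypothetical assumptions: store OUs directly under OU=Stores, a POS sub-OU per store, collectors named <store>-dc01.retail.example, and the default ForwardedEvents log as the subscription target.

```powershell
# Added example, not from the original use case document.
# Hypothetical layout: OU=Stores,DC=retail,DC=example holds one OU per store; each store OU has a
# "POS" sub-OU for registers; a store's WEF collector is <store>-dc01.retail.example (Option 1) or
# one central collector passed via -CentralCollector (Option 1a). Collectors write to ForwardedEvents.
# Run from an admin host with RSAT-AD and PowerShell remoting to the collectors.

param(
    [string]$StoresOU         = 'OU=Stores,DC=retail,DC=example',
    [string]$CentralCollector = '',      # e.g. wec01.retail.example for Option 1a
    [int]   $StaleMinutes     = 30,      # no event in this window => STALE
    [int]   $MaxEvents        = 50000    # newest events scanned per collector
)

Import-Module ActiveDirectory

# Newest forwarded event per source machine, computed on the collector itself.
function Get-CollectorLastSeen {
    param([string]$Collector, [int]$Max)
    Invoke-Command -ComputerName $Collector -ArgumentList $Max -ScriptBlock {
        param($max)
        Get-WinEvent -LogName ForwardedEvents -MaxEvents $max -ErrorAction SilentlyContinue |
            Group-Object MachineName | ForEach-Object {
                [pscustomobject]@{
                    Machine = ($_.Name -split '\.')[0]        # MachineName is a FQDN; AD Name is short
                    Last    = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
                }
            }
    }
}

# One status row per register expected in the store, plus (Option 1 only) sources that forward to
# this store's collector but are not registers of this store: usually a GPO pointing at the wrong DC.
function Get-StoreForwardingStatus {
    param([string]$Store, [string]$StoreDN, [string]$Collector, [object[]]$Seen, [switch]$ReportUnexpected)
    $cutoff   = (Get-Date).AddMinutes(-$StaleMinutes)
    $expected = Get-ADComputer -SearchBase "OU=POS,$StoreDN" -Filter * | Select-Object -ExpandProperty Name

    foreach ($name in $expected) {
        $hit   = $Seen | Where-Object { $_.Machine -ieq $name } | Select-Object -First 1
        $state = if (-not $hit)                 { 'NEVER_SEEN' }   # GPO not applied, wrong collector, or TCP 5985 blocked
                 elseif ($hit.Last -lt $cutoff) { 'STALE' }        # registered once, then stopped forwarding
                 else                           { 'OK' }
        [pscustomobject]@{ Store = $Store; Collector = $Collector; POS = $name; LastEvent = $hit.Last; State = $state }
    }
    if ($ReportUnexpected) {
        foreach ($m in $Seen | Where-Object { $expected -notcontains $_.Machine }) {
            [pscustomobject]@{ Store = $Store; Collector = $Collector; POS = $m.Machine; LastEvent = $m.Last; State = 'UNEXPECTED_SOURCE' }
        }
    }
}

$stores = Get-ADOrganizationalUnit -SearchBase $StoresOU -SearchScope OneLevel -Filter *
$cache  = @{}                                  # collector -> last-seen list (queried once per collector)
$results = foreach ($ou in $stores) {
    $collector = if ($CentralCollector) { $CentralCollector } else { "$($ou.Name.ToLower())-dc01.retail.example" }
    if (-not $cache.ContainsKey($collector)) {
        $cache[$collector] = @(Get-CollectorLastSeen -Collector $collector -Max $MaxEvents)
    }
    Get-StoreForwardingStatus -Store $ou.Name -StoreDN $ou.DistinguishedName -Collector $collector `
        -Seen $cache[$collector] -ReportUnexpected:(-not $CentralCollector)
}

# Only the exceptions are interesting across 4,500 registers.
$results | Where-Object State -ne 'OK' | Sort-Object Store, POS | Format-Table -AutoSize
```

NEVER_SEEN and UNEXPECTED_SOURCE together cover the two Option 1 failure modes the page calls out (a store GPO not applied, or applied with the wrong collector), and STALE is the signal that a register is up but its forwarding has broken, which is the case a simple "is the service running" check on the collector would miss.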
Option 2 - WinCollect Agent installed on each POS device
This includes the option to make WinCollect part of the "Golden Base Image." This allows the
customer to spin up new registers at any time with WinCollect configured and ready to send
events. This option requires the agent installed on the POS device to have visibility to a
QRadar appliance onsite at the retail store, or to a QRadar Event Processor/Collector outside
of the retail location.
- Proposed solution
  - WinCollect agent per POS.
- Advantages
  - After the initial work of creating a WinCollect image is complete, bringing POS devices on and off line is part of the standard process.
  - No management necessary to install agents on each POS device.
- Disadvantages
  - Gathering logs from a POS to troubleshoot issues might take time.
  - Updating the WinCollect agent to a new version requires new testing and updates to the base image.
Option 3 - WinCollect Agent installed on store local domain controller or server
If this server has visibility to QRadar, the agent could be installed in Managed Mode and
configured to remotely poll each of the POS devices in the store. With 500 retail stores, the
customer could install each agent in Managed Mode, divided between the Console and the Event
Collectors/Processors. Management of the solution would be difficult and require a lot of
maintenance as POS devices are brought on and off line.
- Proposed solution
  - WinCollect agent on the store server, remote polling each POS.
- Advantages
  - Agents are managed from the QRadar Console.
  - Easier to change which events are collected and what data is filtered.
- Disadvantages
  - The customer is responsible for adding and removing POS devices from each agent's remote-polling list. This churn increases during high retail volume periods, when extra registers are brought online.