WinCollect 10 overview

WinCollect is a Syslog event forwarder that administrators can use to forward events from Windows logs to IBM® QRadar®. WinCollect can collect events from systems locally or be configured to remotely poll other Windows systems for events.

WinCollect uses the Windows Event Log API to gather events, and then WinCollect sends the events to QRadar.

Important: You can install WinCollect 10 as a stand-alone agent only.

In a stand-alone deployment, the WinCollect software is installed and configured on a Windows host; QRadar does not manage the agent or its log sources. There are no performance differences between a managed and a stand-alone agent. The agent can gather events from the host it runs on (local), connect to remote Windows endpoints to collect their events (remote), or both, and sends all of the collected events to your QRadar deployment.

Figure 1. WinCollect stand-alone deployment example

You can also use a stand-alone WinCollect agent as a consolidation point: event data from other Windows hosts is gathered on one Windows host, and WinCollect sends the consolidated events from there to QRadar.

Stand-alone WinCollect mode has the following capabilities:

  • Each WinCollect agent is configured by using the WinCollect 10 Console.
  • The WinCollect software is updated with the software update installer.
  • Events are stored on the agent to ensure that no events are dropped.
  • Forwarded events from Windows event subscriptions (Windows Event Forwarding) are collected.
  • Events are filtered by using XPath queries or exclusion filters.
  • Installation on virtual machines is supported.
  • Events are sent to QRadar over TLS Syslog.
  • A local log source is created automatically when the agent is installed.
  • The WinCollect 10 agent can be configured to communicate over IPv6.
Note: Beginning with WinCollect 10.1.4, WinCollect 10 supports virtual accounts (the Windows NT SERVICE\<name> accounts, which have no password to manage).
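The following PowerShell script is an added example and is not part of the WinCollect product or the original page. It reproduces, through the same Windows Event Log API the agent uses, the two collection modes described above (local and remote) and the two filtering mechanisms (an XPath query and an exclusion filter), so that a filter can be tried against real events before it is entered in the agent. The remote host name WIN-SRV01, the chosen event IDs and the exclusion rules are placeholders for illustration, not values from the page.

```powershell
# Added example, not WinCollect's own code: read the Security log locally and
# from a remote host, apply an XPath query, then apply an exclusion filter.
# Assumptions (not from the page): host name 'WIN-SRV01', event IDs 4624/4625
# and the exclusion rules below are placeholders for illustration.

param(
    [string]$RemoteHost = 'WIN-SRV01',
    [int]$MaxEvents = 200
)

# Windows Event Log XPath: successful (4624) and failed (4625) logons from the
# last hour; timediff() is in milliseconds. The event log accepts only a subset
# of XPath 1.0 (no contains()/ends-with()), so string matching belongs in an
# exclusion filter rather than in the query.
$XPath = '*[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) <= 3600000]]]'

function Get-LogonEvents {
    # Local read when -ComputerName is omitted; remote read over RPC when given.
    param([string]$ComputerName)
    $target = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
    $params = @{ LogName = 'Security'; FilterXPath = $XPath; MaxEvents = $MaxEvents; ErrorAction = 'Stop' }
    if ($ComputerName) { $params['ComputerName'] = $ComputerName }
    try { return @(Get-WinEvent @params) }
    catch {
        # Get-WinEvent throws when the query matches nothing; treat that as empty.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "Collection from $target failed: $_"
        }
        return @()
    }
}

function Get-EventData {
    # Read the named EventData fields from the event XML. This is more robust
    # than positional Properties[] indexes, which differ between event IDs.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    return $data
}

function Test-Excluded {
    # Exclusion filter (placeholder rules): drop computer-account logons (names
    # ending in '$') and network (type 3) logons, which dominate log volume.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = Get-EventData $Event
    return ($data['TargetUserName'] -like '*$') -or ($data['LogonType'] -eq '3')
}

# Local collection (reading the Security log requires an elevated session).
$local = Get-LogonEvents

# Remote collection: confirm the RPC endpoint mapper answers before attributing
# an empty result to the query or to the agent.
$remote = @()
if (Test-NetConnection -ComputerName $RemoteHost -Port 135 -InformationLevel Quiet) {
    $remote = Get-LogonEvents -ComputerName $RemoteHost
} else {
    Write-Warning "$RemoteHost does not answer on TCP 135; remote event log polling will fail."
}

$all  = @($local) + @($remote)
$kept = @($all | Where-Object { -not (Test-Excluded $_) })
Write-Host ("Collected {0} events ({1} local, {2} remote); {3} remain after the exclusion filter." -f `
    $all.Count, $local.Count, $remote.Count, $kept.Count)

$kept |
    Select-Object MachineName, TimeCreated, Id,
        @{ Name = 'Account';   Expression = { (Get-EventData $_)['TargetUserName'] } },
        @{ Name = 'LogonType'; Expression = { (Get-EventData $_)['LogonType'] } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the host where the agent is installed. The XPath query is the part that the Windows Event Log service evaluates before events are handed to the collector, which is why it is the cheaper place to cut volume; the exclusion filter runs on events that were already read, so it costs collection work even for events it discards.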