Sending Syslog data to QRadar over TCP

You want the WinCollect agent to send Syslog data to your QRadar® Status Server over TCP rather than UDP. Changing the agent alone is not enough: you must also select TCP for the destination in the Destination Manager on your IBM® QRadar Console.

About this task

By default, log source events are sent over TCP, but status server messages are sent over UDP.

Procedure

  1. Locate the update_updtTemplate.xml template in the \IBM\WinCollect\samples directory.
  2. Save a copy of the template and name it update_ChangeUDPtoTCP.xml.
  3. Modify the file:
    1. Open the agent config definition file (AgentConfigDefinition.xml) and find the Protocol parameter.
      Important: Do Not Modify the AgentConfigDefinition.xml file.
      The Protocol parameter is defined in the TypeDef object, so every object that has this parameter inherits its default value from there. The StatusServer object under AgentCore has its own Protocol parameter, with a default value of UDP. To refer to a child object in an object path, separate the parent and child with a forward slash (/), for example AgentCore/StatusServer.
    2. Change the object path in your script to AgentCore/StatusServer, the Protocol parameter to TCP, and the description to Changing status server protocol to TCP.
      The final script looks like this:
      <?xml version="1.0" encoding="UTF-8"?>
      <WinCollectScript version="10.0">
          <Update objPath="AgentCore/StatusServer" setParam="Protocol" value="TCP" />
      </WinCollectScript>
  4. Save the update_ChangeUDPtoTCP.xml file and move it to the \IBM\WinCollect\patch directory.
    After a few seconds, the agent consumes the file (it disappears from the patch directory) and restarts. The previous AgentConfig.xml is moved to a backup directory named patch_checkpoint_xxxx. If the file is still in the patch directory after a minute, the agent has not applied it; check the agent log before assuming the protocol has changed.
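The whole procedure above, scripted in PowerShell as an added example (this is not IBM's code and not part of the original page). It builds the update_ChangeUDPtoTCP.xml patch from the page's script, stages a copy in the samples directory, drops it into the patch directory and waits for the agent to consume it. The install root ($env:ProgramFiles\IBM\WinCollect), the location of the patch_checkpoint_* backup directory and the WinCollect service name are assumptions; adjust them to the host.

```powershell
# Added example: apply the page's status-server UDP-to-TCP patch and confirm
# the agent picked it up. Assumed install root; change if WinCollect lives elsewhere.
$WinCollectRoot = Join-Path $env:ProgramFiles 'IBM\WinCollect'
$SamplesDir     = Join-Path $WinCollectRoot 'samples'
$PatchDir       = Join-Path $WinCollectRoot 'patch'
$PatchName      = 'update_ChangeUDPtoTCP.xml'

# Build a WinCollectScript document with a single <Update> element, the same
# shape as the page's final script. objPath is the object path from
# AgentConfigDefinition.xml, with child objects separated by forward slashes.
function New-WinCollectUpdateScript {
    param(
        [Parameter(Mandatory)] [string] $ObjPath,
        [Parameter(Mandatory)] [string] $SetParam,
        [Parameter(Mandatory)] [string] $Value
    )
    if ($ObjPath -match '\\') {
        throw "objPath '$ObjPath' must use forward slashes between objects, e.g. AgentCore/StatusServer"
    }
    $xml = [xml]'<?xml version="1.0" encoding="UTF-8"?><WinCollectScript version="10.0"/>'
    $update = $xml.CreateElement('Update')
    $update.SetAttribute('objPath',  $ObjPath)
    $update.SetAttribute('setParam', $SetParam)
    $update.SetAttribute('value',    $Value)
    [void]$xml.DocumentElement.AppendChild($update)
    return $xml
}

foreach ($dir in @($SamplesDir, $PatchDir)) {
    if (-not (Test-Path $dir)) { throw "Expected WinCollect directory not found: $dir" }
}

# Step 2/3: keep a copy of the script next to the template, as the procedure does.
$script     = New-WinCollectUpdateScript -ObjPath 'AgentCore/StatusServer' -SetParam 'Protocol' -Value 'TCP'
$stagedCopy = Join-Path $SamplesDir $PatchName
$script.Save($stagedCopy)

# Step 4: place the file in the patch directory. The agent applies it and restarts.
$patchFile = Join-Path $PatchDir $PatchName
Copy-Item -Path $stagedCopy -Destination $patchFile -Force

# The page says the file disappears after a few seconds; give it up to a minute.
$deadline = (Get-Date).AddSeconds(60)
while ((Test-Path $patchFile) -and ((Get-Date) -lt $deadline)) { Start-Sleep -Seconds 2 }

if (Test-Path $patchFile) {
    Write-Warning "$PatchName is still in $PatchDir after 60 s; the agent has not applied it. Check the agent log."
    return
}
Write-Host "Patch consumed; the agent is restarting."

# The pre-patch AgentConfig.xml is backed up under patch_checkpoint_xxxx. Its exact
# parent directory is an assumption here, so search below the install root.
$backup = Get-ChildItem -Path $WinCollectRoot -Directory -Filter 'patch_checkpoint_*' -Recurse -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($backup) { Write-Host "Previous configuration backed up to: $($backup.FullName)" }

# Assumed service name 'WinCollect': wait for the restarted agent to come back.
$svc = Get-Service -Name 'WinCollect' -ErrorAction SilentlyContinue
if ($svc) {
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Write-Host "WinCollect service status: $((Get-Service -Name 'WinCollect').Status)"
}
```

Remember that this only changes the agent side. Until TCP is also selected for the status server destination in the Destination Manager on the QRadar Console, status messages will not arrive over TCP, so verify both ends before relying on the change.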