Configuring the WinCollect agent to collect event logs from Centrify Infrastructure Services
You can forward Windows events to IBM QRadar by using WinCollect.
To forward Windows events by using WinCollect, install the WinCollect agent on a Windows host. Download the WinCollect agent setup file from the IBM® Support website (https://www.ibm.com/support). Then add a Centrify Infrastructure Services log source and assign it to the WinCollect agent, using the parameters in the following table.
Parameter | Value |
---|---|
Log Source type | Centrify Infrastructure Services |
Protocol Configuration | WinCollect |
Log Source Identifier | The IP address or host name of the Windows machine from which you want to collect Windows events. The log source identifier must be unique for the log source type. |
Local System | Select the Local System check box to disable the remote collection of events for the log source. The log source uses local system credentials to collect and forward logs to QRadar. You need to configure the Domain, Username, and Password parameters if remote collection is required. |
Event Rate Tuning Profile | For the default polling interval of 3000 ms, the approximate Events per second (EPS) rates attainable are as follows: For a polling interval of 1000 ms, the approximate EPS rates are as follows: For more information about tuning WinCollect, go to the IBM Support website (http://www.ibm.com/support/docview.wss?uid=swg21672193). |
Polling Interval (ms) | The interval, in milliseconds, between times when WinCollect polls for new events. |
Application or Service Log Type | Select None for the Application or Service Log Type. |
Standard Log Types | Do not enable the check box for any of the log types. Select No Filtering as the log filter type for the following log types: Security, System, Application, DNS Server, File Replication Service, and Directory Service. |
Event Types | You must select at least one event type. |
XPath Query | To forward only Centrify Audit events, you must specify the XPath filter. The query is in XML format and can be created by using Custom View Properties of Microsoft Event Viewer. For more information about creating an XPath query, go to the Creating a custom view documentation on the IBM Support website (https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.wincollect.doc/t_ug_wincollect_creating_customview.html). Important: When you create the custom view, ensure that the By Source option is selected. From the Event sources list, select the application name of the Centrify Audit Events. Example XPath query: |
Enable Active Directory Lookups | Do not select the check box. |
WinCollect Agent | Select your WinCollect agent from the list. |
Target Internal Destination | Use any managed host with an event processor component as an internal destination. |
For more information about WinCollect log source parameters, go to the Common WinCollect log source parameters documentation on the IBM Support website (https://www.ibm.com/support/knowledgecenter/en/SS42VS_SHR/com.ibm.wincollect.doc/r_ug_wincollect_comon_parameters.html).
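The following added example (not part of the IBM documentation) shows the shape of the "By Source" custom-view XML that the XPath Query parameter expects, and simulates the effect of the filter on constructed events: only events whose System/Provider name matches the selected source are forwarded. The provider name `PLACEHOLDER_CENTRIFY_AUDIT_PROVIDER` and the sample event IDs are placeholders; substitute the application name shown in Event Viewer for the Centrify Audit events.

```python
import xml.etree.ElementTree as ET

# Placeholder: replace with the application name listed under Event sources
# in Event Viewer for the Centrify Audit events (not stated on this page).
CENTRIFY_PROVIDER = "PLACEHOLDER_CENTRIFY_AUDIT_PROVIDER"

# Custom-view XML as produced by Event Viewer with "By Source" selected.
QUERY_TEMPLATE = (
    '<QueryList><Query Id="0" Path="{channel}">'
    '<Select Path="{channel}">*[System[Provider[@Name=\'{provider}\']]]</Select>'
    '</Query></QueryList>'
)


def build_by_source_query(provider, channel="Application"):
    """Return the XPath query XML that selects only events from `provider`."""
    return QUERY_TEMPLATE.format(channel=channel, provider=provider)


def selected_provider(query_xml):
    """Pull the provider name out of the single By Source predicate.
    Minimal parsing for this query shape only, not a full XPath engine."""
    expr = ET.fromstring(query_xml).find("Query/Select").text
    start = expr.index("@Name='") + len("@Name='")
    return expr[start:expr.index("'", start)]


def filter_events(query_xml, events_xml):
    """Return the EventIDs of events the filter would let WinCollect forward:
    those whose System/Provider Name equals the provider in the query."""
    wanted = selected_provider(query_xml)
    kept = []
    for raw in events_xml:
        event = ET.fromstring(raw)
        provider = event.find("System/Provider")
        if provider is not None and provider.get("Name") == wanted:
            kept.append(event.findtext("System/EventID"))
    return kept


# Constructed sample events in the Windows event XML shape; IDs are arbitrary.
SAMPLE_EVENTS = [
    f'<Event><System><Provider Name="{CENTRIFY_PROVIDER}"/><EventID>6003</EventID></System></Event>',
    '<Event><System><Provider Name="Application Error"/><EventID>1000</EventID></System></Event>',
    f'<Event><System><Provider Name="{CENTRIFY_PROVIDER}"/><EventID>6004</EventID></System></Event>',
]

if __name__ == "__main__":
    query = build_by_source_query(CENTRIFY_PROVIDER)
    print(query)
    print(filter_events(query, SAMPLE_EVENTS))  # ['6003', '6004']
```

Paste the generated QueryList into the XPath Query field; without a By Source predicate every event in the channel would be forwarded, not only the Centrify Audit events.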