Configuring WinCollect agent to collect event logs from Centrify Infrastructure Services

You can forward Windows events to IBM QRadar by using WinCollect.

To forward Windows events by using WinCollect, install the WinCollect agent on a Windows host. Download the WinCollect agent setup file from the IBM® Support website (https://www.ibm.com/support). Then add a Centrify Infrastructure Services log source and assign it to the WinCollect agent.

The following table describes the values that are required for the WinCollect log source parameters.
Table 1. WinCollect log source parameters
Parameter Value
Log Source type Centrify Infrastructure Services
Protocol Configuration WinCollect
Log Source Identifier The IP address or host name of the Windows machine from which you want to collect Windows events. The log source identifier must be unique for the log source type.
Local System

Select the Local System check box to disable the remote collection of events for the log source. The log source uses local system credentials to collect and forward logs to QRadar.

You need to configure the Domain, Username, and Password parameters if remote collection is required.

Event Rate Tuning Profile
For the default polling interval of 3000 ms, the approximate Events per second (EPS) rates attainable are as follows:
  • Default (Endpoint): 33-50 EPS
  • Typical Server: 166-250 EPS
  • High Event Rate Server: 416-625 EPS
For a polling interval of 1000 ms, the approximate EPS rates are as follows:
  • Default (Endpoint): 100-150 EPS
  • Typical Server: 500-750 EPS
  • High Event Rate Server: 1250-1875 EPS

For more information about tuning WinCollect, go to the IBM Support website (http://www.ibm.com/support/docview.wss?uid=swg21672193).

Polling Interval (ms) The interval, in milliseconds, between times when WinCollect polls for new events.
Application or Service Log Type Select None for the Application or Service Log Type.
Standard Log Types Do not enable the check box for any of the standard log types (Security, System, Application, DNS Server, File Replication Service, and Directory Service); the XPath query selects the Centrify events instead.

Leave the log filter type for each of those log types set to No Filtering.

Event Types You must select at least one event type.
XPath Query To forward only Centrify Audit events, you must specify an XPath filter. The query is an XML QueryList document; you can create it on the XML tab of the Custom View Properties dialog in Microsoft Event Viewer and paste it into this field.

For more information about creating an XPath query, go to the Creating a custom view documentation on the IBM Support website (https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.wincollect.doc/t_ug_wincollect_creating_customview.html).

Important: When you create the custom view, ensure that the By Source option is selected. From the Event sources list, select the application name of the Centrify Audit Events.

Example XPath query:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='Centrify AuditTrail V2']]]</Select>
  </Query>
</QueryList>
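Before you paste the query into the log source, it is worth confirming on the Windows host that the provider name is right and that the query actually matches events, and measuring the event rate so that you can choose an Event Rate Tuning Profile from the table above. The following PowerShell script is an added example, not part of the IBM documentation or of the WinCollect agent; it assumes the provider name 'Centrify AuditTrail V2' from the example query and the Event Rate Tuning Profile thresholds listed for the default 3000 ms polling interval.

```powershell
# Added example (not from the IBM documentation): validate the Centrify XPath query
# locally with Get-WinEvent and estimate the event rate for profile selection.
# Assumption: the provider name 'Centrify AuditTrail V2' from the page's example query.

$providerName = 'Centrify AuditTrail V2'

$xpath = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='$providerName']]]</Select>
  </Query>
</QueryList>
"@

# 1. Check that the provider is registered on this host. A misspelled provider name
#    produces a query that is well-formed but matches nothing, so WinCollect forwards
#    no Centrify events and nothing reports an error.
$provider = Get-WinEvent -ListProvider $providerName -ErrorAction SilentlyContinue
if (-not $provider) {
    Write-Warning "Provider '$providerName' is not registered on this host. Check the exact name in Event Viewer (Custom View > By source)."
}

# 2. Run the same QueryList the agent will use. -FilterXml expects an XmlDocument.
$events = @(Get-WinEvent -FilterXml ([xml]$xpath) -ErrorAction SilentlyContinue)
Write-Host ("Query returned {0} event(s) from the Application log." -f $events.Count)
if ($events.Count -eq 0) {
    Write-Host "No events matched. Verify the provider name and that Centrify auditing is enabled."
    return
}

# 3. Show which event IDs are present, to help decide which Event Types to select
#    in the log source (at least one must be selected).
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n='EventId';e={$_.Name}}, Count | Format-Table -AutoSize

# 4. Estimate events per second over the last hour and map it onto the tuning
#    profiles listed for the default 3000 ms polling interval.
$windowStart = (Get-Date).AddHours(-1)
$recent = @($events | Where-Object { $_.TimeCreated -ge $windowStart })
$eps = [math]::Round($recent.Count / 3600.0, 2)

$profile = switch ($true) {
    { $eps -le 50 }  { 'Default (Endpoint)'; break }
    { $eps -le 250 } { 'Typical Server'; break }
    default          { 'High Event Rate Server (or reduce the polling interval)' }
}
Write-Host ("Approximately {0} EPS over the last hour; suggested Event Rate Tuning Profile: {1}" -f $eps, $profile)
```

Run the script in an elevated PowerShell session on the host that the log source identifier points to; reading the Application log does not normally require administrator rights, but the account must be able to read the log that WinCollect will collect from. If the hour-long window is quieter than normal operation, widen it or rerun during peak activity before settling on a profile.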
Enable Active Directory Lookups Do not select the check box.
WinCollect Agent Select your WinCollect agent from the list.
Target Internal Destination Use any managed host with an event processor component as an internal destination.

For more information about WinCollect log source parameters, go to the Common WinCollect log source parameters documentation on the IBM Support website (https://www.ibm.com/support/knowledgecenter/en/SS42VS_SHR/com.ibm.wincollect.doc/r_ug_wincollect_comon_parameters.html).