You can add multiple log sources at one time in bulk to IBM® QRadar®. The log sources must share a common configuration protocol and be associated with the same WinCollect agent.

You can upload a text file that contains a list of IP addresses or host names, run a query against a domain controller to get a list of hosts, or manually enter a list of IP addresses or host names by typing them in one at a time.

Depending on the number of WinCollect log sources that you add at one time, it can take time for the WinCollect agent to access and collect all Windows events from the log source list.
Before you begin
Ensure that you created destinations so that WinCollect agents can send Windows events to QRadar appliances. Ensure that you created one destination for each QRadar Event Collector 16xx or 18xx appliance.

Plan your bulk collection strategy with the WinCollect Event Log Report tool. For more information, see GitHub (https://github.com/ibm-security-intelligence/wincollect).
About this task
You can have a maximum of 500 log sources for each managed WinCollect agent. You must also remain under 5,000 EPS for local collection and 2,500 EPS for remote polling on the WinCollect agent. You can review the Event Viewer on the Windows systems to determine how many events are generated in each hour. Divide that value by 3600 seconds to get the EPS rate. This calculation helps you to plan how many agents you need to install. Alternatively, look at events over a 24-hour period to see how busy each Windows server is. This helps you determine how to tune agents, and it avoids tuning to the minimum and maximum EPS rates that appear only when you review the data hour by hour.
Procedure
- On the Admin tab navigation menu, click Data Sources, and then click the WinCollect icon.
- Select the WinCollect agent that you want to assign log sources to, and click Log Sources.
- Click .
- Provide a name for the bulk log source. To make it easy to locate, use the name of the WinCollect agent that does the remote collection.
- From the Log Source Type list box, select Microsoft Windows Security Event Log.
- From the Protocol Configuration list box, select WinCollect.
- Use the tuning value specified by the WinCollect Event Log Report tool to tune your log sources appropriately.
- Select all of the Standard Log Types check boxes. The WinCollect agent reads and forwards these remote logs to QRadar.
  Important: Do not select the Forwarded Events check box. Forwarded Events is a special use case; selecting it prevents the bulk log sources from being added correctly.
- Select all of the Event Types check boxes.
- Select the Enable Active Directory Lookups check box. This option identifies user names that appear in Windows events as hexadecimal values and resolves them to human-readable user names.
- From the WinCollect Agent list, select the Windows host that manages the log source.
- From the Target Internal Destination list, select the QRadar appliance that receives and processes the Windows events.
- Add the IP addresses for the Windows operating systems that you want to remotely poll for events. You can upload a text file that contains a list of IP addresses or host names, run a query against a domain controller to get a list of hosts, or enter the IP addresses or host names manually, one at a time. Depending on how many log sources you add at one time, the WinCollect agent can take some time to access and collect all Windows events from the log source list.
- Click Save and then click Continue.
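The EPS calculation from "About this task" and the host list uploaded in the last step are the two places where bulk collection usually goes wrong: too many hosts, or too many events, behind one agent. The following script is an added example and is not IBM code or part of the QRadar documentation. It turns 24 hourly Event Viewer counts per host into peak and average EPS (count divided by 3600), packs hosts onto agents so that no agent exceeds the 500 log source and 2,500 EPS remote polling limits stated on this page, and emits one host list per agent. The hourly counts are constructed sample data, the host names and the 10.0.5.20 address are hypothetical, and the assumption that the bulk-upload text file holds one IP address or host name per line is the author's, not the page's.

```python
"""WinCollect remote-polling capacity planner.

Added example; it is not IBM code and not part of the QRadar documentation.
Limits used here come from the page: 500 log sources per managed agent,
2,500 EPS for remote polling, and 3600 seconds per hour for the EPS calculation.
Assumptions: the hourly event counts below were read out of Event Viewer by
hand and are constructed sample data; the bulk-upload text file holds one
IP address or host name per line.
"""
from dataclasses import dataclass, field

MAX_LOG_SOURCES_PER_AGENT = 500      # per managed WinCollect agent (from the page)
MAX_REMOTE_POLLING_EPS = 2500.0      # per agent, remote polling (from the page)
SECONDS_PER_HOUR = 3600
HOURS_PER_DAY = 24


@dataclass
class HostLoad:
    name: str          # IP address or host name as it will appear in the upload file
    peak_eps: float    # busiest hour of the 24-hour sample, in events per second
    avg_eps: float     # 24-hour average, in events per second


@dataclass
class AgentPlan:
    hosts: list = field(default_factory=list)
    peak_eps: float = 0.0    # sum of the members' peak EPS (worst case if busy hours align)

    def fits(self, host: HostLoad) -> bool:
        return (len(self.hosts) < MAX_LOG_SOURCES_PER_AGENT
                and self.peak_eps + host.peak_eps <= MAX_REMOTE_POLLING_EPS)

    def add(self, host: HostLoad) -> None:
        self.hosts.append(host)
        self.peak_eps += host.peak_eps


def host_load(name: str, hourly_counts: list) -> HostLoad:
    """Turn 24 hourly Event Viewer counts into peak and average EPS (count / 3600)."""
    if len(hourly_counts) != HOURS_PER_DAY:
        raise ValueError(f"{name}: expected {HOURS_PER_DAY} hourly counts, got {len(hourly_counts)}")
    peak = max(hourly_counts) / SECONDS_PER_HOUR
    avg = sum(hourly_counts) / (HOURS_PER_DAY * SECONDS_PER_HOUR)
    return HostLoad(name, peak, avg)


def plan_agents(loads: list) -> list:
    """Assign hosts to agents, first-fit decreasing on peak EPS.

    Sizing on the sum of peaks is deliberately conservative: the agent stays
    under 2,500 EPS even if every member's busy hour coincides.
    """
    plans = []
    for host in sorted(loads, key=lambda h: h.peak_eps, reverse=True):
        if host.peak_eps > MAX_REMOTE_POLLING_EPS:
            raise ValueError(f"{host.name}: {host.peak_eps:.0f} EPS exceeds the remote polling "
                             "limit on its own; collect that host locally instead")
        for plan in plans:
            if plan.fits(host):
                plan.add(host)
                break
        else:
            plan = AgentPlan()
            plan.add(host)
            plans.append(plan)
    return plans


def host_list_file(plan: AgentPlan) -> str:
    """Upload text for one agent's bulk log source (assumed format: one entry per line)."""
    return "".join(f"{h.name}\n" for h in plan.hosts)


def plan_from_counts(counts_by_host: dict) -> list:
    return plan_agents([host_load(name, counts) for name, counts in counts_by_host.items()])


# Constructed sample: 24 hourly event counts per host, as read from Event Viewer.
SAMPLE_HOURLY_COUNTS = {
    "dc01.example.internal": [1_800_000] * 23 + [5_400_000],   # 500 EPS, one 1,500 EPS hour
    "file01.example.internal": [3_600_000] * 24,               # steady 1,000 EPS
    "app02.example.internal": [2_160_000] * 24,                # steady 600 EPS
    "10.0.5.20": [360_000] * 24,                               # steady 100 EPS
}

if __name__ == "__main__":
    for i, plan in enumerate(plan_from_counts(SAMPLE_HOURLY_COUNTS), start=1):
        print(f"agent {i}: {len(plan.hosts)} log sources, {plan.peak_eps:.0f} peak EPS")
        print(host_list_file(plan), end="")
```

With the sample data the four hosts need two agents: the domain controller and the file server together reach exactly 2,500 peak EPS, so the remaining two hosts land on a second agent. Planning on peak rather than average EPS is the point the "About this task" section makes about hour-by-hour review: an agent sized on the 24-hour average would look fine until the busy hours overlap.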
What to do next
Wait for the configurations to be pushed to the remote agents. Verify in the Log Activity tab that events are received.