Adding log sources in bulk for remote collection

You can add multiple log sources at one time in bulk to IBM® QRadar®. The log sources must share a common configuration protocol and be associated with the same WinCollect agent.

You can upload a text file that contains a list of IP addresses or host names, run a query against a domain controller to get a list of hosts, or manually enter a list of IP addresses or host names by typing them in one at a time.

Depending on the number of WinCollect log sources that you add at one time, it can take time for the WinCollect agent to access and collect all Windows events from the log source list.

Before you begin

Ensure that you created destinations so that WinCollect agents can send Windows events to QRadar appliances. Ensure that you created one destination for each QRadar Event Collector 16xx or 18xx appliance.

Plan your bulk collection strategy with the WinCollect Event Log Report tool. For more information, see GitHub (https://github.com/ibm-security-intelligence/wincollect).

About this task

You can have a maximum of 500 log sources for each managed WinCollect agent. You must also stay under 5,000 EPS for local collection and 2,500 EPS for remote polling on the WinCollect agent. To estimate the load, review the Event Viewer on each Windows system to determine how many events are generated in an hour, then divide that value by 3600 seconds to get the EPS rate. This calculation helps you plan how many agents you need to install. Alternatively, look at events over a 24-hour period to see how busy each Windows server is. This view helps you tune the agents without being misled by the minimum and maximum EPS rates that show up only in an hour-by-hour review.
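The sizing described above, worked through as an added example (not IBM's code): per-host hourly Event Viewer counts are constructed sample data, the limits are the ones this page states, and the grouping of hosts into agents is a simple first-fit-decreasing assumption, not a WinCollect feature.

```python
from typing import Dict, List, Tuple

MAX_SOURCES_PER_AGENT = 500   # log sources per managed WinCollect agent (from the page)
MAX_REMOTE_EPS = 2500         # remote-polling ceiling per agent (from the page)
SECONDS_PER_HOUR = 3600

# Constructed sample: 24 hourly event counts per host, as read from Event Viewer.
HOURLY_COUNTS: Dict[str, List[int]] = {
    "10.0.0.11": [1_800_000] * 8 + [7_200_000] * 8 + [1_800_000] * 8,  # busy daytime
    "10.0.0.12": [3_600_000] * 24,
    "10.0.0.13": [1_800_000] * 24,
    "10.0.0.14": [720_000] * 24,
    "10.0.0.15": [360_000] * 24,
}


def eps_profile(hourly_counts: List[int]) -> Tuple[float, float]:
    """Return (average EPS over the period, EPS of the busiest hour)."""
    average = sum(hourly_counts) / (len(hourly_counts) * SECONDS_PER_HOUR)
    peak = max(hourly_counts) / SECONDS_PER_HOUR
    return average, peak


def plan_agents(hosts: Dict[str, List[int]]) -> List[List[str]]:
    """Group hosts into agents (first-fit decreasing on peak EPS, an assumed
    heuristic) so no agent exceeds the source count or remote EPS limit."""
    peaks = {h: eps_profile(c)[1] for h, c in hosts.items()}
    for host, peak in peaks.items():
        if peak > MAX_REMOTE_EPS:  # one agent cannot poll this host remotely
            raise ValueError(f"{host}: peak {peak:.0f} EPS exceeds remote limit; collect locally")
    agents: List[List[str]] = []
    loads: List[float] = []
    for host in sorted(peaks, key=peaks.get, reverse=True):
        for i, members in enumerate(agents):
            if len(members) < MAX_SOURCES_PER_AGENT and loads[i] + peaks[host] <= MAX_REMOTE_EPS:
                members.append(host)
                loads[i] += peaks[host]
                break
        else:  # no existing agent has room: start a new one
            agents.append([host])
            loads.append(peaks[host])
    return agents


def bulk_add_file(members: List[str]) -> str:
    """Text file for the bulk add: one IP address or host name per line."""
    return "\n".join(members) + "\n"


if __name__ == "__main__":
    for n, members in enumerate(plan_agents(HOURLY_COUNTS), start=1):
        peak = sum(eps_profile(HOURLY_COUNTS[h])[1] for h in members)
        print(f"agent {n}: {len(members)} sources, {peak:.0f} EPS at peak")
        print(bulk_add_file(members), end="")
```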

Procedure

  1. On the Admin tab navigation menu, click Data Sources, and then click the WinCollect icon.
  2. Select the WinCollect agent that you want to assign log sources to, and click Log Sources.
  3. Click Bulk Actions > Bulk Add.
  4. Provide a name for the bulk log source. To make it easy to locate, use the name of the WinCollect agent that does the remote collection.
  5. From the Log Source Type list box, select Microsoft Windows Security Event Log.
  6. From the Protocol Configuration list box, select WinCollect.
  7. Use the tuning value specified by the WinCollect Event Log Report tool to tune your log sources appropriately.
  8. Select all of the Standard Log Types check boxes. The WinCollect agent reads and forwards these remote logs to QRadar.
    Important: Do not select the Forwarded Events check box. Forwarded events are a special use case, and selecting this option does not add multiple log sources correctly.
  9. Select all of the Event Types check boxes.
  10. Select the Enable Active Directory Lookups check box. This option identifies user names that appear in Windows events as hexadecimal values and resolves them to human-readable user names.
  11. From the WinCollect Agent list, select the Windows host that manages the log source.
  12. From the Target Internal Destination list, select the QRadar appliance that receives and processes the Windows events.
  13. Add the IP addresses for the Windows operating systems that you want to remotely poll for events.

  14. Click Save and then click Continue.

What to do next

Wait for the configurations to be pushed to the remote agents. Verify in the Log Activity tab that events are received.