WinCollect overview

WinCollect is a Syslog event forwarder that administrators can use to forward events from Windows logs to QRadar®. WinCollect can collect events from systems locally or be configured to remotely poll other Windows systems for events.

WinCollect is one of many solutions for Windows event collection. For more information about alternatives to WinCollect, see the IBM® Security QRadar DSM Configuration Guide.

How does WinCollect Work?

WinCollect uses the Windows Event Log API to gather events, and then WinCollect sends the events to QRadar.

Note: Managed deployment is not supported in QRadar on Cloud environments. Customers who use IBM QRadar on Cloud must use stand-alone WinCollect agents.

WinCollect managed deployment

A managed WinCollect deployment has a QRadar appliance that shares information with the WinCollect agent that is installed on the Windows hosts that you want to monitor. The Windows host can either gather information from itself, the local host, and, or remote Windows hosts. Remote hosts don't have the WinCollect software installed. The Windows host with WinCollect software installed polls the remote hosts, and then sends event information to QRadar.

Note: Managed deployment is not supported in QRadar on Cloud environments. Customers who use IBM QRadar on Cloud must use stand-alone WinCollect agents.

Figure 1. WinCollect managed deployment example

Important:

In a managed deployment, the WinCollect agents that are installed on Windows hosts can be managed by any QRadar Console, Event Collector, or Event Processor.
Managed WinCollect deployments are not supported on QRadar on Cloud.

In a managed deployment, WinCollect is designed to work with up to 500 Windows agents per Console and managed host. For example, if you have a deployment with a Console, an Event Processor, and an Event Collector, each can support up to 500 Windows agents, for a total of 1,500. If you want to monitor more than 500 Windows agents per Console or managed host, use the stand-alone WinCollect deployment.

For more information, see Stand-alone WinCollect Installations.

The managed WinCollect deployment has the following capabilities:

Central management from the QRadar Console or managed host.
Automatic local log source creation at the time of installation.
Event storage to ensure that no events are dropped.
Collects forwarded events from Microsoft Subscriptions.
Filters events by using XPath queries or exclusion filters.
Supports virtual machine installations.
Console can send software updates to remote WinCollect agents without you reinstalling agents in your network.
Forwards events on a set schedule (Store and Forward)

WinCollect stand-alone deployment

If you need to collect Windows events from more than 500 agents, use the stand-alone WinCollect deployment. A stand-alone deployment is a Windows host in unmanaged mode with WinCollect software installed. The Windows host can either gather information from itself, the local host, and, or remote Windows hosts. Remote hosts don't have the WinCollect software installed. The Windows host with WinCollect software installed polls the remote hosts, and then sends event information to QRadar. To save time when you configure more than 500 Windows agents, you can use a solution such as IBM Endpoint Manager. Automation can help you manage stand-alone instances.

You can also deploy stand-alone WinCollect to consolidate event data on one Windows host, where WinCollect collects events to send to QRadar.

Stand-alone WinCollect mode has the following capabilities:

You can configure each WinCollect agent by using the WinCollect Configuration Console.
You can update WinCollect software with the software update installer.
Event storage to ensure that no events are dropped.
Collects forwarded events from Microsoft Subscriptions.
Filters events by using XPath queries or exclusion filters.
Supports virtual machine installations.
Send events to QRadar using TLS Syslog.
Automatically create a local log source at the time of agent installation.

Capabilities of managed and stand-alone WinCollect deployments

Review the following table to understand which capabilities are available when using managed or stand-alone WinCollect agents.

Table 1. Capabilities of managed WinCollect vs. stand-alone WinCollect
Capability	Managed WinCollect	Stand-alone WinCollect
Central management from the QRadar Console or managed host.	Yes	No
Automatic local log source creation at the time of installation.	Yes	Yes
Event storage to ensure that no events are dropped.	Yes	Yes
Collects forwarded events from Microsoft Subscriptions.	Yes	Yes
Filters events by using XPath queries or exclusion filters.	Yes	Yes
Supports virtual machine installations.	Yes	Yes
QRadar Console can send software updates to WinCollect agents.	Yes	No
Forwards events on a set schedule (Store and Forward).	Yes	No
You can configure each WinCollect agent by using the WinCollect Configuration Console.	No	Yes
You can update WinCollect software with the software update installer.	No	Yes
Available with QRadar on Cloud	No	Yes
Available with on-prem QRadar	Yes	Yes

Setting up a managed WinCollect deployment

For a managed deployment, follow these steps:

Understand the prerequisites for managed WinCollect, which ports to use, what hardware is required, how to upgrade. For more information, see Installation prerequisites for WinCollect.
Install the WinCollect application on the QRadar console. For more information, see Installing and upgrading the WinCollect application on QRadar appliances.
Create an authentication token so that the managed WinCollect agents can exchange data with QRadar appliances. For more information, see Creating an authentication token for WinCollect agents.
Configure a forwarding destination host for the log source data. For more information, see Adding a destination.
Install managed WinCollect agents on the Windows hosts. For more information, see one of the following options:
If you want to configure forwarded events or event subscriptions, see Windows event subscriptions for WinCollect agents.
If you want to use the legacy Log Source UI to bulk add log sources that will be remotely polled by a single WinCollect agent, see Bulk log sources for remote event collection.
Tune your WinCollect log sources. For more information, see the Event Rate Tuning Profile parameter in Windows log source parameters.
If you want a managed WinCollect agent to send events to multiple QRadar destinations in case one fails, see Adding multiple destinations to WinCollect agents.

Setting up a stand-alone WinCollect deployment

For a stand-alone deployment, follow these steps:

Understand the prerequisites for stand-alone WinCollect, which ports to use, what hardware is required, how to upgrade. For more information, see Installation prerequisites for WinCollect.
Install stand-alone WinCollect agents on the Windows hosts. For more information, see Installing the WinCollect agent on a Windows host.
If you want to add new log sources to your agent or modify existing log sources, install the WinCollect stand-alone configuration console. For more information, see Installing the configuration console or Silently installing, upgrading, and uninstalling WinCollect software.
Configure the destination where the Windows hosts send Windows events. For more information, see Adding a destination to the WinCollect Configuration Console.
If you want to use the stand-alone WinCollect agent to collect events from other devices using remote polling, create a credential in the WinCollect stand-alone configuration console, so that WinCollect can log in to the remote devices. For more information, see Creating a WinCollect credential.
If you want to add additional log sources to the stand-alone WinCollect agent, do so using the WinCollect stand-alone configuration console. For more information, see Adding a device to the WinCollect Configuration Console.