Windows event subscriptions for WinCollect agents

To feed events from many hosts to a single WinCollect agent, you can use Windows event subscriptions (Windows Event Forwarding). When event subscriptions are configured, numerous Windows hosts push their events to the host that runs the WinCollect agent, which passes them to IBM® Security QRadar®. Because the agent does not poll the source hosts, it does not need administrator credentials on them.

Forwarded events

The event subscription that is configured between the sending host and the collector defines which events are collected. The event log check boxes that are selected on the WinCollect log source do not narrow this selection: WinCollect forwards every event that the subscription delivers.

Windows event subscriptions, or forwarded events, are not treated as local or remote collection; the agent acts as an event listener. Select the WinCollect Forwarded Events check box to enable the WinCollect log source to identify Windows event subscriptions. Although the agent displays only a single log source in the user interface, that one log source listens for and processes events from potentially hundreds of event subscriptions. The agent recognizes an event that arrived through a subscription, processes its content, and then sends the resulting syslog event to QRadar.
Note: Forwarded events can be collected with the Forwarded Events check box only. An XPath query cannot be used to filter them on the log source; filtering is done in the subscription itself.

Forwarded events are displayed as Windows Auth @ <hostname> or <FQDN> in the Log Activity tab. Locally or remotely collected events, by contrast, appear as Windows Auth @ <IP address> or <hostname>. When WinCollect collects an event itself, it adds an extra syslog header that identifies the event as a WinCollect event. Because a forwarded event is passed through by the listener, it does not carry the WinCollect identifier and appears as a standard event.

Important: WinCollect collects only those forwarded events that are written to an event log and appear in the Windows Event Viewer on the agent host (by default, the ForwardedEvents log).
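The following PowerShell, run on the host where the WinCollect agent is installed, is an added example and not IBM's or Microsoft's code. It creates a source-initiated event subscription whose XPath query is the only filter applied to forwarded events, which is why the check boxes on the WinCollect log source have no effect on them. The subscription name, the domain group that holds the source hosts, and the event IDs are hypothetical choices; the SDDL form and XML schema are the ones Microsoft documents for source-initiated subscriptions.

```powershell
# Added example (not IBM's code): create a source-initiated Windows event
# subscription on the host that runs the WinCollect agent (the collector).
# The <Query> inside the subscription is the only filter that matters for
# forwarded events: it decides what lands in ForwardedEvents, and WinCollect
# then forwards everything that appears there. Assumptions: run elevated on
# the collector, source hosts are domain members, and the subscription name,
# domain group and event IDs below are hypothetical choices.
#Requires -RunAsAdministrator

$SubscriptionName = 'QRadar-WinCollect-Security'   # hypothetical
$SourceHostGroup  = 'CONTOSO\Domain Computers'      # hypothetical group holding the source hosts

# 1. Enable the Windows Event Collector service and its WinRM listener; this is
#    what the source hosts connect to and what writes the ForwardedEvents log.
wecutil qc /q

# 2. Source-initiated subscriptions authorize sources by SDDL. Translate the
#    group to a SID and grant it generic access (the form Microsoft documents).
$account  = New-Object System.Security.Principal.NTAccount($SourceHostGroup)
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl     = "O:NSG:BAD:P(A;;GA;;;$groupSid)S:"

# 3. Subscription definition. Only events matching the XPath in <Select> are
#    forwarded; the event-log check boxes on the WinCollect log source do not
#    narrow this further.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security events forwarded to the WinCollect agent host</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">
            *[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=4688)]]
          </Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>$sddl</AllowedSourceDomainComputers>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding Unicode

# 4. Register it and confirm the collector lists it as enabled.
wecutil cs $xmlPath
wecutil gs $SubscriptionName
```

On each source host, the Configure target Subscription Manager policy (Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding) must point at this collector, for example Server=http://<collector FQDN>:5985/wsman/SubscriptionManager/WEC,Refresh=60, and the NETWORK SERVICE account needs membership in the local Event Log Readers group so it can read the Security log. The HTTP transport is Kerberos-authenticated and message-encrypted by WinRM; use TransportName HTTPS and port 5986 if you also want TLS on the channel. On the QRadar side, the WinCollect log source on this agent needs only the Forwarded Events check box selected.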

Supported software environments

Event subscriptions apply only to WinCollect agents and hosts that are configured on the following Windows operating systems:
  • Windows 10 (most recent)
  • Windows Server 2016 (including Core)
  • Windows Server 2019 (including Core)
  • Windows Server 2022 (including Core)
Important: WinCollect is not supported on versions of Windows that are designated end-of-life by Microsoft. After the software is beyond the Extended Support End Date, the product might still function as expected. However, IBM does not make code or vulnerability fixes to resolve WinCollect issues for older operating systems. For example, Microsoft Windows Server 2003 R2 and Microsoft Windows XP are operating systems that are beyond the "Extended Support End Date." Any questions about this announcement can be discussed in the IBM QRadar Collecting Windows Events (WMI/ALE/WinCollect) forum. For more information, see https://support.microsoft.com/en-us/lifecycle/search.

For more information about event subscriptions, see your Microsoft documentation or the Microsoft technical website (http://technet.microsoft.com/en-us/library/cc749183.aspx).

Troubleshooting event collection

Microsoft event subscriptions have no alert mechanism to indicate that an event source stopped sending events. If the subscription fails between the source host and the collector, the subscription still appears active, but the service that is responsible for it can be in an error state. On the WinCollect side, remotely polled or local log sources time out when no events are received within 720 minutes (12 hours); a forwarded-events log source shows the same symptom if the subscription silently stops delivering, so check the collector itself rather than waiting for the timeout.
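Because Windows raises no alert when a source goes quiet, a practitioner checks the collector directly. The following PowerShell health check is an added example and not IBM's or Microsoft's code; run it on the WinCollect agent host, for example from a scheduled task. It inspects the Windows Event Collector service, the per-source runtime status that wecutil gr reports, recent errors in the collector's own operational log, and whether each known source actually delivered anything to ForwardedEvents in the window. The subscription name and the staleness threshold are hypothetical; the threshold is deliberately far below the 720-minute WinCollect timeout.

```powershell
# Added example (not IBM's code): health check for a Windows event subscription,
# run on the host where the WinCollect agent acts as the collector. Subscription
# name and threshold are hypothetical. The wecutil parsing assumes the plain-text
# layout 'wecutil gr' prints on current Windows Server releases: a line without a
# colon is a source host name, and the "Key: value" lines that follow belong to it.
#Requires -RunAsAdministrator
param(
    [string]$SubscriptionName = 'QRadar-WinCollect-Security',   # hypothetical
    [int]$StaleMinutes = 120                                      # hypothetical, well under WinCollect's 720
)

$since    = (Get-Date).AddMinutes(-$StaleMinutes)
$problems = New-Object System.Collections.Generic.List[string]

# 1. Collector service. A stopped Wecsvc leaves the subscription "enabled" on paper.
$svc = Get-Service -Name Wecsvc
if ($svc.Status -ne 'Running') { $problems.Add("Wecsvc is $($svc.Status), not Running") }

# 2. Runtime status as the collector sees it: the subscription's own status, then
#    one block per source host with RunTimeStatus and LastError.
$knownSources = New-Object System.Collections.Generic.List[string]
$current = 'subscription'
$output  = & wecutil gr $SubscriptionName 2>&1
if ($LASTEXITCODE -ne 0) {
    $problems.Add("wecutil gr $SubscriptionName failed: $($output -join ' ')")
} else {
    foreach ($raw in $output) {
        $line = "$raw".Trim()
        if (-not $line) { continue }
        if ($line -notmatch ':') {
            $current = $line
            $knownSources.Add($line)
        } elseif ($line -match '^RunTimeStatus:\s*(.+)$' -and $Matches[1] -ne 'Active') {
            $problems.Add("$current RunTimeStatus is $($Matches[1])")
        } elseif ($line -match '^LastError:\s*(\S+)' -and $Matches[1] -ne '0') {
            $problems.Add("$current LastError is $($Matches[1])")
        }
    }
}

# 3. Errors the collector logged about itself in the window (Level 2 = Error).
$collectorErrors = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-EventCollector/Operational'
    Level     = 2
    StartTime = $since
})
if ($collectorErrors.Count -gt 0) {
    $problems.Add("$($collectorErrors.Count) collector error(s) since $since; latest: $($collectorErrors[0].Message)")
}

# 4. Did anything actually land in ForwardedEvents? This is the log WinCollect
#    reads, so a silent source here is also silent in QRadar. MachineName on a
#    forwarded record is the source host as it identified itself (normally FQDN).
$recent = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'ForwardedEvents'
    StartTime = $since
})
$seenFrom = @{}
foreach ($ev in $recent) { $seenFrom[$ev.MachineName.ToLower()] = $true }
foreach ($src in $knownSources) {
    if (-not $seenFrom.ContainsKey($src.ToLower())) {
        $problems.Add("$src delivered no events to ForwardedEvents since $since")
    }
}
if ($recent.Count -eq 0) { $problems.Add("ForwardedEvents received nothing at all since $since") }

# 5. Report. The exit code lets a scheduled task or monitoring agent alarm on it.
if ($problems.Count -eq 0) {
    Write-Output "OK: $SubscriptionName healthy; $($recent.Count) forwarded event(s) since $since"
    exit 0
}
$problems | ForEach-Object { Write-Output "PROBLEM: $_" }
exit 1
```

A source that shows RunTimeStatus Active but no events in the window is the case the page describes: the subscription looks healthy while nothing arrives, which usually points at the source host (Subscription Manager policy not applied, Event Log Readers membership missing, or WinRM unable to reach the collector) rather than at WinCollect. Check the Microsoft-Windows-Forwarding/Operational log on that source host next.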