Windows event subscriptions for WinCollect agents
To provide events to a single WinCollect agent, you can use Windows event subscriptions to forward events. When event subscriptions are configured, numerous Windows hosts can forward their events to IBM® Security QRadar® without needing administrator credentials.
Forwarded events
The configuration of the event subscription on the remote host that sends the events defines the events that are collected. Regardless of what event log check boxes are selected for the log source, WinCollect forwards all events that are sent by the subscription configuration.
Forwarded events are displayed as Windows Auth @ <hostname> or <FQDN> in the Log Activity tab. Conversely, locally or remotely collected events appear as Windows Auth @ <IP address> or <hostname>. When WinCollect processes an event, it includes an extra syslog header that identifies the event as a WinCollect event. Because the forwarded event is a pass-through or listener, forwarded events don't include the WinCollect identifier and appear as standard events.
Supported software environments
- Windows 10 (most recent)
- Windows Server 2016 (including Core)
- Windows Server 2019 (including Core)
- Windows Server 2022 (including Core)
For more information about event subscriptions, see your Microsoft documentation or the Microsoft technical website (http://technet.microsoft.com/en-us/library/cc749183.aspx).
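The following PowerShell is an added example, not IBM's or Microsoft's own code, of how a source-initiated subscription is set up on the Windows host that runs the WinCollect agent so that other hosts push events to it. The collector name wincollect01.example.com, the subscription name QRadar-Security, and the event filter in the Query element are assumptions. It also illustrates the point above: the Query element in the subscription, not the log-source check boxes in QRadar, decides which events are forwarded.

```powershell
# Added example (not from the IBM page): create a source-initiated event
# subscription on the host that runs the WinCollect agent. Source hosts
# push events to it, so QRadar needs no administrator credentials on them.
# Assumed (hypothetical) names: collector wincollect01.example.com,
# subscription QRadar-Security, domain-joined computers as the sources.

$SubscriptionId = 'QRadar-Security'
$XmlPath = Join-Path $env:TEMP "$SubscriptionId.xml"

# The <Query> element decides which events reach the collector and therefore
# WinCollect; QRadar log-source check boxes do not filter forwarded events.
# Constructed filter: all Security events plus Critical/Error/Warning System events.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security and System events forwarded to the WinCollect host</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>1</MaxItems>
      <MaxLatencyTime>1000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="60000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Security">*</Select>
        <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path $XmlPath -Value $subscriptionXml -Encoding UTF8

# Configure and start the Windows Event Collector service (Wecsvc) quietly,
# then register the subscription with the built-in collector CLI.
wecutil qc /q
wecutil cs $XmlPath

# Show the stored configuration and the runtime state of the new subscription.
wecutil gs $SubscriptionId
wecutil gr $SubscriptionId

# On each source host (run there, or deliver via Group Policy): enable WinRM,
# let NETWORK SERVICE read the Security log, and point the host at the
# collector's SubscriptionManager endpoint. The collector name is assumed.
function Enable-SourceForwarding {
    param([string]$Collector = 'wincollect01.example.com')
    winrm quickconfig -q
    Add-LocalGroupMember -Group 'Event Log Readers' `
        -Member 'NT AUTHORITY\NETWORK SERVICE' -ErrorAction SilentlyContinue
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name '1' -PropertyType String -Force `
        -Value "Server=http://${Collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60" | Out-Null
}
```

The collector-side part runs once on the WinCollect host; Enable-SourceForwarding is the per-source configuration and in practice is applied through Group Policy rather than by hand. Events arrive in the ForwardedEvents log, which is the log the WinCollect log source for forwarded events reads.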
Troubleshooting event collection
Microsoft event subscriptions don't have an alert mechanism to indicate when an event source stopped sending events. If a subscription fails between the two Windows systems, the subscription appears active, but the service that is responsible for the subscription can be in an error state. With WinCollect, the remotely polled or local log sources can time out when events are not received within 720 minutes (12 hours).
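Because a failed subscription still reports as active and Windows raises no alert, the gap has to be closed by polling. The PowerShell below is an added example, not part of the IBM documentation, to be run on the collector host: it reads each subscription's runtime status from wecutil, checks the per-source heartbeat age, and checks how old the newest event in ForwardedEvents is against the 720-minute window stated above. The subscription names come from wecutil es; the 15-minute heartbeat threshold is a constructed default.

```powershell
# Added example (not from the IBM page): detect silently failed event
# subscriptions on the collector host before WinCollect's 720-minute
# timeout is reached. Thresholds are parameters; the heartbeat default
# of 15 minutes is a constructed value, 720 is the window from the page.

function Test-ForwardingHealth {
    param(
        [int]$MaxAgeMinutes = 720,
        [int]$HeartbeatMinutes = 15,
        [string]$LogName = 'ForwardedEvents'
    )
    $problems = @()

    # The collector service itself must be running.
    if ((Get-Service -Name Wecsvc).Status -ne 'Running') {
        $problems += 'Wecsvc (Windows Event Collector) is not running'
    }

    # "wecutil es" lists subscription names; "wecutil gr" prints the
    # subscription-level status followed by an EventSources: block with one
    # entry per source host and its RunTimeStatus / LastError / LastHeartbeatTime.
    foreach ($raw in (wecutil es)) {
        $sub = "$raw".Trim()
        if (-not $sub) { continue }
        $inSources = $false
        $current = $sub
        foreach ($line in (wecutil gr $sub)) {
            $t = "$line".Trim()
            if ($t -eq 'EventSources:') { $inSources = $true; continue }
            # Inside the sources block, a line without a colon is a source host name.
            if ($inSources -and $t -notmatch ':') { $current = $t; continue }
            if ($t -match '^RunTimeStatus:\s*(.+)$' -and $Matches[1] -ne 'Active') {
                $problems += "$sub / $current : RunTimeStatus $($Matches[1])"
            }
            if ($t -match '^LastError:\s*(\d+)$' -and [int]$Matches[1] -ne 0) {
                $problems += "$sub / $current : LastError $($Matches[1])"
            }
            if ($t -match '^LastHeartbeatTime:\s*(.+)$') {
                $hb = $Matches[1] -as [datetime]
                if ($hb -and ((Get-Date) - $hb).TotalMinutes -gt $HeartbeatMinutes) {
                    $problems += "$sub / $current : last heartbeat $hb is stale"
                }
            }
        }
    }

    # Age of the newest forwarded event; Get-WinEvent returns newest first.
    $newest = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $newest) {
        $problems += "No events present in $LogName"
    } else {
        $age = (Get-Date) - $newest.TimeCreated
        if ($age.TotalMinutes -gt $MaxAgeMinutes) {
            $problems += ('Newest event in {0} is {1:N0} minutes old (threshold {2})' -f
                $LogName, $age.TotalMinutes, $MaxAgeMinutes)
        }
    }
    return $problems
}

$issues = Test-ForwardingHealth
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
} else {
    Write-Output 'Event forwarding healthy'
}
```

Scheduling this as a task on the collector host and feeding its warnings into the monitoring system turns a silent subscription failure into an alert well inside the 720-minute window in which the WinCollect log source would otherwise time out. The per-source heartbeat check is the one that catches a single host that stopped sending while the others keep the ForwardedEvents log busy.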