Question & Answer
Question
Answer
Administrators who want to install WinCollect in stand-alone / unmanaged mode should use the latest WinCollect installer, which includes new options for stand-alone mode. For more information, see the WinCollect 7.2.8 patch 2 Release Notes.
'Stand-alone' or 'unmanaged' mode is a term used to describe WinCollect installations where the management connection between the WinCollect agents and the QRadar appliance is intentionally never established. This means that administrators do not need to open TCP/8413 bi-directionally between the agent and the QRadar appliance, and no authorized service tokens are required, because WinCollect acts as a stand-alone Syslog forwarder for Windows events. The most common installation scenario for stand-alone mode is where automation is used to deploy large numbers of WinCollect agents in a 1-to-1 installation ratio. By 1-to-1, we mean that for every Windows host there is an agent installed locally, collecting events and forwarding Syslog events over TCP or UDP port 514. Unmanaged WinCollect agents can also be used to remotely poll Windows systems for their events, and can receive Forwarded Events from Microsoft Subscriptions and forward that information on to QRadar.
Process overview
This section is a general overview of the steps required to install WinCollect 7.2.x (latest) in unmanaged mode. Each check box below has a corresponding section with detailed instructions to assist the administrator.
- Step 1: Software Downloads
- Step 2: Port Requirements
- Step 3: Installing the WinCollect Agent EXE on the Windows Host (Command-line instructions)
- Step 4: Installing the WinCollect Stand-alone Patch Installer on the Windows host
- Step 5: Configuring a Local System Log Source
- Step 6: Verifying that Windows Events are Received
Step 1: Software Downloads
To parse Windows events in unmanaged mode, the following software can be downloaded. This link will download all required files:
- For QRadar 7.3.x, use this link to download all required software.
- For QRadar 7.2.x, use this link to download all required software.
- Windows Event Log DSM. (No download required).
This RPM is delivered and installed from QRadar Weekly Auto Updates and should be installed by default on the QRadar Console. If your Console does not have access to the Internet to receive weekly auto updates, administrators can download and manually install the weekly auto update bundle to get the latest parsing and event categorizations for QRadar.
Step 2: Port Requirements
Before any software is installed, the following ports must be opened and the QRadar deployment must be upgraded to meet the minimum software requirements. The connections listed below are all initiated by the WinCollect agent. If an administrator is going to remotely poll for Windows events using an unmanaged WinCollect agent, then certain Microsoft ports must also be opened between the Windows host running WinCollect and the Windows system the administrator is polling for events.
The only required port for Local System log sources is the Syslog port. This port must be open outbound between the Windows server hosting the WinCollect agent and forwarding events and the QRadar appliance receiving the events.
Port requirements (Local System log source 1-to-1)
Stand-alone or unmanaged WinCollect agent installations do not require the management port TCP/8413 to be opened. However, administrators still need to configure a Syslog destination to send events. Destinations can be configured to send to QRadar using Syslog or TLS Syslog.
- Syslog: TCP/514 or UDP/514
- TLS Syslog: TCP/6514
Port requirements for remote polling (polling other Windows hosts for their events)
- 135 TCP Microsoft Endpoint Mapper
- 137 UDP NetBIOS name service
- 138 UDP NetBIOS datagram service
- 139 TCP NetBIOS session service
- 445 TCP Microsoft Directory Services for file transfers that use Windows share
- 49152-65535 Default dynamic port range
The MSEVEN protocol uses port 445. The NETBIOS ports (137 - 139) can be used for host name resolution. When the WinCollect agent polls a remote event log by using MSEVEN6, the initial communication with the remote machine occurs on port 135 (dynamic port mapper), which assigns the connection to a dynamic port. The default port range for dynamic ports is between port 49152 and port 65535. To allow traffic on these dynamic ports, enable and allow the two following inbound rules on the Windows server that is being polled:
- Remote Event Log Management (RPC)
- Remote Event Log Management (RPC-EPMAP)
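As an added example (not from this IBM technote), the following PowerShell script checks the port requirements above from the Windows host before anything is installed. The QRadar address, Syslog port and polled host names are parameters you supply. UDP/514 and the NetBIOS UDP ports (137, 138) cannot be probed with Test-NetConnection, so only the TCP paths are tested; the firewall-rule query is meant to be run on the host being polled, not on the WinCollect host.

```powershell
# Added example, not part of the IBM technote. Pre-flight checks for the ports
# listed in Step 2. $QRadarHost and $PolledHosts are placeholders you supply.

function Test-SyslogPath {
    # Confirms the outbound Syslog path (TCP/514, or TCP/6514 for TLS Syslog).
    param([string]$QRadarHost, [int]$Port = 514)
    $r = Test-NetConnection -ComputerName $QRadarHost -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $QRadarHost; Port = $Port; Open = $r.TcpTestSucceeded }
}

function Test-RemotePollingPorts {
    # TCP ports a WinCollect agent needs toward each host it polls (135, 139, 445).
    # The dynamic range 49152-65535 is assigned per session and cannot be pre-checked here.
    param([string[]]$PolledHosts)
    foreach ($h in $PolledHosts) {
        foreach ($p in 135, 139, 445) {
            $r = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{ Target = $h; Port = $p; Open = $r.TcpTestSucceeded }
        }
    }
}

function Get-RemoteEventLogRules {
    # Run this on the polled host: the two inbound rules the page says must be enabled.
    Get-NetFirewallRule -DisplayName "Remote Event Log Management (RPC)",
                                     "Remote Event Log Management (RPC-EPMAP)" |
        Select-Object DisplayName, Enabled, Direction, Profile
}

# Usage (replace the placeholder addresses with your own):
Test-SyslogPath -QRadarHost "10.10.10.8" -Port 514 | Format-Table
Test-RemotePollingPorts -PolledHosts @("fileserver01.example.com") | Format-Table
# On each polled host:
# Get-RemoteEventLogRules
```

A row with Open = False for the Syslog path means the agent will install but never deliver events, which is the most common cause of the "no log source discovered" symptom described in Step 6.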
Step 3: Installing the WinCollect Agent EXE on the Windows host
The next step in the process is to install the WinCollect Agent (EXE) on the Windows host using the command line installer. The procedure below covers the basic installation process. However, to complete a stand-alone install that includes XPath, event filtering, or other special configuration parameters, see the WinCollect expert blogs: http://ibm.biz/wincollect101.
- Copy the WinCollect Agent (32-bit or 64-bit) EXE to the Windows host.
- If the Services window is open on the Windows host, close it to prevent failure of the WinCollect agent installation.
- Click Start > All Programs > Accessories.
- Right-click on the Command prompt, and select Run as administrator
- Customize the following installation command to install the WinCollect agent in unmanaged mode. The following example outlines the minimum installation parameters:
AGENT_xxxx_WinCollect-7.2.x-<WinCollect_Version>-setup.exe /s /v" /qn HOSTNAME=%COMPUTERNAME% STATUSSERVER=<QRadar_IP_Address>"
NOTE: For advanced installation options and log source parameters, see the WinCollect expert blogs: http://ibm.biz/wincollect101
- STATUSSERVER - This value should contain the IP address of a QRadar Event Collector, Event Processor, or Console appliance. When a WinCollect agent experiences issues or needs to alert an administrator to an error condition, the agent generates status events over Syslog in LEEF format. The STATUSSERVER field defines where the agent needs to send the error condition Syslog messages.
- HOSTNAME - This value identifies which agent is forwarding events. In most cases, administrators should use either the IP address or the host name of the Windows system. This parameter supports Windows variables, such as %COMPUTERNAME%. The @ symbol is not supported; if your computer name contains an @ symbol, use an IP address or host name instead.
- INSTALLDIR - Optional parameter. If left blank, the agent is installed to the C:\Program Files\IBM\WinCollect\ or C:\Program Files (x86)\IBM\WinCollect\ directory. If the administrator wants to populate this field, the path should be enclosed in quotes, for example: INSTALLDIR="C:\IBM\WinCollect".
- The WinCollect Agent EXE is installed on the Windows host and the WinCollect service is started. The next step is to install the WinCollect Configuration Console on the Windows host.
Step 4: Installing the WinCollect Stand-alone Patch Installer on a Windows host
The next step in the process is to install the WinCollect Configuration Console on the Windows host using the command line installer. This procedure covers the basic installation for stand-alone WinCollect.
Before you begin
Ensure that the following applications are installed on the Microsoft Windows system:
- Microsoft .NET Framework 3.5
- Microsoft Management Console 3.0
- WinCollect Agent 7.2.x (32-bit or 64-bit)
Installations supported
You can install a WinCollect Configuration Console on the following 32-bit and 64-bit Windows operating systems:
- Windows Server 2019 (most recent, including core)
- Windows Server 2016 (most recent, including core)
- Windows Server 2012 (most recent, including core)
- Windows Server 2008 (most recent, including core)
- Windows 10
- Windows 8
- Windows 7
Procedure
- Copy the WinCollect Stand-alone Patch Installer to the Windows host.
- To install the WinCollect Stand-alone Patch Installer, double-click on
WinCollect_standalone_patch_installer-<WinCollect_Version>.exe or use the silent install option: WinCollect_standalone_patch_Installer-<WinCollect_Version>.exe /s /v" /qn"
Note: This command only installs the software, it cannot be used at this time to configure a log source automatically. Steps 3-8 can be ignored if you used the silent install option.
- If you are not on the latest WinCollect version, click Yes to confirm the upgrade text.
Note: Administrators only see this prompt when they are not on WinCollect agent version 7.2.2-2. To halt the installation and prevent your WinCollect agents from being updated to WinCollect agent version 7.2.2-2, click No.
- Click I accept the terms in the license agreement to continue the installation.
- Type a User Name and Organization for the installer and click Next.
- Select the features to install and click Next.
By default, both the WinCollect Patch to upgrade the agent software and the WinCollect Configuration Console are selected to be installed:
- Click Install to continue.
- Click Finish to complete the installation.
Results
The software is installed based on the selected options. If the administrators installed the WinCollect Configuration Console, then they can launch the software from the Start Menu > All Programs > IBM > WinCollect Configuration Console. The administrator can use the WinCollect Configuration Console to edit or configure new log sources for the unmanaged WinCollect agent.
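The command-line installs in Step 3 and Step 4 are the part of this procedure that is normally automated when agents are deployed 1-to-1 at scale. The following PowerShell script is an added example, not IBM's own tooling: it runs the agent installer silently with the minimum unmanaged-mode parameters from Step 3, optionally runs the stand-alone patch installer silently as in Step 4, and then confirms the agent service is running. The installer file names, the QRadar address, the backslash-escaping of quotes inside /v"..." and the service name WinCollect are assumptions you should check against your own environment.

```powershell
# Added example, not from the IBM technote. Silent stand-alone install of the
# WinCollect agent (Step 3) followed by the stand-alone patch installer (Step 4).
param(
    [Parameter(Mandatory)] [string]$AgentInstaller,    # e.g. AGENT_xxxx_WinCollect-7.2.x-<WinCollect_Version>-setup.exe
    [Parameter(Mandatory)] [string]$StatusServer,      # QRadar EC/EP/Console IP that receives the agent's LEEF status events
    [string]$PatchInstaller = "",                      # optional: WinCollect_standalone_patch_installer-<WinCollect_Version>.exe
    [string]$AgentHostname  = $env:COMPUTERNAME,       # identity the agent reports; must not contain '@'
    [string]$InstallDir     = ""                       # optional; leave empty for the default Program Files location
)

# The page warns that an open Services console makes the agent install fail, so close it.
Get-Process -Name mmc -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowTitle -like "*Services*" } |
    Stop-Process -Force

if ($AgentHostname -match '@') {
    throw "HOSTNAME may not contain '@'; pass -AgentHostname with the host's IP address or host name."
}

function Invoke-SilentInstall {
    # Runs an InstallShield EXE with /s and passes the MSI properties through /v"...".
    param([string]$Path, [string]$MsiProperties)
    $p = Start-Process -FilePath $Path -ArgumentList "/s /v`"$MsiProperties`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "$Path exited with code $($p.ExitCode)" }
}

# Minimum unmanaged-mode properties from Step 3.
$props = "/qn HOSTNAME=$AgentHostname STATUSSERVER=$StatusServer"
if ($InstallDir) {
    # Quotes inside /v"..." are backslash-escaped (InstallShield convention, assumed here).
    $props += " INSTALLDIR=\`"$InstallDir\`""
}
Invoke-SilentInstall -Path $AgentInstaller -MsiProperties $props

# The Step 4 silent option installs software only; log sources are still configured in Step 5.
if ($PatchInstaller) { Invoke-SilentInstall -Path $PatchInstaller -MsiProperties "/qn" }

# Confirm the agent service (name 'WinCollect' is an assumption) exists and is running.
$svc = Get-Service -Name WinCollect -ErrorAction Stop
if ($svc.Status -ne 'Running') { Start-Service -Name WinCollect; $svc.Refresh() }
"WinCollect service status: $($svc.Status)"
```

Run it from an elevated PowerShell prompt, for example `.\Install-WinCollectStandalone.ps1 -AgentInstaller .\AGENT_xxxx_WinCollect-7.2.x-<WinCollect_Version>-setup.exe -StatusServer 10.10.10.8`. A non-zero installer exit code stops the script before the patch installer runs, so a failed agent install is never masked by a successful patch install.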
Step 5: Configuring a Local System Log Source in the User Interface
To create a local system log source, the user must first create a destination for the Syslog events, then create a log source by adding a device. If the user created a log source during the installation, this
Procedure
- To launch the application, select Start > All Programs > IBM > WinCollect Console > WinCollect Configuration Console.
- Expand Destinations.
- Right-click on Syslog TCP or Syslog UDP and select Add New Destination.
- Type a New Destination Name and click OK. The destination name should include a description and it is helpful to have the destination IP address in the name. For example, "UDPdest_10.10.10.8" or "TCP_QRadarEP2_192.10.1.2".
- Select the new destination and configure the properties.
- In the Hostname field, type the IP address of a QRadar Event Processor or the QRadar Console. You are now ready to configure the log source.
- Expand Devices.
- Right-click on Microsoft Windows Event Log and select Add New Device.
- Type a name for the log source and click OK.
- In the Device Address field, type the IP address or hostname of the Windows system where the WinCollect agent is installed.
An IP address is recommended in most cases. If IP addresses are not static in your environment, define a host name in FQDN format instead, such as host1.test.example.com. For example, my Windows system's IP address is 10.10.1.102. To collect the local events for my Windows system, the configuration requires the IP address of the Windows host where the WinCollect agent is installed. A screen capture of this is provided below:
Figure 1: An example of local event collection. In this example, the Device Address field must be configured to the IP address or host name of the system you want to collect events from.
- Click the Local System check box. This action makes the Username and Password fields uneditable by design.
- From the Application or Service Log Type list, select None. This field is used to parse Hyper-V events, which Microsoft writes to the application log.
- Configure the log types to be collected.
Note: By default, only the Security log is selected. Most administrators will want to enable System and Application for endpoints. For servers, DNS Server, File Replication, and Directory Service logs can also be collected.
- Leave the Forwarded Events check box blank. This field is only used when Microsoft Event Subscriptions are enabled by the Windows administrator.
- Configure the event severity to be collected.
- Configure any Exclusion filters that you require to prevent certain events from being sent to QRadar. For more information on this parameter, see http://www.ibm.com/support/docview.wss?uid=swg21672656.
- Leave the XPath Query field blank. This value is only used when the log type check boxes are blank. If an XPath Query is used, the query overrides the check boxes selected for the event log types.
- Select the Enable Active Directory Lookup check box. For more information on this check box, see http://www.ibm.com/support/docview.wss?uid=ibm10880575.
- In the Destinations list, click Add and select an existing destination. Note: Multiple destinations can be added to a single log source.
- From the Actions menu, click Deploy Changes.
Results
After the WinCollect Configuration Console deploy completes, the WinCollect agent will start forwarding Syslog events to the QRadar appliance.
Step 6: Verify Windows Events are Received
After WinCollect starts to forward Syslog events, the events will initially be identified with an Event Name of "Unknown Event Log" and sorted by the log source of "SIM Generic Log DSM". It typically takes ~30 events for QRadar to discover the Windows events and create a log source. After the log source is identified and created, the logs will show up as "Microsoft Windows Security Event Logs".
To locate unparsed events:
- Click the Log Activity tab.
- Click Add Filter.
- Select Event is Unparsed equals true.
- Click Add Filter.
- Select Log Source [Indexed] equals Other and select SIM Generic Log.
Figure 2: These are unparsed Windows events before traffic analysis has identified the log source type. Unknown events are expected until QRadar traffic analysis has identified the event source.
IMPORTANT: If the QRadar system fails to identify the Windows events, administrators must ensure that they have the latest version of the Microsoft Windows Security Event Log DSM. This DSM is provided through QRadar automatic updates. If an administrator does not have automatic updates enabled, then the Microsoft Windows Security Event Log DSM can be downloaded from IBM Fix Central and installed on the Console. The Console then replicates the parsing update to all managed hosts in the QRadar deployment.
To locate Windows events:
After traffic analysis has identified the log source as Windows, administrators should see the events identified as WindowsAuthServer @ IP or hostname.
- Click the Log Activity tab.
- Click Add Filter.
- Select Log Source [Indexed] equals Other and select Microsoft Windows Security Event Log.
Figure 3: An example of a filter to display Windows events.
The filter should return WindowsAuthServer events.
Figure 4: The image shows the results of the filter. These are Windows events that are properly parsed after traffic analysis has identified the log source type.
Document Information
Modified date: 13 April 2020
UID: swg21698381