IBM Support

QRadar: XPath issues and support policies

Question & Answer


This article informs administrators about QRadar® Support policies related to WinCollect XPath queries. XPath queries are a feature in WinCollect, which allows administrators to collect data with XML queries from the Microsoft Event Viewer or filter data retrieved by WinCollect. This document outlines out-of-scope work for XPath query cases and the responsibilities of the QRadar administrator. 


Responsibilities for XPath query issues

Support type Description Responsibility
XPath query configuration and error support
QRadar® Support can assist with error messages or confirm product functionality where a WinCollect agent collects data with an XPath query. For example, QRadar Support can:
  • Review WinCollect logs for errors or explain errors to users. 
  • Confirm data can be retrieved using standard XPath queries on supported Microsoft operating systems. For information on supported operating systems, see the WinCollect Guide.
  • Verify filtering behaves as expected when administrators suppress events using an exclusion filter in the log source configuration.
  • Verify whether there are known issues (APARs) related to XPath queries in the WinCollect version used by the administrator. QRadar Support troubleshoots issues for the two latest versions of WinCollect posted to IBM Fix Central (latest release and latest-1).
QRadar technical support

To open a case or report an XPath query error, contact QRadar technical support.
Out-of-scope for QRadar Support The following activities are considered out-of-scope for technical support. QRadar Support reserves the right to close cases related to the following issues:
  1. XPath query issues where administrators are using older versions of WinCollect. QRadar Support takes cases for the two latest versions of WinCollect (Latest release and latest-1). Support might advise users to upgrade their WinCollect agent and reopen their case to receive support assistance. 
  2. Create or tune XPath queries for administrators.
  3. Provide advice on event filtering as it relates to security posture or security coverage for an organization.
  4. Permission tuning. If a GPO prevents the WinCollect agent from collecting events, support can confirm events are collected with domain admin credentials or enable debug to verify a permissions issue. All other GPO or collection issues are the responsibility of the QRadar administrator or the Windows administrators in your organization. 
  5. Assist with parsing or mapping events from XPath queries where third-party applications or devices create logs in the Event Viewer. The WinCollect Guide provides configuration information for supported event types. Administrators can use the DSM Editor to map or parse events as not all Event Viewer paths are supported by the Microsoft Security Event Log DSM.
For more information, see:

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
11 April 2022