
QRadar - How to set up WinCollect to send events over TLS (example)

How To


Summary

How to create a TLS connection between WinCollect and QRadar®.

Steps

Important: TLS Syslog is only supported in QRadar 7.3.1 and later for Managed WinCollect agents. Source: https://www.ibm.com/docs/en/qsip/7.5?topic=console-sending-encrypted-events-qradar. This article gives an example of how it might work.
MANAGED AGENT
  1. Create a Destination in Admin > WinCollect > Destinations.
  2. Enter a name without spaces or special characters.
  3. Enter either an FQDN, a hostname, or the IP address of your QRadar host where you intend to ingest the events from WinCollect.
  4. Enter a port number - 6514 is the default TLS Syslog port.
  5. Copy and paste the TLS certificate that is used for encrypting the events into the "Certificate" field. The certificate must be in Base64 PEM format. (If your certificate is self-signed or signed by a corporate internal CA, you also need to add the Root CA and Intermediate CA certificates to /etc/pki/ca-trust/source/anchors/ and run "update-ca-trust".)
    Example: For testing purposes, you can use the default cert /opt/qradar/conf/trusted_certificates/syslog-tls.cert on the QRadar host where you ingest the events.
  6. Save the destination.
    Image 1: WinCollect Destination configuration
The Destination is effectively your Target Event Collector, that is, the destination for the events. The TLS certificate is also sent automatically to the Windows host where the WinCollect agent is installed; it resides in the config folder.
Image 2: Config folder contents
The Gateway Log Source
  1. Use a "TLS Gateway" log source to ingest the encrypted events from the WinCollect agent. If you don't have one, create one with log source type Universal DSM and protocol TLS Syslog. The only purpose of this log source is to open a port for the traffic (default: 6514). No events are associated with this log source, so you will not see it mentioned in Log Activity.
  2. Set the Target Event Collector to the QRadar host where you intend to ingest the events.
  3. For testing purposes, select "Generate Certificate" as the Server Certificate Type, because that makes the log source present the same "syslog-tls.cert" as the cert you pasted into the WinCollect Destination that you created earlier.
    For production use, select PEM Certificate and Private Key, or PKCS12 Certificate Chain and Password, depending on the type of certificate you have. Enter the absolute paths to the cert and private key, or to the P12 truststore together with the export password for the P12 truststore.

    Image 3: Gateway log source
    Example scenarios - "I have a..."

    Self-signed cert:
      - Log source uses: syslog-tls.cert
        WinCollect Destination uses: syslog-tls.cert
        This is the "Generate certificate" option.
      - Log source uses: my_selfsigned.cert
        WinCollect Destination uses: my_selfsigned.cert

    Signed, custom cert:
      - Log source uses: internally_signed.cert
        WC Destination uses: internally_signed.cert OR intermediate.cert
        Note: this assumes that the Root CA cert to the Intermediate CA is already imported to the Windows host.
      - Log source uses: externally_signed.cert
        WC Destination uses: Root CA cert
  4. For a "gateway" type log source, the Log Source Identifier field does not matter. Any arbitrary string suffices, for example "tlsgateway_ec_6514". 
  5. Also make sure that you enable Use As A Gateway Log Source. This enables Traffic Analysis, so that Windows Security Events are auto-discovered into separate log sources.
  6. Save and deploy the log source before you try to run the Test, as the port is not open until you do.
  7. The test result warns you about self-signed or internal CA signed certificates, but the SSL handshake is usually successful.
If there is a problem with the certificate or with the Private key, the port will not open.
If you have the correct cert and private key configured but the test keeps failing, you might be affected by APAR IJ25789: TLS SYSLOG LOG SOURCE CAN FAIL TO WORK AFTER USING INCORRECT PRIVATE KEY AT SETUP EVEN AFTER IT HAS BEEN CORRECTED. There is an easy workaround: rename the cert file, adjust the path and file name in the log source configuration, save, and try again.
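A quick way to confirm that the listener opened by the gateway log source really presents the certificate you pasted into the WinCollect Destination (with "Generate Certificate", both sides should use syslog-tls.cert) is to compare SHA-256 fingerprints. The script below is an added example, not part of this technote or of any IBM tooling; it also rejects a pasted certificate that is not Base64 PEM, and the host name, port and file path it is run with are assumptions.

```python
import base64
import binascii
import hashlib
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string.
    Raises ValueError when the text is not Base64 PEM, the format the
    WinCollect Destination "Certificate" field requires."""
    text = pem_text.strip()
    start = text.find(PEM_HEADER)
    end = text.find(PEM_FOOTER, start)
    if start < 0 or end < 0:
        raise ValueError("BEGIN/END CERTIFICATE markers missing")
    body = "".join(text[start + len(PEM_HEADER):end].split())
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not Base64: {exc}") from exc

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def listener_fingerprint(host: str, port: int = 6514, timeout: float = 5.0) -> str:
    """Fingerprint of the leaf certificate the TLS Syslog listener presents.
    Verification is off on purpose: we only want to see what it serves."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))

def destination_matches_listener(pem_text: str, host: str, port: int = 6514) -> bool:
    """True when the cert pasted into the WinCollect Destination is the one
    the gateway log source presents (expected with "Generate Certificate")."""
    return fingerprint(pem_to_der(pem_text)) == listener_fingerprint(host, port)

if __name__ == "__main__":
    import sys  # usage: check_tls_gateway.py <cert.pem> <qradar-host> [port]
    pem, host = open(sys.argv[1]).read(), sys.argv[2]  # paths/host are assumptions
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 6514
    print("MATCH" if destination_matches_listener(pem, host, port) else "MISMATCH")
```

A connection refused error means the port is not open yet (the log source is not deployed, or the cert/key pair was rejected); a MISMATCH means the Destination holds a different certificate than the listener serves.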
 
If you have made changes to the log source configuration, but the changes don't seem to take effect, you can try:
  • Toggle the log source
  • Restart ecs-ec-ingress from the Command-Line Interface (CLI) on the QRadar host where you want to ingest the events:
    systemctl restart ecs-ec-ingress
  • Or restart Event Collection Services from Admin > Advanced in the QRadar graphical user interface (GUI).
The Microsoft® Windows® Security Event log sources
Whether you created these by using the Windows command-line installation process or in the QRadar GUI, you can modify the log sources at any time.
  1. The "Windows log sources" are of log source type Microsoft Windows Security Event Log and use WinCollect as the protocol.
  2. In the log source configuration, set Target Destination to the WinCollect Destination that you created earlier, where you pasted in the TLS certificate.
    If you can't find it in the list of Target External Destinations, check the Target Internal Destinations. In general, if the host is found in the /etc/hosts file, it is considered "Internal".
    Image 4: Log source destinations
  3. When the WinCollect agent updates its log source configuration, you can see that there is a second certificate in the config folder named "TLS_Cert_<ipAddress>.PEM". You can also check the WinCollect log for read and send activity to make sure the agent is working.
    Example log output with Code category in Debug:
    04-06 16:54:14.428 DEBUG Code.StoreAndForwardIncoming._My_TLS_destination : Processing accepted for new message block (1 records)
    For more information about WinCollect debug, see technote: QRadar®: How to enable Debug logging for WinCollect

STAND-ALONE AGENT
  1. Create a Destination in WinCollect Configuration Console > Destinations > Syslog TCP.
  2. Enter either an FQDN, a hostname, or the IP address of your QRadar host where you intend to ingest the events from WinCollect.
  3. Enter a port number - 6514 is the default TLS Syslog port.
  4. Copy and paste the TLS certificate that is used for encrypting the events into the "Certificate" field. The certificate must be in Base64 PEM format.
Image 5: Destination in WinCollect 7.3x, stand-alone
Image 6: WinCollect 10 Destination (stand-alone)
Note: If your certificate is signed by a public CA or by a corporate internal CA, you might need to import the Root CA and Intermediate CA certificates on the Windows hosts as well. Discuss this with your Windows system administrator and your PKI administrator if you are unsure.

This is the destination for the events. The WinCollect agent updates the AgentConfig.xml file and saves the TLS certificate on the Windows host where the agent is installed. The certificates reside in the config folder.
Image 7: Config folder contents
The Gateway Log Source
See section under "Managed agent". This log source configuration is the same.
The Microsoft Windows Security Event log sources
Whether you created the log sources in the Windows command-line installation process or in the WinCollect Configuration Console, you can modify them at any time.

Select your "TLS" destination, which you created earlier, and click Deploy Changes in the pane on the right. (WC-10: Apply Changes from the bell icon, upper right.)
On the QRadar side: The only difference between a stand-alone and a managed WinCollect agent is that the Windows log sources are auto-discovered as the respective log source type, using Syslog as the protocol (instead of the WinCollect protocol).

Additional Information

QRoC and TLS Syslog log sources on the Console:
TLS Syslog certificates used on a QRoC Console are public CA signed certificates for compliance reasons, and are created by IBM DevOps.
If your WinCollect agent is sending traffic to a Data Gateway, then the requirements are dictated by your corporate security policies.


Document Information

Modified date:
26 May 2022

UID

ibm16539510