IBM Support

WinCollect: How to configure a TLS syslog log source with a managed WinCollect agent

How To


Summary

This technical note walks administrators through the process of configuring managed WinCollect 7.x agents to use TLS Syslog.

Environment

QRadar 7.3.1 and later for Managed WinCollect agents

Steps

Important: While users can complete this procedure with either the default self-signed syslog-tls.cert or a custom certificate, using syslog-tls.cert is not recommended for production environments. It is a self-signed wildcard certificate, so it does not give the agent the identity assurance that a certificate issued for your event collector does.

1. Get the event collector certificate

This certificate is used by the TLS WinCollect destination.
  1. SSH into the QRadar console.
  2. Optional. If you are not using the console as the event collector, SSH into the QRadar host that serves as your event collector.
  3. Navigate to the /opt/qradar/conf/trusted_certificates/ directory.
    cd /opt/qradar/conf/trusted_certificates/
  4. Identify the certificate that you intend to use. The default syslog-tls.cert is stored in this directory, but it is a self-signed wildcard certificate and is not recommended. For instructions on how to create a custom certificate, see the following technical note.
    Note: The certificate must be in Base64 PEM format so that it can be copied and pasted later.
    Note: If you use a certificate that is self-signed or signed by a corporate internal CA, you must add the root CA and intermediate CA certificates to /etc/pki/ca-trust/source/anchors/ and run "update-ca-trust".
  5. Copy the certificate output. To print the syslog-tls.cert as text, enter the following command:
    cat /opt/qradar/conf/trusted_certificates/syslog-tls.cert
    Example certificate:
    -----BEGIN CERTIFICATE-----
    MIIDITCCAgmgAwIBAgIJAJE75wCvG18TMA0GCSqGSIb3DQEBDQUAMCcxCjAIBgNV
    BAMMASoxGTAXBgNVBAoMEFN5c2xvZ1RMU19TZXJ2ZXIwHhcNMjIwMTA1MjMwMjIw
    WhcNMzIwMTAzMjMwMjIwWjAnMQowCAYDVQQDDAEqMRkwFwYDVQQKDBBTeXNsb2dU
    <...>
    Ae7EMb4dvyPZxIsH8dyTtyyNErUaSmN9XRAHnlyoGy8EuFaPl1Owi6X1W+DvsB6j
    wcfrCSwsLzRq1IG6NNoPEeL0WU66t+VxtVliJlaaUbNVEtGeHL/WE36DSNsNEghc
    Wjv+dhZwymSQgjP+mUpscceLpgbcxhtT4Gj/iw/wbTDsR12345==
    -----END CERTIFICATE-----
    Note: Copy everything from the "-----BEGIN CERTIFICATE-----" line through the "-----END CERTIFICATE-----" line, including both marker lines, and make sure that no line carries trailing spaces.

    Results
    With this certificate, administrators can create their WinCollect TLS Syslog (encrypted) destination.
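The following shell script is an added example and is not part of this technical note. Run it on the event collector before you copy the certificate: it checks that the file contains exactly one BEGIN/END CERTIFICATE pair with no trailing whitespace on any line, which is the paste problem the note warns about, and, when openssl is available on the host, prints the subject, issuer and validity period and warns if the certificate is self-signed or carries a wildcard common name, the two properties that make the default syslog-tls.cert unsuitable for production. The file name check_tls_cert.sh is an assumption; the default certificate path is the one from step 1.

```shell
#!/bin/sh
# check_tls_cert.sh (added example, not part of the IBM technical note)
# Sanity-check a PEM certificate before pasting it into a WinCollect TLS
# destination. Usage: sh check_tls_cert.sh [/path/to/cert.pem]
# The default path is the syslog-tls.cert location from the note.

CERT="${1:-/opt/qradar/conf/trusted_certificates/syslog-tls.cert}"

# pem_framing_ok FILE
# Returns 0 when FILE contains exactly one "-----BEGIN CERTIFICATE-----" /
# "-----END CERTIFICATE-----" pair and no line ends in whitespace (a trailing
# space, or a Windows CR after the marker, is enough to break the paste).
pem_framing_ok() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "$f: expected one BEGIN/END CERTIFICATE pair, found $begins begin / $ends end" >&2
        return 1
    fi
    bad=$(grep -n '[[:space:]]$' "$f" | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "$f: trailing whitespace on line(s): $bad" >&2
        return 1
    fi
    return 0
}

# describe_cert FILE
# Prints subject, issuer and validity and warns when the certificate is
# self-signed (subject equals issuer) or has a wildcard common name, which is
# what the note's default syslog-tls.cert looks like. Skipped without openssl.
describe_cert() {
    f="$1"
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping certificate inspection" >&2
        return 0
    fi
    openssl x509 -in "$f" -noout -subject -issuer -dates || return 1
    subject=$(openssl x509 -in "$f" -noout -subject)
    issuer=$(openssl x509 -in "$f" -noout -issuer)
    # strip the "subject=" / "issuer=" prefixes so the two DNs compare directly
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo "WARNING: self-signed certificate (subject equals issuer)"
    fi
    # openssl prints the DN as "CN = *" (1.1+) or "/CN=*" (1.0); match both
    case "$subject" in
        *"CN=*"*|*"CN = *"*)
            echo "WARNING: wildcard common name; the agent cannot tie this certificate to one collector" ;;
    esac
    return 0
}

if [ -r "$CERT" ]; then
    pem_framing_ok "$CERT" && describe_cert "$CERT"
else
    echo "usage: $0 /path/to/cert.pem (default $CERT is not readable)" >&2
fi
```

A non-zero exit means the file should not be pasted as is: fix the framing or regenerate the certificate first.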

2. Add a TLS WinCollect destination

This destination is used by the WinCollect agent to forward the events to a TLS port.

  1. Log in to the QRadar user interface.
  2. Click the Admin tab.
  3. Click the WinCollect icon.
  4. Select Destinations and click Add.
  5. Configure the following parameters:
    • Name: Type an identifiable name for your destination. It cannot contain spaces or special characters.
    • Host Name: Enter the FQDN, hostname, or IP address of the QRadar host (console or event collector) on which you intend to ingest the events.
    • Port: Enter a port number. The default TLS Syslog port is 6514. Note the value you choose; the TLS syslog log source in step 4 must listen on the same port.
    • Protocol: Select TCP/TLS (Encrypted).
    • Certificate: Paste the certificate that you retrieved in step 1.
  6. Save the WinCollect destination.

    Results
    The TLS certificate is automatically sent to the Windows host where the WinCollect agent is installed. The certificate resides in the config folder, and managed WinCollect agent updates are sent based on the Configuration Polling Interval.

3. Add the WinCollect log source

This log source sends the information to the WinCollect agent about what to monitor and where to send the events.
  1. Log in to the QRadar user interface.
  2. Click the Admin tab. 
  3. Click the Log Sources icon.
  4. Click + New Log Source.
  5. In Select a Log Source type, select the Microsoft Windows Security Event Log log source type.
  6. In the Protocol Type field, select WinCollect.
  7. Configure the following log source parameters:
    • Name - Add a log source name. If the log source is local, the name entered here is assigned as the hostname on the Windows events.
    • Target Internal Destination - Select the TLS destination that you created in step 2.
  8. Click Configure Protocol Parameters.
  9. In the Configure the protocol parameters section, select the WinCollect agent and the Windows event logs that you want it to collect, then click Finish.
Note: The last event information for this log source always stays empty because the events are received by the TLS syslog log source that you create in step 4.

4. Create the TLS log source

This log source opens a listening port on the selected event collector to receive the Windows events over TLS.

  1. Log in to the QRadar user interface.
  2. Click the Admin tab. 
  3. Click the Log Sources icon.
  4. Click + New Log Source.
  5. In Select a Log Source type, select the Universal DSM log source type.
  6. In Select a protocol type, select TLS syslog.
  7. In the Configure the Log Source parameters section, configure the following parameters:
    • Name - Add a log source name.
    • Target Event Collector - Select the QRadar host that you entered as the Host Name of the destination in step 2. This can be the console.
  8. Click Configure Protocol Parameters.
  9. Configure the following protocol parameters:
    • Log Source Identifier - Type the IP address or hostname of a remote Windows host that sends the Windows events.
    • TLS Listen Port - The default port for TLS is 6514. This port must match the port configured in the destination.
    • Server Certificate Type
      • If you used syslog-tls.cert for the TLS WinCollect destination, select Generated Certificate.
      • Otherwise, select PEM Certificate and Private Key or PKCS12 Certificate Chain and Password, depending on the type of certificate you have. Enter the absolute paths to the certificate and private key, or to the P12 truststore and its export password.
    • Use As A Gateway Log Source - Enable this option. The collected events are then sent through the QRadar Traffic Analysis Engine, which automatically detects the appropriate log source.
    • Log Source Identifier Pattern - Enter the following regex:
      $1=\d{2}:\d{2}:\d{2}\s(.*?)\sAgent
  10. Click Test Protocol Parameters.
  11. Click Finish. If you use the test tool before you deploy the change, it fails because the listen port is not open yet.
Notes
  • The last event information for this log source is always empty because the Use As A Gateway Log Source option is enabled.
    With this option the log source receives the events and puts them on the pipeline, where the QRadar Traffic Analysis Engine automatically detects the appropriate log source.
  • Because the Use As A Gateway Log Source option is enabled, the configured port can receive events from multiple WinCollect agents.
  • QRadar automatically creates a third log source to process the events as Windows Security logs.
  • If you have the correct certificate and private key configured but the test keeps failing, you might be affected by APAR IJ25789: TLS SYSLOG LOG SOURCE CAN FAIL TO WORK AFTER USING INCORRECT PRIVATE KEY AT SETUP EVEN AFTER IT HAS BEEN CORRECTED. To work around this, rename the certificate file, update the path and file name in the log source configuration, save, then try again.
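Because the TLS log source is a gateway, the Log Source Identifier Pattern decides which value each incoming event gets as its log source identifier, so it pays to dry-run the pattern against sample events before you deploy. The following shell script is an added example and is not part of this technical note. QRadar evaluates the pattern as a Java-style regex and uses capture group 1 as the identifier; POSIX sed has no \d, \s or non-greedy (.*?), so the script rewrites the pattern as an ERE in which the capture is the run of non-space characters between the HH:MM:SS timestamp and the next field that starts with Agent, which is equivalent for hostnames and IP addresses. The sample lines are constructed to have the shape the pattern expects (a syslog header followed by a field beginning with Agent) and are not captured WinCollect output; the file name lsi_pattern_check.sh is an assumption.

```shell
#!/bin/sh
# lsi_pattern_check.sh (added example, not part of the IBM technical note)
# Dry-run the Log Source Identifier Pattern from step 4 against sample events.
# QRadar pattern (Java-style regex; capture group 1 becomes the identifier):
#     $1=\d{2}:\d{2}:\d{2}\s(.*?)\sAgent
# POSIX ERE used below: \d -> [0-9], \s -> [[:space:]], and the non-greedy
# (.*?) -> [^[:space:]]+ (the same result for hostnames and IP addresses,
# which never contain whitespace).

# extract_lsi LINE
# Prints what $1 would be for LINE; prints nothing and returns 1 when the
# pattern does not match, so an agent whose events would not get the expected
# identifier shows up before you deploy.
extract_lsi() {
    out=$(printf '%s\n' "$1" \
        | sed -En 's/.*[0-9]{2}:[0-9]{2}:[0-9]{2}[[:space:]]+([^[:space:]]+)[[:space:]]+Agent.*/\1/p')
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Constructed sample lines (not captured WinCollect output): a BSD syslog
# header, then a payload whose first field starts with "Agent". The third line
# is a non-WinCollect event arriving on the same gateway port.
SAMPLE_HOST='<13>Mar 01 18:11:33 WIN-DC01 AgentDevice=WindowsLog AgentLogFile=Security Source=Microsoft-Windows-Security-Auditing EventID=4624'
SAMPLE_IP='<13>Mar 01 18:11:34 10.0.0.25 AgentDevice=WindowsLog AgentLogFile=System EventID=7036'
SAMPLE_OTHER='<13>Mar 01 18:11:35 linux-box CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)'

# dry_run: show the identifier each sample would be assigned.
dry_run() {
    for line in "$SAMPLE_HOST" "$SAMPLE_IP" "$SAMPLE_OTHER"; do
        if id=$(extract_lsi "$line"); then
            printf 'identifier=%s  <- %s\n' "$id" "$line"
        else
            printf 'NO MATCH       <- %s\n' "$line"
        fi
    done
}

dry_run
```

Feed your own lines to extract_lsi (for example from a packet capture or the agent's log) to confirm every agent that will share the port yields the hostname or IP you expect.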

5. Deploy the changes

  1. Log in to the QRadar user interface.
  2. Click the Admin tab.
  3. Click Deploy Changes.

    Results
    The log source configuration is deployed to QRadar managed hosts. The WinCollect agent sends the events by using the TLS syslog protocol (encrypted). You can verify that events are received by viewing the Log Activity tab or looking for the last event received time in the Log Source Management app.
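As an added check that is not part of this technical note, the following shell script confirms from outside QRadar, from any Linux host with openssl (the console itself works), that the event collector is answering on the TLS syslog port and is presenting the same certificate you pasted into the WinCollect destination. An empty answer or a mismatch points at the usual causes: the deploy has not run yet (the port is not open, as noted in step 4), the wrong Target Event Collector was selected, or a firewall in between. The collector host name, port 6514 and the certificate path are assumptions for the example; pass your own values as arguments.

```shell
#!/bin/sh
# verify_tls_listener.sh (added example, not part of the IBM technical note)
# After Deploy Changes, confirm that the event collector listens on the TLS
# syslog port and presents the certificate pasted into the WinCollect
# destination. Needs openssl; run it from the console or any Linux host that
# can reach the collector.
# Usage: sh verify_tls_listener.sh <collector-host> [port] [cert.pem]
# Port 6514 and the certificate path are the defaults from the note; the
# collector host is an assumption you supply on the command line.

# cert_fingerprint FILE
# Prints the SHA-256 fingerprint of a PEM certificate as lowercase hex without
# colons, so output from different openssl versions compares equal. Prints
# nothing if FILE is missing or is not a certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# served_fingerprint HOST PORT
# Prints the fingerprint of the leaf certificate the listener presents, or
# nothing when no TLS server answers on HOST:PORT (for example, before Deploy
# Changes has opened the port).
served_fingerprint() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# verify_listener HOST PORT FILE
# Returns 0 when the certificate served on HOST:PORT matches FILE, 1 when
# nothing answers or a different certificate is served, 2 when FILE is unusable.
verify_listener() {
    host=$1; port=$2; file=$3
    expected=$(cert_fingerprint "$file")
    if [ -z "$expected" ]; then
        echo "cannot read $file as a PEM certificate" >&2
        return 2
    fi
    actual=$(served_fingerprint "$host" "$port")
    if [ -z "$actual" ]; then
        echo "no TLS listener answered on $host:$port" >&2
        echo "  (changes not deployed yet, wrong Target Event Collector, or a firewall in between)" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH on $host:$port" >&2
        echo "  served:      $actual" >&2
        echo "  destination: $expected ($file)" >&2
        return 1
    fi
    echo "OK: $host:$port presents the certificate in $file (sha256 $expected)"
    return 0
}

if [ -n "${1:-}" ]; then
    verify_listener "$1" "${2:-6514}" \
        "${3:-/opt/qradar/conf/trusted_certificates/syslog-tls.cert}"
else
    echo "usage: $0 <collector-host> [port] [cert.pem]" >&2
fi
```

If the fingerprint matches but no events show up in Log Activity, the problem is on the agent side (destination not yet polled, or the agent cannot reach the port), not in the listener configuration.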

Troubleshooting

If you made changes to the log source configuration, but the changes don't seem to take effect, try the following:
  • Disable and then re-enable the log source.
  • Restart ecs-ec-ingress from the CLI on the QRadar host where you want to ingest the events:
    systemctl restart ecs-ec-ingress
    Note: Event collection is briefly interrupted while the service restarts.

    Results
    If you continue to experience issues, contact QRadar Support for assistance.

Additional Information

QRoC and TLS Syslog log sources on the Console:
TLS Syslog certificates used on a QRoC Console are public CA signed certificates for compliance reasons, and are created by IBM DevOps.
If your WinCollect agent is sending traffic to a Data Gateway, then the requirements are dictated by your corporate security policies.

Related Information

Document Location

Worldwide


Document Information

Modified date:
24 April 2023

UID

ibm16539510