Question & Answer
Question
WinCollect is a Syslog event forwarder that administrators can use to forward events from Windows logs to QRadar. When WinCollect polls for events, it reads the fields of each event in the Windows Event Viewer or in log files and builds a Syslog payload from them. This article answers a common question from administrators: "What are the Syslog fields that carry Windows data in a WinCollect Syslog event?"
Answer
Administrators who want to compare the fields collected by WinCollect to the data in the Event Viewer can search for an event in QRadar, then compare the value to the Windows Event Viewer by using the RecordNumber field.
Example of the General tab from an event in the Windows Event Viewer
Detailed view in XML of the same event
Example Syslog event in QRadar
Win-ABCDEFG AgentDevice=WindowsLog AgentLogFile=System
PluginVersion=WC.MSEVEN6.X.X.X Source=Microsoft-Windows-WindowsUpdateClient
Computer=Win-ABCDEFG OriginatingComputer=Win-ABCDEFG User=SYSTEM Domain=NT
AUTHORITY EventID=43 EventIDCode=43 EventType=4 EventCategory=1
RecordNumber=69543 TimeGenerated=1687262283 TimeWritten=1687262283
Level=Informational Keywords=install,started Task=Agent Opcode=13
Message=Installation Started: Windows has started installing the following
update: Windows Malicious Software Removal Tool x64 - v5.114 (KB890830)
Note: This Syslog payload is an example. Depending on the type of event and the version of Windows, your payloads might differ.
In these examples, the payload represents an event as name=value pairs that are separated by tabs. The following table provides basic descriptions of the named fields for Windows events.
Parameter | Description
AgentDevice | The event log from which the agent gathers the events. The most common value in this field is WindowsLog.
AgentLogFile | The channel in the Event Viewer, or the log file, that WinCollect parses to create the event payloads. Values in this field represent the source in the Windows Event Viewer, such as a channel name, a channel and sub-folder, or the name of the log file.
AgentLogFormat | For flat files, such as logs that are not in the Event Viewer, this field defines the format of the events, such as W3C.
PluginVersion | The version of the agent plugin that is sending the event. In this example, the plugin is MSEVEN6 and the version is 10.1.2.2. In older versions of WinCollect, the version might be represented as 7.3.1-28.
Source | The source of the event. In this case, the event is from Microsoft Windows Security Auditing, which belongs to the Security channel.
Computer | The computer or source device that generated the event.
OriginatingComputer | The IP address or hostname of the device that originated the event. If an event does not include an IP address or hostname in a field such as Computer, the DSM falls back to OriginatingComputer, or to the hostname in the Syslog header, to set the Source IP address.
EventID and EventIDCode | The EventID of the generated event. There are two fields because some special Windows events have a different EventIDCode.
EventCategory | The ID of the category to which the event belongs. Some events do not include this parameter.
RecordNumber | A unique, sequential ID for the event, as generated on the Windows device in the Event Viewer.
TimeGenerated | The timestamp at which the record was created.
TimeWritten | The time at which the event was logged.
Level | The severity of the recorded event: Information, Error, Verbose, Warning, or Critical.
Keywords | The standard keywords that the event provider attaches to events.
Task | The action that was performed and logged in the event.
Message | A text description of the event.
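The following parser is an added example and is not code from the IBM article or from WinCollect itself. It re-joins the article's example event with tabs (the wrapped lines above were originally one tab-separated payload), splits it into the hostname from the Syslog header plus name=value pairs, converts the integer and epoch fields, and performs the RecordNumber comparison described in the answer. The set of integer-typed fields and the treatment of the leading hostname token are assumptions based on the article's description, not on the WinCollect source.

```python
# Added example (not from the IBM article): parse a WinCollect Syslog payload
# of tab-separated name=value pairs into a dict and line it up with an
# Event Viewer record by RecordNumber. Field typing below is an assumption.
from datetime import datetime, timezone

# Constructed sample: the article's example event, one tab between each pair.
# The first token (before the first tab) is the hostname from the Syslog header.
SAMPLE_PAYLOAD = "\t".join([
    "Win-ABCDEFG",
    "AgentDevice=WindowsLog",
    "AgentLogFile=System",
    "PluginVersion=WC.MSEVEN6.X.X.X",
    "Source=Microsoft-Windows-WindowsUpdateClient",
    "Computer=Win-ABCDEFG",
    "OriginatingComputer=Win-ABCDEFG",
    "User=SYSTEM",
    "Domain=NT AUTHORITY",  # value contains a space: this is why tabs, not spaces, delimit pairs
    "EventID=43",
    "EventIDCode=43",
    "EventType=4",
    "EventCategory=1",
    "RecordNumber=69543",
    "TimeGenerated=1687262283",
    "TimeWritten=1687262283",
    "Level=Informational",
    "Keywords=install,started",
    "Task=Agent",
    "Opcode=13",
    "Message=Installation Started: Windows has started installing the following "
    "update: Windows Malicious Software Removal Tool x64 - v5.114 (KB890830)",
])

# Assumed: these fields are always numeric in the payload.
INTEGER_FIELDS = {"EventID", "EventIDCode", "EventType", "EventCategory",
                  "RecordNumber", "TimeGenerated", "TimeWritten", "Opcode"}


def parse_wincollect_payload(payload: str) -> dict:
    """Return {"Host": <syslog hostname or None>, "Fields": {name: value}}."""
    tokens = payload.rstrip("\r\n").split("\t")
    result = {"Host": None, "Fields": {}}
    if tokens and "=" not in tokens[0]:
        result["Host"] = tokens.pop(0)  # Syslog header hostname precedes the pairs
    for token in tokens:
        if not token:
            continue
        # Split on the FIRST '=' only: Message text may itself contain '=' or ':'.
        name, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token (no '='): {token!r}")
        if name in INTEGER_FIELDS:
            value = int(value)
        elif name == "Keywords":
            value = value.split(",")  # comma-separated list in the sample
        result["Fields"][name] = value
    return result


def time_generated_utc(fields: dict) -> datetime:
    """TimeGenerated is epoch seconds; render it as UTC to compare with Event Viewer."""
    return datetime.fromtimestamp(fields["TimeGenerated"], tz=timezone.utc)


def matches_event_viewer_record(fields: dict, computer: str, record_number: int) -> bool:
    """The comparison the article describes: match a QRadar event to the
    Event Viewer entry by Computer and RecordNumber."""
    return (fields.get("Computer") == computer
            and fields.get("RecordNumber") == record_number)


if __name__ == "__main__":
    parsed = parse_wincollect_payload(SAMPLE_PAYLOAD)
    print(parsed["Host"], parsed["Fields"]["Source"], parsed["Fields"]["RecordNumber"])
    print(time_generated_utc(parsed["Fields"]).isoformat())
    print(matches_event_viewer_record(parsed["Fields"], "Win-ABCDEFG", 69543))
```

Splitting each token on the first "=" only matters for the Message field, whose free text can contain further "=" or ":" characters; splitting on whitespace would also break values such as "NT AUTHORITY", which is the practical reason the payload is tab-delimited.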
Document Information
Modified date: 28 June 2023
UID: ibm17003773