IBM Support

WinCollect: What fields are included in the payload when WinCollect creates and forwards a Syslog event?

Question & Answer


Question

WinCollect is a Syslog event forwarder that administrators can use to forward events from Windows logs to QRadar. When WinCollect polls for events, it reads the fields of each record in the Windows Event Viewer, or the lines of a log file, and builds a Syslog payload from them. This article answers a common question from administrators: "Which Syslog fields carry the Windows data in a WinCollect Syslog event?"

Answer

Administrators who want to compare the fields collected by WinCollect with the data in the Event Viewer can search for an event in QRadar and then locate the same record in the Windows Event Viewer by using the RecordNumber field, which matches the EventRecordID shown in the event's XML view.

Example of the General tab from an event in the Windows Event Viewer

Detailed view in XML of the same event
Example Syslog event in QRadar
Win-ABCDEFG AgentDevice=WindowsLog	AgentLogFile=System	PluginVersion=WC.MSEVEN6.X.X.X	Source=Microsoft-Windows-WindowsUpdateClient	Computer=Win-ABCDEFG	OriginatingComputer=Win-ABCDEFG	User=SYSTEM	Domain=NT AUTHORITY	EventID=43	EventIDCode=43	EventType=4	EventCategory=1	RecordNumber=69543	TimeGenerated=1687262283	TimeWritten=1687262283	Level=Informational	Keywords=install,started	Task=Agent	Opcode=13	Message=Installation Started: Windows has started installing the following update: Windows Malicious Software Removal Tool x64 - v5.114 (KB890830)
Note: This Syslog payload is an example. Depending on the type of event and the version of Windows, your payloads might differ.


In these examples, the payload represents an event as tab-separated name=value pairs; spaces inside a value (for example, Domain=NT AUTHORITY) do not separate fields. The following table gives basic descriptions of the named fields for Windows events.
Parameter and description

AgentDevice
The event log from which the agent gathers events. The most common value in this field is WindowsLog. Possible values include:
  • WindowsLog
  • WindowsExchange
  • WindowsDHCP
  • WindowsDNS
  • WindowsISA
  • MSIIS
  • MSSQL
  • FileForwarder
  • JuniperSBR
  • NetApp

AgentLogFile
The channel in the Event Viewer, or the log file, that WinCollect parses to create the event payload. The value is the source name as it appears in the Windows Event Viewer (a channel name, or a channel and its sub-folder) or the name of the log file. For example:
  • Security
  • System
  • Application
  • dns.log
  • Microsoft-Windows-Sysmon/Operational
  • DhcpSrvLog-Fri.log
  • Microsoft-IIS-Logging/Logs
  • MSGTRKMS2023062007-1.LOG (Exchange Message Tracking)
  • Microsoft-Windows-Hyper-V-Worker-Admin

AgentLogFormat
For flat files (logs that are not in the Event Viewer), the format of the events, such as W3C.

PluginVersion
The plugin and version of the agent that sent the event. In the example above, the plugin is MSEVEN6 and the version is masked as X.X.X; a real payload carries the version number, such as 10.1.2.2. In older versions of WinCollect, the version might be represented as 7.3.1-28.

Source
The provider that wrote the event. For example, Microsoft-Windows-Security-Auditing is the source of the auditing events in the Security channel. Other examples:
  • Security
  • Microsoft-Windows-Security-Auditing
  • MSSQLSERVER$AUDIT
  • Backup

Computer
The computer or source device that generated the event.

OriginatingComputer
The IP address or hostname of the device that originated the event. If the event does not include an IP address or hostname in the Computer field, the DSM falls back to OriginatingComputer, or to the hostname in the Syslog header, to set the Source IP address.

EventID and EventIDCode
The ID of the event that was generated. There are two fields because some special Windows events have an EventIDCode that differs from the EventID.

EventCategory
The ID of the category that the event belongs to. Some events do not include this parameter.

RecordNumber
The unique, sequential record number that the Windows device assigned to the event in the Event Viewer (EventRecordID in the event's XML view).

TimeGenerated
The time at which the record was created. In the example above, the value is a Unix epoch timestamp in seconds (1687262283 is 20 June 2023, 11:58:03 UTC).

TimeWritten
The time at which the event was logged.

Level
The severity of the recorded event: Information, Error, Verbose, Warning, or Critical.

Keywords
The standard keywords that the event provider attaches to the event.

Task
The task, or action, that the event provider recorded for the event.

Message
The text description of the event.
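As an added example (not part of the IBM article or of WinCollect itself), the following Python script parses a payload in the format described above and then does the comparison the answer recommends: it pulls out RecordNumber and the channel so that the same record can be located in Event Viewer, and checks the payload's Source, EventID, RecordNumber, AgentLogFile and Computer fields against the corresponding elements of the event's XML System section. The sample payload is constructed from the article's example; SAMPLE_EVENT_VIEWER_SYSTEM is a constructed dictionary standing in for the values you would read from the XML view in Event Viewer, and all function and variable names are the example's own. The XPath string it builds is the filter syntax that Get-WinEvent -FilterXPath accepts.

```python
"""Parse a WinCollect syslog payload (tab-separated name=value pairs) and
cross-check it against the matching Windows Event Viewer record."""
from datetime import datetime, timezone

# Constructed sample, modelled on the payload shown in the article (not a real capture).
SAMPLE_PAYLOAD = (
    "Win-ABCDEFG AgentDevice=WindowsLog\tAgentLogFile=System\t"
    "PluginVersion=WC.MSEVEN6.X.X.X\tSource=Microsoft-Windows-WindowsUpdateClient\t"
    "Computer=Win-ABCDEFG\tOriginatingComputer=Win-ABCDEFG\tUser=SYSTEM\t"
    "Domain=NT AUTHORITY\tEventID=43\tEventIDCode=43\tEventType=4\tEventCategory=1\t"
    "RecordNumber=69543\tTimeGenerated=1687262283\tTimeWritten=1687262283\t"
    "Level=Informational\tKeywords=install,started\tTask=Agent\tOpcode=13\t"
    "Message=Installation Started: Windows has started installing the following "
    "update: Windows Malicious Software Removal Tool x64 - v5.114 (KB890830)"
)

# Constructed stand-in for the <System> section of the same event's XML view in
# Event Viewer. Keys are the XML element names.
SAMPLE_EVENT_VIEWER_SYSTEM = {
    "Provider": "Microsoft-Windows-WindowsUpdateClient",
    "EventID": "43",
    "EventRecordID": "69543",
    "Channel": "System",
    "Computer": "Win-ABCDEFG",
}

# Payload field -> element name in the Event Viewer XML <System> section.
PAYLOAD_TO_XML = {
    "Source": "Provider",
    "EventID": "EventID",
    "RecordNumber": "EventRecordID",
    "AgentLogFile": "Channel",
    "Computer": "Computer",
}

EPOCH_FIELDS = ("TimeGenerated", "TimeWritten")


def parse_wincollect_payload(payload: str) -> dict:
    """Return the syslog host, the name=value fields and decoded timestamps.
    Tabs separate fields; spaces do not (Domain=NT AUTHORITY is one value)."""
    start = payload.find("AgentDevice=")
    if start < 0:
        raise ValueError("not a WinCollect payload: AgentDevice field missing")
    # Everything before the first field is the syslog header; its last token is the host.
    header = payload[:start].split()
    host = header[-1] if header else None
    body = payload[start:]

    # Message is always last and is free text that may itself contain '=', tabs or
    # newlines, so cut it off before tokenising the rest on tabs.
    message = None
    marker = "\tMessage="
    pos = body.find(marker)
    if pos >= 0:
        message = body[pos + len(marker):]
        body = body[:pos]

    fields = {}
    for token in body.split("\t"):
        if not token:
            continue
        name, sep, value = token.partition("=")
        if not sep:
            # Keep malformed tokens visible instead of silently dropping them.
            fields.setdefault("_unparsed", []).append(token)
            continue
        fields[name] = value  # may be "" for fields an event leaves empty
    if message is not None:
        fields["Message"] = message

    # The article's payload carries TimeGenerated/TimeWritten as Unix epoch seconds.
    times = {}
    for name in EPOCH_FIELDS:
        raw = fields.get(name, "")
        if isinstance(raw, str) and raw.isdigit():
            times[name] = datetime.fromtimestamp(int(raw), tz=timezone.utc)
    return {"host": host, "fields": fields, "times": times}


def event_viewer_lookup(parsed: dict) -> dict:
    """Channel and XPath filter that select this exact record, usable as
    Get-WinEvent -LogName <channel> -FilterXPath <xpath>."""
    f = parsed["fields"]
    record = int(f["RecordNumber"])
    return {"channel": f["AgentLogFile"], "record_number": record,
            "xpath": f"*[System[EventRecordID={record}]]"}


def compare_with_event_viewer(parsed: dict, system_xml: dict) -> list:
    """(payload_field, payload_value, xml_value) for every mapped field that differs."""
    mismatches = []
    for field, element in PAYLOAD_TO_XML.items():
        payload_value = parsed["fields"].get(field)
        xml_value = system_xml.get(element)
        if payload_value != xml_value:
            mismatches.append((field, payload_value, xml_value))
    return mismatches


if __name__ == "__main__":
    parsed = parse_wincollect_payload(SAMPLE_PAYLOAD)
    print(parsed["times"]["TimeGenerated"].isoformat(), event_viewer_lookup(parsed))
    print("mismatches:", compare_with_event_viewer(parsed, SAMPLE_EVENT_VIEWER_SYSTEM))
```

A mismatch on Computer is the one most often seen in practice (short name in the payload, fully qualified name in the event XML, or the reverse), which is exactly the fallback to OriginatingComputer that the table describes; the comparison makes that difference explicit instead of leaving it to be noticed by eye.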


Document Information

Modified date: 28 June 2023
UID: ibm17003773