IBM Support

WinCollect: Configure TLS syslog log source with stand-alone WinCollect agents

How To


Summary

This technical note provides guidance on how to set up a TLS syslog log source with a stand-alone WinCollect agent for both versions 7 and 10.

Steps

For the documentation on managed agents, see this technote.
1. Create the destination
Create a Destination in the WinCollect Configuration Console > Destinations > Syslog TCP.
  • Enter either an FQDN, hostname, or the IP address of your QRadar host where you intend to ingest the events from WinCollect.
  • Enter a port number - 6514 is the default TLS Syslog port.
  • Copy and paste the TLS certificate of the QRadar event collector (the certificate that secures the TLS session to this destination) into the "Certificate" field. The certificate must be in Base64 PEM format. See the "Get the event collector certificate" section of the managed configuration technote for how to find this certificate or create one.
Image: Destination in WinCollect 7.3x
Image: WinCollect 10 Destination
Note: If your certificate is signed by a public CA or by a corporate internal CA, you might also need to import the Root CA and Intermediate CA certificates on the Windows hosts. If you are unsure, discuss this with your Windows System Administrator and your PKI Administrator.

This certificate belongs to the destination of the events. When you save the destination, the WinCollect agent updates the AgentConfig.xml file and stores the TLS certificate on the Windows host where the agent is installed. The certificates reside in the config folder.
Image: Config folder contents
2. Create the Gateway Log Source
Follow the "Create the TLS log source" instructions from the managed WinCollect article.
3. Create the Microsoft Windows Security Event log sources
Whether you created the log sources during the Windows command-line installation or in the WinCollect Configuration Console, you can modify them at any time in the console.
For each Windows log source, select the TLS destination that you created earlier, then deploy the changes.
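Before you deploy, it is worth confirming on the Windows host that the certificate you pasted is what the QRadar collector actually presents on the TLS Syslog port, and whether the Root/Intermediate CA question from the Note in step 1 applies to you. The following PowerShell script is an added example, not part of this technote or of WinCollect itself. It assumes the pasted PEM is also saved in a file (the -CertPath value), that the destination name and port are the ones entered in the Destination dialog, and that the host can reach the collector on that port; all parameter values are hypothetical.

```powershell
<#
  Added example, not part of the IBM technote or of WinCollect.
  Pre-flight checks for a WinCollect TLS Syslog destination:
    - the pasted certificate is Base64 PEM, parses, and is not expired
    - its SAN or CN names the destination you entered
    - whether the chain builds on this Windows host (Root/Intermediate CA question)
    - the QRadar host answers TLS 1.2 on the port and presents that certificate
  Parameter values are hypothetical; supply your own.
#>
param(
    [Parameter(Mandatory)] [string] $Destination,   # FQDN, hostname or IP of the QRadar event collector
    [Parameter(Mandatory)] [string] $CertPath,      # file holding the PEM pasted into "Certificate"
    [int] $Port = 6514                              # default TLS Syslog port
)

# 1. The Destination dialog only accepts Base64 PEM, so reject DER/PFX input early.
$pem = Get-Content -Path $CertPath -Raw
if ($pem -notmatch '-----BEGIN CERTIFICATE-----' -or $pem -notmatch '-----END CERTIFICATE-----') {
    throw "$CertPath is not a Base64 PEM certificate (BEGIN/END CERTIFICATE markers missing)."
}

# 2. Parse it and check the fields that decide whether the agent can use it.
$expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [System.Text.Encoding]::ASCII.GetBytes($pem))
if ($expected.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($expected.NotAfter); the agent will fail to reconnect."
}
$san = $expected.Extensions |
    Where-Object { $_.Oid.Value -eq '2.5.29.17' } |     # subjectAltName
    ForEach-Object { $_.Format($false) }
$nameCovered = ($san -and $san -like "*$Destination*") -or ($expected.Subject -like "*CN=$Destination*")
if (-not $nameCovered) {
    Write-Warning "Neither the SAN ($san) nor the Subject ($($expected.Subject)) names '$Destination'."
}

# 3. Chain check. A self-signed collector certificate is expected to fail with UntrustedRoot;
#    a CA-signed one that fails here needs the Root and Intermediate CA certificates imported.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainBuilds = $chain.Build($expected)
$selfSigned  = $expected.Subject -eq $expected.Issuer
if (-not $chainBuilds -and -not $selfSigned) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Warning "Chain does not build on this host ($status): import the Root and Intermediate CA certificates."
}

# 4. Open TLS 1.2 to the destination and compare what the server presents with the pasted PEM.
#    The validation callback returns $true so the handshake completes even for a self-signed
#    certificate; the thumbprint comparison below is the real check.
$tcp = [System.Net.Sockets.TcpClient]::new($Destination, $Port)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($Destination, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $presented = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
}
finally {
    $ssl.Dispose()
    $tcp.Close()
}

if ($presented.Thumbprint -eq $expected.Thumbprint) { $match = 'the server certificate' }
elseif ($presented.Issuer -eq $expected.Subject)    { $match = 'the issuer of the server certificate' }
else                                                { $match = 'NO MATCH' }

[pscustomobject]@{
    Destination         = "$Destination`:$Port"
    PastedSubject       = $expected.Subject
    PastedThumbprint    = $expected.Thumbprint
    PresentedSubject    = $presented.Subject
    PresentedThumbprint = $presented.Thumbprint
    PastedCertIs        = $match
    ChainBuildsLocally  = $chainBuilds
}
```

Run it as `.\Test-WinCollectTlsDestination.ps1 -Destination qradar-ec.example.com -CertPath .\collector.pem` (both values hypothetical). "NO MATCH" means the PEM you pasted is neither the certificate the collector presents on that port nor its issuer, which is the first thing to fix before deploying. Because the script deliberately accepts any certificate during the handshake, never reuse that callback in production code; it exists only so the presented certificate can be read and compared.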
Result
On the QRadar side, the only difference with a stand-alone and a managed WinCollect is that the Windows log sources are auto-discovered. Auto-discovered log sources display Syslog protocol instead of WinCollect protocol.

Additional Information

QRoC and TLS Syslog log sources on the Console:
TLS Syslog certificates used on a QRoC Console are public CA signed certificates for compliance reasons, and are created by IBM DevOps.
 
If your WinCollect agent is sending traffic to a Data Gateway, then the requirements are dictated by your corporate security policies.

Document Location

Worldwide

Product: IBM Security QRadar SIEM; Category: WinCollect; Platform: Platform Independent; Version: All Versions

Document Information

Modified date:
15 January 2024

UID

ibm17051489