Troubleshooting
Problem
WinCollect log sources may experience issues following a QRadar upgrade. In some cases, they may begin reporting as "WindowsAuthServer @ DEFAULT" instead of the expected hostname where the agent is installed.
Symptom
The behavior observed after the upgrade, which can help confirm that the issue is occurring, may appear as follows:
Diagnosing The Problem
Note: WinCollect collects only those forwarded events that appear in the Windows Event Viewer.
Forwarded events are displayed as Windows Auth @ <hostname> or <FQDN> in the Log Activity tab. Conversely, locally or remotely collected events appear as Windows Auth @ <IP address> or <hostname>. When WinCollect processes an event, it includes an extra syslog header that identifies the event as a WinCollect event. Because the forwarded event is a pass-through or listener, forwarded events don't include the WinCollect identifier and appear as standard events.
According to the IBM Documentation, "Forwarded Events Identifier", to ensure that all events collected by the agent are grouped under a single source identifier, the WEC parameter must be used in the log source configuration.
- Log in to the QRadar console as Administrator
- Click the Admin tab
- Click on Log Sources
- Select the log source that should be collecting those events
- Click on the Protocol Tab
- Verify the value of the Forwarded Events Identifier. If the value differs from "WEC", you are experiencing the issue.

Result: The administrator confirms if this behavior is present and continues with the section "Resolving The Problem".
Resolving The Problem
Administrators can change the value by using either of the following two options:
Option 1: Change the value from the QRadar UI
- Log in to the QRadar console as Administrator
- Click the Admin tab
- Click on Log Sources
- Select the log source that should be collecting those events
- Click on the Protocol Tab
- Change the Forwarded Events Identifier value to "WEC"
- Navigate to Log Source Management, locate and disable the log source named WindowsAuthServer @ DEFAULT
Option 2: Change the value through the Windows Command Line
- Access the Windows server where the WinCollect agent is installed
- Navigate to the following directory:
C:\Program Files\IBM\Wincollect\config
- Open the AgentConfig.xml file and locate the following line:
<ForwardedEvents.Identifier value="DEFAULT"/>
- Modify it to:
<ForwardedEvents.Identifier value="WEC"/>
- Save the changes and restart the WinCollect service
- Log in to the QRadar console as Administrator
- Navigate to Log Source Management, locate and disable the log source named WindowsAuthServer @ DEFAULT
Result: Administrators should see events correctly associated with the intended log source and its proper hostname or IP address. If the issue persists, contact QRadar Support for assistance.
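The agent-side steps of Option 2 can also be scripted. The following PowerShell is an added example, not IBM-provided code: it checks the identifier, backs up AgentConfig.xml, sets the value to "WEC", and restarts the service. The service name "WinCollect" and the lookup of the element anywhere in the file are assumptions; the path and element name come from the steps above. The QRadar console steps still have to be done separately.

```powershell
# Added example (not IBM code). Run in an elevated PowerShell session on the agent host.
$configPath  = 'C:\Program Files\IBM\Wincollect\config\AgentConfig.xml'  # path from the steps above
$serviceName = 'WinCollect'   # assumption: confirm the name with Get-Service first
$expected    = 'WEC'

$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true   # keep the file's existing layout when saving
$doc.Load($configPath)

# Assumption: the element may sit at any depth, so match it by local name.
$nodes = $doc.SelectNodes("//*[local-name()='ForwardedEvents.Identifier']")
if ($nodes.Count -eq 0) {
    throw "No ForwardedEvents.Identifier element found in $configPath"
}

$changed = $false
foreach ($node in $nodes) {
    $current = $node.GetAttribute('value')
    Write-Host "ForwardedEvents.Identifier is currently '$current'"
    # -cne is a case-sensitive comparison, so 'wec' is also corrected to 'WEC'.
    if ($current -cne $expected) {
        $node.SetAttribute('value', $expected)
        $changed = $true
    }
}

if ($changed) {
    # Keep a timestamped copy of the original file so the edit can be rolled back.
    $backup = "$configPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -LiteralPath $configPath -Destination $backup
    $doc.Save($configPath)
    Restart-Service -Name $serviceName
    Write-Host "Identifier set to '$expected'. Backup: $backup. Service restarted."
} else {
    Write-Host "Identifier is already '$expected'. No change made."
}
```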
Document Location
Worldwide
Document Information
Modified date:
18 June 2025
UID
ibm17235962