IBM Support

QRadar: Agentless Windows Events Collection using the MSRPC Protocol (MSRPC FAQ)

Question & Answer


Question

The purpose of the technical note is to provide a FAQ for administrators that use the Microsoft Security Event Log over MSRPC protocol to collect events from Windows systems.

Answer

Quick links

 

What is the 'Microsoft Security Event Log over MSRPC' protocol?

The Microsoft Security Event Log over MSRPC protocol is a new offering for QRadar to collect Windows events without the need of a local agent on the Windows host. The protocol leverages Microsoft's implementation of DCE/RPC, which is commonly referred to as MSRPC. The MSRPC protocol provides agentless, encrypted event collection.




 

Where do I download the 'Microsoft Security Event Log over MSRPC' protocol?

For most administrators or users, the Microsoft Security Event Log over MSRPC protocol is provided during installation, but is not included in QRadar weekly auto updates. If you need to update the Microsoft Security Event Log over MSRPC protocol, you must download and install the RPM file from IBM Fix Central. Administrators can be verify if the protocol is install through the log sources user interface or by confirming that the Windows Event RPC protocol rpm file is installed.

If you experience issues with the Windows Event RPC protocol:

  1. Confirm you are on the latest version from IBM Fix Central.
  2. If your network is air gapped, you can download the RPM directly or download the automatic updates bundle, then install any required RPM files on the Console. For more information, see Installing the MSRPC protocol on the QRadar Console.

To verify through the user interface, administrators can click the Admin tab > Log Sources > Add > Microsoft Windows Security Event Log to confirm whether the MSRPC option is available.


To verify from the command line, administrator can log in to the Console and confirm that the required rpm files are installed. The following rpm files required to collect and parse events using the MSRPC protocol:
 
  • PROTOCOL-WindowsEventRPC-<version>.noarch.rpm (interface and protocol connection code)
  • DSM-MicrosoftWindows-<version>.noarch.rpm (parsing and QID map for all Windows-based events)
  • DSM-DSMCommon-<version>.noarch.rpm (framework and support files for parsing some operating system events)
 
Procedure
  1. Using SSH, log in to the QRadar Console as the root user.
  2. To verify the protocol is installed, type:
    yum info *EventRPC*
  3. Examine the list and verify that PROTOCOL-WindowsEventRPC-<version>.noarch.rpm is installed.
    Note: If the file is listed, but does not display in the user interface, the administrator can restart the web server. Note: Restarting the web server logs out all users, stop event exports, and stop reports that are in progress.
  4. From the Admin tab of the QRadar Console, select Advanced > Deploy Full Configuration.
  5. Click the Admin tab > Advanced > Restart Web Server.
  6. Log in to the QRadar Console.
  7. Verify that the Microsoft Security Event Log over MSRPC is displayed in the log source user interface.
 
 

What event log types are supported by the MSRPC protocol?

The Microsoft Security Event Log over MSRPC only supports standard Windows event logs for workstations and servers. This allows MSRPC to collect Security, System, Application, DNS Server, File Replication, and Directory Service event.

MSRPC is not capable of retrieving or parsing non-Standard windows logs, such as Microsoft IIS, Microsoft SQL, Microsoft DHCP, Juniper Steel-Belted Radius, Microsoft IAS/NPS, Microsoft ISA, or NetApp Data ONTAP. If you require events from any of these systems, administrators can install WinCollect agents to collect those events.


 

What is the intended application for the 'Microsoft Security Event Log over MSRPC' protocol?

The MSRPC protocol is best used to poll Windows endpoints (workstations) and mid-to-low EPS rate Windows servers due to the 100 EPS maximum of the protocol. The MSRPC protocol is only capable of polling for Windows events from the default event logs on the Windows host. For example, IIS, DHCP, or IAS event logs are not supported.


MSRPC supports the following event rates:
Name Protocol type Maximum event rate
Microsoft Security Event Log over MSRPC MSRPC
  • 100 EPS per Windows host
  • 8,500 EPS / QRadar appliance
    (15xx, 16xx, 18xx, 31xx)
The MSRPC protocol is not recommended for high event rate servers or domain controllers. These systems typically generate more than then 100 EPS that the MSRPC protocol is capable of collecting. High event rate systems should use WinCollect with 'Local System' log sources to collect and forward events.


 

Does MSRPC provide security for my event payloads?

MSRPC traffic is encrypted. Packet information is encrypted cannot be disabled in the user interface by administrators. MSRPC uses NTLMv2 and does not support Kerberos. If event payload security is required, then administrators must leverage MSRPC for Windows event collection or use TLS Syslog with a WinCollect agent to securely forward events to QRadar.

 

 

What are the features of the 'Microsoft Security Event Log over MSRPC' protocol?

The MSRPC protocol provides agentless, encrypted event collection from Windows hosts. Each 'Microsoft Windows Security Event Log over MSRPC' log source is capable of collecting from Windows hosts that generate up to 100 EPS. The MSRPC protocol is capable of supporting up to 8,500 overall EPS per each QRadar 16xx Event Processor or 18xx Event/Flow Processor. QRadar supports bulk adding of a maximum of 500 'Microsoft Security Event Log over MSRPC' log sources. If more than 500 MSRPC log sources are required, the administrator must configure these log sources on a separate QRadar appliance. The use of the MSRPC protocol is recommended for administrators who need to collect Windows events from low-mid EPS rate systems when the corporate policies that restrict the use of agents.

Features Supported by the 'Microsoft Security Event Log over MSRPC' protocol?
Maximum EPS rate 100 EPS / Windows host
Maximum overall EPS rate 8500 EPS / QRadar appliance (15xx, 16xx, 18xx, 31xx)
Maximum log sources 500 log sources / QRadar
Bulk log source support Yes
Encryption Yes, using the MS-EVEN6 protocol.
Protocol type The protocol type used for event collection is dependent on your Windows operating system version. Select one of the following options from the Protocol Type list:

MS-EVEN6 (default for new log sources)
The default protocol type for new log sources. The protocol type that is used by QRadar to communicate with Windows Vista and Windows Server 2008 and later.

MS-EVEN (for Windows XP/2003)
The protocol type that is used by QRadar to communicate with Windows XP and Windows Server 2003.


Windows XP and Windows Server 2003 are not supported by Microsoft. The use of this option might not be successful.

Auto-detect (for legacy configurations)
Existing MSRPC log sources are assigned Auto-detect as the protocol type when the latest protocol is installed in the QRadar deployment.
 
Event types
  • Application
  • System
  • Security
  • DNS Server
  • File Replication
  • Directory Service logs
Supported Windows Operating Systems
  • Windows Server 2022 (including Core with WinCollect v10.1.2 and above)
  • Windows Server 2019 (including Core)
  • Windows Server 2016 (including Core)
  • Windows Server 2012 (including Core)
  • Windows 10
  • Windows 11 (WinCollect v10.1.2 and above)
NOTE: MSRPC is not supported on versions of Windows that are marked as end of life by Microsoft, such as Windows 2003 and Windows XP.
Required permissions The log source user must be a member of the Event Log Readers group. If this group is not configured, then domain admin privileges are required in most cases to poll a Windows event log across a domain. In some cases, the Backup Operators group can be used depending on how Microsoft Group Policy Objects are configured.

** Windows 2003 operating systems users require read access to the following registry keys:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

** Windows 2003 does work with MSRPC, however, QRadar support does not take questions or assist with Windows 2003 integrations as Microsoft declared the operating system as end of life.
Windows Service Requirements For Windows Vista and later:
  • Remote Procedure Call (RPC)
  • RPC Endpoint Mapper

** For Windows 2003:
  • Remote Registry
  • Server
Port Requirements For Windows Vista and later:
  • TCP port 135
  • TCP port 445
  • TCP port that is dynamically allocated for RPC, above 49152

** For Windows 2003:
  • TCP port 445
  • TCP port 139
Tuning support No, MSRPC is limited to 100 EPS / Windows host and no further performance tuning is available. For higher event rate systems (>100 EPS), see WinCollect.
Event filtering support MSRPC only has the options available to filter on the level of logging per channel.  There are 6 choices to enable or disable:
  • Informational
  • Warning
  • Error
  • Success Audit
  • Failure Audit
For more granular event filtering options, administrators can use WinCollect XPath queries or filter by Event IDs or source. For more information, see WinCollect Event Filtering.
Connection test tool Yes, the MSRPC protocol includes a Test button in the Log Source Management app.


 

What QRadar versions are required?

The 'Microsoft Security Event Log over MSRPC' protocol is supported on all QRadar versions.

 

 

Event collection scenario: 500 Windows hosts with 5 domain controllers

An administrator has 500 Windows hosts and 5 domain controllers in the network and they are tasked with collecting events from these systems. The collection method the administrator selects should be determined by EPS rate of the remote Windows hosts.


After an investigation into these Windows systems, it is determined that the EPS rates across these systems are as follows:
 
450 endpoints that generate 10 EPS each
  • Option 1 (MSRPC) - A single QRadar appliance that uses 'Microsoft Security Event Log over MSRPC' can collect these events. This is a good option for administrators due to the ease of configuration and centralized management of the log sources.
  • Option 2 (WinCollect) - If agents are allowed in your network, you could configure remote polling as follows:
    • Two WinCollect 7.3.1 agents could remotely poll for these events and collect the over 4,500 EPS from all hosts. Two WinCollect 7.3.1 agents are required because the remote polling maximum EPS is 3000 per agent.
    • A stand-alone WinCollect 10 can use a single agent to remote poll for all events as the maximum EPS for remote polling is 5,000 EPS. However, users need to ensure the agent can consume resources on the host where the agent is installed. For more information, see Hardware and software requirements for WinCollect 10 hosts.
50 servers that generate 150 EPS each
Best option. WinCollect - WinCollect agents can remotely poll for these events. Multiple WinCollect agents are required because the remote polling maximum EPS is 3,000 per agent.
5 domain controllers that generate 2000 EPS each
Best option (WinCollect) WinCollect agents installed locally or remote polling the domain controller and be tuned for high event rate collecting in the log source configuration.

 

How does an administrator choose what protocol to use for Windows event collection?

New deployments or administrators adding Windows event collection to their QRadar deployment can use either MSRPC or WinCollect agents. WMI is considered a legacy protocol for Windows event collection. If agents, such as WinCollect or Snare are not allowed in the network, then the MSRPC protocol is the only option for remote polling with WMI deprecated for all QRadar users. For more information, see QRadar: End of life announcement for WMI-based Microsoft Windows Security Event Log protocols.







[{"Type":"SW","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtwAAA","label":"WinCollect"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)"}]

Document Information

Modified date:
06 September 2024

UID

swg21700170