IBM Support

QRadar APAR IJ07877: Resolving account lockout issues for bulk added Windows log sources

Troubleshooting


Problem

Active Directory (AD) service accounts used by bulk added Windows log sources (WinCollect or MSRPC) can become locked out after one of the associated bulk added log sources is deleted, as described in APAR IJ07877. Starting with v2.0.0, the QRadar Log Source Management app can bulk edit log sources through QRadar's log source API, which avoids the lockout that can occur when the legacy log source user interface is used. Administrators experiencing service account lockouts related to Windows log sources can use the Log Source Management app to edit the bulk added log sources and prevent this issue.

Resolving The Problem

The QRadar Log Source Management app is the recommended method to update the passwords of bulk added log sources. The app uses the QRadar log source API (/config/event_sources/log_source_management/) to update the database, which resolves these password lockout issues for administrators.


Before you begin
The QRadar Log Source Management application must be installed. An administrator user role is required to install the Log Source Management app for QRadar. If your user role was recently changed to administrator, log out and log back in to the QRadar Console before editing log sources. To download the QRadar Assistant App, see: https://exchange.xforce.ibmcloud.com/hub/extension/8169c48dc992961acb8f963cdcf56faa.

NOTE: If you are a QRadar on Cloud user, contact QRadar Support for assistance.


Procedure

  1. To open the QRadar Log Source Management app, on the Admin tab, click the QRadar Log Source Management icon.
  2. Filter by the WinCollect Agent.
  3. Select check boxes to filter for the following options:
    1. Log Source Type is Microsoft Windows Security Event Log.
    2. Protocol Type can be of any type, such as WinCollect or Microsoft Windows Security Event Log over MSRPC.
       The log sources are filtered to match the criteria.
  4. Select the log sources experiencing the account lockout issue.
  5. Click Edit to open the Log Source Summary tray and select the Protocol tab.
  6. Select the check box for the Password field to enable it.
     Note: In the QRadar Log Source Management app v2.0.0 there is a field to verify the entered password. Users who select either password field are prompted to type and confirm the password for the log source configuration.
  7. Update the password for the service account and click Save.
  8. A popup warning informs you that legacy bulk added log sources, once edited here, can only be edited in the future by using the QRadar Log Source Management app.
  9. Click Proceed. The status is displayed with a summary of the log sources that were updated.
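The same update can be scripted against the log source API that the app uses. The following Python script is an added example for this article, not IBM's code and not the app's code. It selects log sources of type Microsoft Windows Security Event Log regardless of protocol (WinCollect or MSRPC), rewrites only the password protocol parameter, and reports the changes as a dry run unless --apply is given. The endpoint path, the filter syntax, the type ID 12, the protocol parameter name "password", the protocol_type_id values and the Version header value are assumptions; confirm them against the API documentation on your own console (/api_doc) before running it. The sample log source records are constructed for illustration.

```python
"""Bulk password update for Windows log sources through the QRadar REST API.

Added example for APAR IJ07877, not IBM code. Assumptions to verify on /api_doc:
  * endpoint: /api/config/event_sources/log_source_management/log_sources
  * credentials live in protocol_parameters as {"name", "value"} entries and
    the service-account password entry is named "password"
  * an update is POST .../log_sources/{id} with the changed fields
  * the SEC header carries an authorized service token with admin capability
"""
import json
import os
import ssl
import sys
import urllib.request
from urllib.parse import urlencode

API_BASE = "/api/config/event_sources/log_source_management/log_sources"  # assumption
WINDOWS_SECURITY_TYPE_ID = 12   # assumption: check /log_source_types on your console
PASSWORD_PARAM = "password"     # assumption: parameter name used by WinCollect and MSRPC

# Constructed sample shaped like the GET response; IDs and hosts are not real data.
SAMPLE_LOG_SOURCES = [
    {"id": 101, "name": "WinCollect @ dc01", "type_id": 12, "protocol_type_id": 19,
     "protocol_parameters": [{"id": 1, "name": "server_address", "value": "dc01.example.internal"},
                             {"id": 2, "name": "username", "value": "EXAMPLE\\svc-qradar"},
                             {"id": 3, "name": "password", "value": "********"}]},
    {"id": 102, "name": "MSRPC @ fs01", "type_id": 12, "protocol_type_id": 42,
     "protocol_parameters": [{"id": 1, "name": "server_address", "value": "fs01.example.internal"},
                             {"id": 2, "name": "username", "value": "EXAMPLE\\svc-qradar"},
                             {"id": 3, "name": "password", "value": "********"}]},
    {"id": 103, "name": "Linux syslog", "type_id": 11, "protocol_type_id": 0,
     "protocol_parameters": [{"id": 1, "name": "identifier", "value": "lx01"}]},
]


def select_windows_log_sources(log_sources, type_id=WINDOWS_SECURITY_TYPE_ID, names=None):
    """Steps 3 and 4: keep log sources of the Windows Security type, whatever
    protocol they use, optionally narrowed to an explicit list of names."""
    wanted = set(names) if names else None
    return [ls for ls in log_sources
            if ls.get("type_id") == type_id and (wanted is None or ls.get("name") in wanted)]


def password_update_body(log_source, new_password, param=PASSWORD_PARAM):
    """Steps 6 and 7: copy protocol_parameters, replacing only the password value.
    Every other parameter is resent unchanged so the update never blanks a field.
    Raises KeyError instead of silently skipping a source with no password field."""
    params = log_source.get("protocol_parameters") or []
    if not any(p.get("name") == param for p in params):
        raise KeyError(f"log source {log_source.get('id')} has no '{param}' protocol parameter")
    return {"protocol_parameters": [
        {**p, "value": new_password} if p.get("name") == param else dict(p) for p in params]}


class QRadarClient:
    """Minimal REST client; verify=False is only for lab consoles with self-signed certs."""

    def __init__(self, console, token, version="12.0", verify=True):  # version is an assumption
        self.console = console.rstrip("/")
        self.headers = {"SEC": token, "Version": version,
                        "Accept": "application/json", "Content-Type": "application/json"}
        self.ctx = ssl.create_default_context()
        if not verify:
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.console + path, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read() or b"null")

    def list_log_sources(self, type_id):
        query = urlencode({"filter": f"type_id={type_id}",
                           "fields": "id,name,type_id,protocol_type_id,protocol_parameters"})
        return self._request("GET", f"{API_BASE}?{query}")

    def update_log_source(self, ls_id, body):
        return self._request("POST", f"{API_BASE}/{ls_id}", body)


def rotate_passwords(client, new_password, names=None, apply=False):
    """Dry run by default: list what would change; with apply=True push each update."""
    targets = select_windows_log_sources(client.list_log_sources(WINDOWS_SECURITY_TYPE_ID), names=names)
    results = []
    for ls in targets:
        body = password_update_body(ls, new_password)   # build first so a bad record aborts before any write
        if apply:
            client.update_log_source(ls["id"], body)
        results.append((ls["id"], ls["name"], "updated" if apply else "would update"))
    return results


if __name__ == "__main__":
    # Usage: QRADAR_TOKEN=... NEW_LS_PASSWORD=... python rotate_ls_password.py https://console [--apply] [name ...]
    console, *rest = sys.argv[1:]
    names = [a for a in rest if a != "--apply"] or None
    client = QRadarClient(console, os.environ["QRADAR_TOKEN"])   # secrets come from the environment, not argv
    for ls_id, name, status in rotate_passwords(client, os.environ["NEW_LS_PASSWORD"], names, "--apply" in rest):
        print(f"{ls_id}\t{name}\t{status}")
```

Run it once without --apply and compare the listed log sources with the set that shares the service account; any source left on the old password will lock the account again as soon as it is unlocked. The warning in step 8 applies here as well: once a legacy bulk added log source has been rewritten through the API, manage it through the Log Source Management app rather than the legacy interface. On the Windows side, the domain controller's event ID 4740 (Caller Computer Name) identifies which host is still presenting the old password, and the account can be checked and cleared with Search-ADAccount -LockedOut and Unlock-ADAccount.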



Results
After every log source that uses the service account has been updated with the new password, the Windows administrator can unlock the service account. If any log source still holds the old password, it will lock the account again after it is unlocked. Once the account is unlocked, the log sources begin to report data from the remote Windows hosts.


Document Information

Modified date:
20 December 2018

UID

ibm10743761