Question & Answer
Question
Why do some Windows events that are remotely polled by WinCollect unexpectedly report a Source and Destination IP address of the WinCollect agent itself?
Cause
Many Windows events contain no source or destination IP address information. When no source or destination can be determined, QRadar uses the IP address found in the event payload header as the source IP address. If there is no IP address in the header, QRadar uses the packet IP address, which is the address of the WinCollect agent. This issue can cause multiple events to appear as if they have a source or destination IP address of the WinCollect agent.
Answer
Currently, the only solution is to use the IP address of the remote Windows Server. The Log Source Identifier in the Log Source Configuration for any log source needs to be the correct IP address. If you experience issues with events that do not appear to parse or categorize properly, confirm that the event types are supported in the QRadar DSM Guide or contact QRadar Support for assistance.
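To make the fallback order concrete, here is an added example (Python, written for this page; it is not IBM's code and does not reproduce QRadar's or WinCollect's actual parsing). It models the attribution rule described under Cause, flags events whose resolved source collapses onto the agent's own address, and checks a Log Source Identifier against the requirement stated in the Answer. The `Event` fields, the `Source Network Address` parsing, the sample addresses, and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed scenario: one WinCollect agent at 192.0.2.50 polls remote
# Windows servers. `header_ip` stands in for the Log Source Identifier that
# QRadar finds in the payload header; the real payload layout is not modelled.
AGENT_IP = "192.0.2.50"

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Event:
    packet_ip: str             # address the packet arrived from (the agent)
    header_ip: Optional[str]   # IP carried in the payload header, if any
    payload: str               # event text; may or may not name a source IP


def payload_source_ip(payload: str) -> Optional[str]:
    """Return a source IP named in the event body, or None when there is none.

    Constructed rule: look for a 'Source Network Address' field as found in
    many Windows logon events. Windows writes '-' when the field does not
    apply (for example local logons), which counts as 'no IP in the event'.
    """
    m = re.search(r"Source Network Address:\s*(\S+)", payload)
    if not m:
        return None
    value = m.group(1)
    return value if _IPV4.fullmatch(value) else None


def resolve_source_ip(ev: Event) -> str:
    """Fallback order from the Cause section: event body, then payload
    header, then the packet address (the WinCollect agent itself)."""
    return payload_source_ip(ev.payload) or ev.header_ip or ev.packet_ip


def misattributed(events: List[Event], agent_ip: str) -> List[Event]:
    """Events whose resolved source is the agent's own address, which is the
    symptom a missing or wrong Log Source Identifier produces."""
    return [ev for ev in events if resolve_source_ip(ev) == agent_ip]


def identifier_is_remote_host(identifier: Optional[str], agent_ip: str) -> bool:
    """Configuration check for the Answer: the Log Source Identifier must be
    an IP address and must not be the WinCollect agent's own address."""
    return (
        bool(identifier)
        and _IPV4.fullmatch(identifier) is not None
        and identifier != agent_ip
    )


# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    # Network logon carrying its own address: attributed correctly either way.
    Event(AGENT_IP, None, "EventID=4624 Source Network Address: 198.51.100.7"),
    # Service event with no IP and no header IP: falls through to the agent.
    Event(AGENT_IP, None, "EventID=7036 The Print Spooler service entered the running state."),
    # Same event type, but the header carries the remote server's IP.
    Event(AGENT_IP, "192.0.2.10", "EventID=7036 The Print Spooler service entered the running state."),
    # Local logon: the field is present but '-', so the header IP is used.
    Event(AGENT_IP, "192.0.2.10", "EventID=4624 Source Network Address: -"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.payload[:14]:<14} -> source {resolve_source_ip(ev)}")
    bad = misattributed(SAMPLE_EVENTS, AGENT_IP)
    print(f"{len(bad)} event(s) attributed to the agent itself")
    print("identifier 192.0.2.10 ok:", identifier_is_remote_host("192.0.2.10", AGENT_IP))
    print("identifier = agent ok:", identifier_is_remote_host(AGENT_IP, AGENT_IP))
```

Running the script shows the second sample event resolving to the agent address while the third, identical except for the header IP, resolves to the remote server; `misattributed` is the kind of check a SOC engineer can run over normalized events to find log sources whose identifier still needs correcting.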
Document Information
Modified date: 30 June 2022
UID: swg21685243