IBM Support

WinCollect: A second log source might get auto-detected when manually creating an MS Windows Security Event log source

Troubleshooting


Problem

The issue can occur when a new WinCollect agent is installed without a log source being created for it first. If a Microsoft® Windows® Security Event Log log source is then created manually and deployed, events from the Windows server might not be associated with that manually created log source.

Symptom

After you manually create an MS Windows Security Event Log log source and deploy the change, no events appear to be associated with it.
On closer inspection, the events are going to an auto-detected log source, and there are two MS Windows Security Event Log log sources with the same Log Source Identifier (LSI).

Cause

If the deployment on the QRadar Console takes longer than the WinCollect agent takes to apply its new configuration, the agent starts sending events before the manually created log source is active. Because no active log source matches the incoming events yet, log source autodetection creates one, so the same LSI ends up with a second, auto-detected log source. This race condition is what produces the duplicate.

Diagnosing The Problem

  1. Log in to the QRadar GUI.
  2. Open the parsing order view: Admin > Log Source Parsing Order.
  3. In Log Source Host, select the Log Source Identifier (LSI) of your manually created MS Windows Security Event Log log source. Two log sources with the same LSI are listed.

Resolving The Problem

There are two ways to resolve the issue. Method A fixes the affected host; method B also prevents the problem for hosts you add later. Use method A alone, or both, depending on your requirements.
A. Disable or delete the auto-detected log source
  1. Open the Log Source Management (LSM) app from Admin > Log Sources.
  2. Optional: In the left panel, enable the filter Microsoft Windows Security Event Log.
  3. Optional: Enable the WinCollect Agent (for managed agents) or Target Event Collector filter to find your log source more easily.
  4. Look up your manually created MS Windows Security Event Log log source. Again, two log sources with the same LSI are listed.
  5. Disable the auto-detected log source so that no further events are associated with it. Deleting it has the same effect, but if it already received events you need, deleting the log source makes those events harder to search for. The safer option is to disable the log source now and delete it after the event retention period expires.
B. Raise the autodetection threshold for the Microsoft Windows Security Event Log DSM in the DSM Editor
  1. Log in to the QRadar GUI.
  2. Open the DSM Editor.
  3. Select the Microsoft Windows Security Event Log DSM.
  4. Click the Configuration tab.
  5. Under Log Source Autodetection Configuration, click Show Advanced Options.
  6. Increase Minimum Successful Events for Autodetection to a value that gives the deployment time to complete before autodetection triggers. Note: this setting applies to every Windows host that you integrate in the future, so a value that is too high delays autodetection for hosts that you do want auto-detected.

Result: The Windows events are associated with the manually created log source.
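The diagnosis and method A above are GUI steps for one host. The following script, an added example that is not IBM code and is not part of this technote, does the same check across the whole deployment: it groups log sources by type and LSI, reports every LSI that has more than one log source, and proposes disabling (not deleting) the auto-discovered duplicate where exactly one enabled, manually created log source exists for that LSI. It assumes the QRadar REST endpoint /api/config/event_sources/log_source_management/log_sources, a SEC header carrying an authorized-service token, and the log source fields id, name, type_id, log_source_identifier, enabled and auto_discovered; the sample records and the type_id value 12 are constructed placeholders. Verify the endpoint, the field names and whether a Deploy Changes is required after the update against the API documentation for your QRadar version before running it against a production console.

```python
"""Find duplicate (auto-detected) log sources that share an LSI and plan which to disable.

Added example, not IBM code. Endpoint path, SEC header and field names are assumptions;
check them against the QRadar REST API documentation for your version.
"""
import json
import ssl
import urllib.request
from collections import defaultdict

# Constructed sample of what the log_sources endpoint returns (only the fields used here).
# type_id 12 is a placeholder for the Windows Security Event Log type, not a verified value.
SAMPLE_LOG_SOURCES = [
    {"id": 101, "name": "WindowsAuthServer @ dc01.example.com",
     "type_id": 12, "log_source_identifier": "dc01.example.com",
     "enabled": True, "auto_discovered": False},   # created by hand, deployed late
    {"id": 102, "name": "WindowsAuthServer @ dc01.example.com",
     "type_id": 12, "log_source_identifier": "dc01.example.com",
     "enabled": True, "auto_discovered": True},    # the race-condition duplicate
    {"id": 103, "name": "WindowsAuthServer @ srv02.example.com",
     "type_id": 12, "log_source_identifier": "srv02.example.com",
     "enabled": True, "auto_discovered": True},    # single auto-detected source: fine
    {"id": 104, "name": "WindowsAuthServer @ dc03.example.com",
     "type_id": 12, "log_source_identifier": "dc03.example.com",
     "enabled": True, "auto_discovered": False},
    {"id": 105, "name": "WindowsAuthServer @ dc03.example.com",
     "type_id": 12, "log_source_identifier": "dc03.example.com",
     "enabled": False, "auto_discovered": True},   # duplicate already disabled: skip
]


def find_duplicate_lsis(log_sources):
    """Group log sources by (type_id, LSI) and return only the groups with more than one member."""
    groups = defaultdict(list)
    for ls in log_sources:
        groups[(ls["type_id"], ls["log_source_identifier"].lower())].append(ls)
    return {key: members for key, members in groups.items() if len(members) > 1}


def plan_disables(log_sources):
    """Return ids of enabled, auto-discovered log sources that duplicate exactly one enabled,
    manually created log source with the same LSI. Groups with no manual member, or with
    more than one, are left for a human to inspect rather than changed automatically."""
    to_disable = []
    for members in find_duplicate_lsis(log_sources).values():
        manual = [m for m in members if not m["auto_discovered"] and m["enabled"]]
        if len(manual) != 1:
            continue
        to_disable.extend(m["id"] for m in members if m["auto_discovered"] and m["enabled"])
    return sorted(to_disable)


def _request(console, token, path, body=None, verify_tls=True):
    """Minimal QRadar REST call; the SEC header carries the authorized-service token (assumed)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"https://{console}{path}", data=data,
                                 method="GET" if body is None else "POST")
    req.add_header("SEC", token)
    req.add_header("Accept", "application/json")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab consoles with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def fetch_log_sources(console, token, verify_tls=True):
    """GET all log sources with just the fields this script needs (endpoint path assumed)."""
    path = ("/api/config/event_sources/log_source_management/log_sources"
            "?fields=id,name,type_id,log_source_identifier,enabled,auto_discovered")
    return _request(console, token, path, verify_tls=verify_tls)


def disable_log_source(console, token, ls_id, verify_tls=True):
    """Disable one log source by id; a Deploy Changes may still be needed afterwards (assumed)."""
    path = f"/api/config/event_sources/log_source_management/log_sources/{ls_id}"
    return _request(console, token, path, body={"enabled": False}, verify_tls=verify_tls)


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_log_sources(...) for a live console.
    for (type_id, lsi), members in find_duplicate_lsis(SAMPLE_LOG_SOURCES).items():
        ids = ", ".join(f"{m['id']}{' (auto)' if m['auto_discovered'] else ''}" for m in members)
        print(f"type {type_id} LSI {lsi}: {ids}")
    print("would disable:", plan_disables(SAMPLE_LOG_SOURCES))
```

Run it once without disable_log_source, review the printed plan, and only then call disable_log_source for each id. The script deliberately never deletes anything, for the reason given in step 5 of method A: events already stored under the auto-detected log source stay searchable while it is merely disabled.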

Document Location

Worldwide

Product: IBM Security QRadar SIEM (Security Software)
Category: WinCollect
Platform: Platform Independent
Version: All Versions

Document Information

Modified date:
10 November 2023

UID

ibm17070591