IBM QRadar


Changing the target event collector (Data gateway) for a log source

  • 1.  Changing the target event collector (Data gateway) for a log source

    Posted Wed April 22, 2020 08:23 AM
    Hi All,

    We have a requirement to change the data gateway (target event collector) for a log source (we have 3 data gateways in our environment).
    We use the Log Source Management app to manage log sources, and we are using QROC. My doubt is as below:

    When I check a particular Windows log source in the Log Source Management app, I see two log sources with the same name, for example (xyz is the name of the server):
    Wincollect@xyz
    WindowsAuthServer@xyz

    The first one I cannot edit and the second one I can edit.
    Why are these two showing in the log sources list (why not one log source only)?

    Regards
    Asif Siddiqui


    ------------------------------
    Asif Siddiqui Senior Security Analyst
    ------------------------------


  • 2.  RE: Changing the target event collector (Data gateway) for a log source

    Posted Thu April 23, 2020 10:34 AM

    Hi Asif,

    The WindowsAuthServer log source is for the Windows events you are collecting, it is a typical log source that you can create/edit/delete.

    The WinCollect log source is for collecting system/health events from WinCollect itself, similar to the System Notification and Health Metrics log sources that collect data from QRadar itself. These are all considered "internal" log source types so they cannot be modified or deleted by end users. You can hide them in the Log Source Management app by using the "Internal" filter on the left side of the interface.

    We do have a change planned to make the WinCollect log sources deletable only, so that if an unmanaged WinCollect agent triggers autodetection of one of those log sources, but the agent is later decommissioned, the corresponding log source can be removed. Note that in a managed WinCollect scenario, if the agent is deleted from QRadar, the corresponding WinCollect log source will automatically be deleted too.

    Cheers
    Colin



    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
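The distinction above (the internal WinCollect@host entry is read-only, the WindowsAuthServer@host entry is the one whose target event collector you change) can also be handled outside the app. The script below is an added example, not code from the thread or from IBM: it assumes the Log Source Management REST endpoint `/api/config/event_sources/log_source_management/log_sources`, the `SEC` token header, and the `internal` and `target_event_collector_id` fields of a log source object, and it works on constructed sample data so it runs offline.

```python
"""Pick the editable log source for a host and build the update that moves it
to another event collector (data gateway). Added example, not IBM's code."""
import json
import urllib.request

# Constructed sample of what the log source listing returns for host "xyz".
# Field names follow the log_source_management API as assumed in the lead-in;
# verify them against the API docs of your QRadar version.
SAMPLE_LOG_SOURCES = [
    {"id": 101, "name": "WinCollect@xyz", "internal": True,
     "target_event_collector_id": 7},
    {"id": 102, "name": "WindowsAuthServer@xyz", "internal": False,
     "target_event_collector_id": 7},
]


def editable_log_sources(log_sources, host):
    """Return the non-internal log sources that belong to `host`.
    Internal ones (WinCollect@host, System Notification, ...) cannot be edited."""
    return [ls for ls in log_sources
            if ls["name"].endswith("@" + host) and not ls.get("internal", False)]


def build_move_update(log_source, new_collector_id):
    """Return the JSON body that moves `log_source` to `new_collector_id`,
    or None when it is already collected there. Refuses internal sources."""
    if log_source.get("internal"):
        raise ValueError(f"{log_source['name']} is internal and cannot be edited")
    if log_source["target_event_collector_id"] == new_collector_id:
        return None
    return {"target_event_collector_id": new_collector_id}


def move_log_source(console, token, log_source, new_collector_id, api_version="12.0"):
    """POST the update to the assumed endpoint (needs network; a Deploy Changes
    is still required in the console afterwards)."""
    body = build_move_update(log_source, new_collector_id)
    if body is None:
        return None
    url = (f"https://{console}/api/config/event_sources/log_source_management/"
           f"log_sources/{log_source['id']}")
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"SEC": token, "Version": api_version,
                 "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for ls in editable_log_sources(SAMPLE_LOG_SOURCES, "xyz"):
        print(ls["name"], "->", build_move_update(ls, 9))
```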