Thank you for your reply. We checked and in our case the events are complete in the Forwarded Events of the Event Collector - so no Windows issue. We downgraded WinCollect to version 10.1.9.21 and the events are complete now in QRadar. So it's definitely a WinCollect issue.
Original Message:
Sent: Wed December 11, 2024 02:29 AM
From: Reinhard Westerholt
Subject: Debug Partial AppLocker Log Messages
Hi Bernhard,
I have tested this with WinCollect 10.1.10.11, 10.1.11.19 and 10.1.12.15. The problem was always the same. After working on this with IBM Support and Microsoft Support for a very long time, I am quite sure that this is a bug in the Windows version we use. The message attribute is already empty in the ForwardedEvents of the Win Event Collector, so it's not a problem of WinCollect.
If it works for you with a dedicated WinCollect version, maybe it's not the same problem.
Kind Regards,
Reinhard
------------------------------
Reinhard Westerholt
Original Message:
Sent: Tue December 10, 2024 03:07 AM
From: Bernhard Schmid
Subject: Debug Partial AppLocker Log Messages
We are currently experiencing the same issue - but only with WinCollect 10.1.2.15. The events forwarded by WinCollect version 10.1.9.21 are complete. Which WinCollect version do you have in use?
------------------------------
Bernhard Schmid
Wien Digital
Wien
+431400072240
Original Message:
Sent: Mon June 10, 2024 04:34 AM
From: Reinhard Westerholt
Subject: Debug Partial AppLocker Log Messages
Thanks for the information! WinCollect is already sending over TCP.
I have configured WinCollect to show Trace Messages and can see that the logs forwarded to QRadar are already incomplete. It looks like this:
Event: AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-AppLocker/EXE and DLL PluginVersion=WC.MSEVEN6.10.1.10.11 Source=Microsoft-Windows-AppLocker Computer=sys01.dom OriginatingComputer=10.10.10.100 User=SYSTEM Domain=NT AUTHORITY EventID=8002 EventIDCode=8002 EventType=4 EventCategory=0 RecordNumber=15068 TimeGenerated=1718005919 TimeWritten=1718005919 Level=Informational Keywords=0 Task=None Opcode=Info Message=
I can see the same event in Microsoft Event Viewer, and in the XML view there are 3 main categories: System, UserData and RenderingInfo. It seems that everything under UserData is missing. It seems that all other events have EventData instead of UserData, so maybe that's the problem. But this is how Microsoft creates the logs. Is there a way to solve this so that WinCollect interprets the information under UserData?
------------------------------
Reinhard Westerholt
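The two checks the posters above are doing by hand (reading the WinCollect trace line for an empty Message, and opening the event XML on the collector to see whether the UserData part survived) can be scripted. The block below is an added example for this thread, not code from IBM, WinCollect or any poster. The trace line is the one quoted above; the two event XML documents are constructed from the element layout the post describes (a System header, then RuleAndFileData under UserData for AppLocker 8002, versus Data elements under EventData for an ordinary event) and are not real captured events. On a collector the XML for real events would come from Event Viewer's XML view or from (Get-WinEvent -LogName ForwardedEvents ...).ToXml().

```python
"""
Two checks for the "empty Message" symptom discussed in this thread.

parse_wincollect_trace()  splits a WinCollect trace line of the form
    "Event: key=value key=value ... Message=..." into a dict so a script
    can flag events whose Message attribute is empty.
event_specific_fields()   takes the XML of one Windows event and returns
    the event-specific fields whether they live under <EventData> (most
    channels) or under <UserData> (AppLocker events keep them in a
    RuleAndFileData element there).
All sample inputs below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed: the trace line quoted in the thread (Message is empty).
SAMPLE_TRACE = (
    "Event: AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-AppLocker/EXE and DLL "
    "PluginVersion=WC.MSEVEN6.10.1.10.11 Source=Microsoft-Windows-AppLocker "
    "Computer=sys01.dom OriginatingComputer=10.10.10.100 User=SYSTEM Domain=NT AUTHORITY "
    "EventID=8002 EventIDCode=8002 EventType=4 EventCategory=0 RecordNumber=15068 "
    "TimeGenerated=1718005919 TimeWritten=1718005919 Level=Informational Keywords=0 "
    "Task=None Opcode=Info Message="
)

# Constructed AppLocker 8002 event: event-specific data sits under <UserData>.
SAMPLE_APPLOCKER_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker"/>
    <EventID>8002</EventID>
    <Computer>sys01.dom</Computer>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <RuleName>(Default Rule) All files located in the Program Files folder</RuleName>
      <TargetUser>S-1-5-18</TargetUser>
      <TargetProcessId>4242</TargetProcessId>
      <FilePath>%PROGRAMFILES%\EXAMPLE\APP.EXE</FilePath>
    </RuleAndFileData>
  </UserData>
</Event>"""

# Constructed ordinary event: event-specific data sits under <EventData>.
SAMPLE_EVENTDATA_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><Computer>sys01.dom</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>"""


def parse_wincollect_trace(line: str) -> dict:
    """Split 'Event: k=v k=v ... Message=...' into a dict.

    Values may contain spaces ("EXE and DLL", "NT AUTHORITY"), so each value
    runs until the next ' key=' token.  Message is always last and may itself
    contain 'key=value' text, so it is split off before the regex pass.
    """
    body = line.strip()
    if body.startswith("Event:"):
        body = body[len("Event:"):].strip()
    head, sep, message = body.partition(" Message=")
    fields = {m.group(1): m.group(2).strip()
              for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", head, re.S)}
    if sep:
        fields["Message"] = message.strip()
    return fields


def message_is_empty(fields: dict) -> bool:
    """True when the trace line carried no rendered message text."""
    return fields.get("Message", "") == ""


def event_specific_fields(event_xml: str) -> dict:
    """Collect event-specific fields from <EventData> and/or <UserData>."""
    root = ET.fromstring(event_xml)
    fields = {}
    event_data = root.find(EVT_NS + "EventData")
    if event_data is not None:
        for i, data in enumerate(event_data):
            fields[data.get("Name") or f"Data{i}"] = (data.text or "").strip()
    user_data = root.find(EVT_NS + "UserData")
    if user_data is not None:
        # UserData wraps a provider-specific container (RuleAndFileData for
        # AppLocker) whose children are the actual fields; drop the namespace.
        for container in user_data:
            for child in container:
                fields[child.tag.rsplit("}", 1)[-1]] = (child.text or "").strip()
    return fields


def event_is_complete(event_xml: str) -> bool:
    """The check done on the collector: does the stored event still carry
    event-specific fields, or only the <System> header?"""
    return bool(event_specific_fields(event_xml))


if __name__ == "__main__":
    t = parse_wincollect_trace(SAMPLE_TRACE)
    print("trace EventID", t["EventID"], "Message empty:", message_is_empty(t))
    for name, xml in (("AppLocker", SAMPLE_APPLOCKER_XML), ("4688", SAMPLE_EVENTDATA_XML)):
        print(name, "complete:", event_is_complete(xml), event_specific_fields(xml))
```

Running event_is_complete() over the events exported from ForwardedEvents on the collector, and message_is_empty() over the WinCollect trace log for the same RecordNumber, separates the two cases the thread ends up with: fields present at the collector but Message empty in the trace points at the agent, while an event that is already reduced to its System header on the collector points at Windows forwarding.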
Original Message:
Sent: Fri June 07, 2024 08:15 AM
From: Comghall Morgan
Subject: Debug Partial AppLocker Log Messages
Hello,
I would ask: are you sending from the Win Event Collector to QRadar via UDP or TCP?
If you are using UDP, I would suggest you try TCP.
You can increase debug on QRadar and the WinCollect Agent by following these URLs:
https://www.ibm.com/support/pages/node/6426883
https://www.ibm.com/support/pages/qradar%C2%AE-how-enable-debug-logging-wincollect
You can also use tcpdump on the QRadar Host to capture the raw events coming from WinCollect and then use the Wireshark application to view these:
https://www.ibm.com/support/pages/qradar-using-tcpdump-and-wireshark-troubleshoot-and-analyze-ibm-security-qradar-siem-0
Use the IP address of the WinCollect Agent and the port it's sending to in the tcpdump command.
In this way you can view what raw packets are being received.
Regards
------------------------------
Comghall Morgan
QRadar Support Architect
IBM
Original Message:
Sent: Wed June 05, 2024 03:55 AM
From: Reinhard Westerholt
Subject: Debug Partial AppLocker Log Messages
Hello all,
I have the following scenario. I have systems that forward the Windows AppLocker Log to a Win Event Collector, and there it is collected by WinCollect.
In QRadar the logs are shown, but missing all event-specific attributes like filename. Even in the payload these attributes are missing; the message attribute is always empty. Only the main event attributes like system name, event ID, event category etc. are available. In the forwarded logs on the Win Event Collector the messages are complete. How can I debug where/why the event-specific information got lost?
Thanks in advance!