IBM QRadar

  • 1.  DLC configuration

    Posted Thu October 09, 2025 01:41 AM

    Hi QRadar experts,

    I'm testing IBM QRadar's Disconnected Log Collector and want to understand how it works in practice, especially with Windows logs via WinCollect (and whether there are alternatives to WinCollect).

    Questions

    1. For new Windows log sources that will send events to DLC, do I need to configure each source on the DLC side, or will DLC reject events that aren't defined in its config?

    2. In the WindowsEventLog template's README I see username and password parameters. Which account should be used here? If WinCollect only forwards logs to DLC from the local host, why are credentials required?

    3. I don't see an XPath parameter in the DLC Windows template. Does that mean DLC can only handle default Windows channels (Security/System/Application) and not Sysmon/PowerShell/WMI etc.?


    Thanks



    ------------------------------
    Vydenis Kucinskas
    ------------------------------


  • 2.  RE: DLC configuration

    Posted Fri October 10, 2025 09:40 AM

     The main question is whether you really need a DLC. 

    QRadar has 3 collectors - EventCollector (EC), Disconnected Log Collector (DLC) and WinCollect. They have a lot in common and some differences. WinCollect is a collector agent, specifically for collecting Windows events. DLC is a lightweight general collector. EC is the most feature rich collector, which is also managed and has parsing and normalization built in.

    While it is possible to send events from WinCollect to DLC to QRadar, there has to be a good reason to introduce this path and complexity. What are you trying to achieve? 



    ------------------------------
    Perf1
    ------------------------------



  • 3.  RE: DLC configuration

    Posted Tue October 14, 2025 12:57 AM

    Hi,

    I'm testing DLC log collection in the DMZ. To better understand the setup, our goal is to collect logs from endpoints (laptops) regardless of their location or VPN connection status - similar to how XDR/EDR agents send logs directly to the cloud.

    We want to implement a similar approach, where agents forward their logs to the DLC using WinCollect (or maybe other solution).

    In my opinion, the EC/EP setup is not as secure as the DLC for this purpose.

    P.S. I understand that XDR/EDR solutions would handle log collection and aggregation more effectively, but let's assume XDR/EDR is not an option in this scenario.

    BR



    ------------------------------
    Vydenis Kucinskas
    ------------------------------



  • 4.  RE: DLC configuration

    Posted 19 days ago

    Hi Vydenis,

    1. DLC can receive plaintext syslog over UDP or TCP from any source, similar to a QRadar console/EP/EC. So you can just direct WinCollect's syslog stream at the DLC and it will forward the events along to the downstream QRadar; there is no need to configure each source on the DLC. If you are sending TLS syslog from WinCollect, then it is necessary to configure a single TLS Syslog instance on the DLC to act as the receiver for the TLS syslog streams, but again it is not necessary to configure something for each WinCollect agent or Windows endpoint.
    2. It's not clear if you're referring to the template on WinCollect or on the DLC.
      1. If you're referring to WinCollect, it has the ability to either read logs from the local system or remotely connect to other Windows systems. The former would be used if you are deploying a WinCollect agent on every Windows host from which you wish to obtain logs. The latter would be used if you want to install an agent on one Windows system and have it collect data from multiple other systems, thus not requiring an agent to be installed on those systems. The account credentials are only required if you wish to do remote collection.
      2. If you're referring to the DLC's config file, this is not for WinCollect. As an alternative to agent-based collection (WinCollect), QRadar (and DLC) have a protocol (connector) that handles agentless Windows event collection by remotely connecting to Windows systems from the QRadar/DLC host via the MS-RPC protocol. This would obviously require Windows credentials.
    3. The agentless option is limited to the Security, System, Application, DNS Server, File Replication Service, and Directory Service logs, regardless of whether it's running on DLC or on QRadar. WinCollect can collect logs from anything definable via XPath and send to DLC though.

    Cheers

    Colin



    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
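Added example, not part of the thread and not IBM's or WinCollect's own code: Colin's third point is that WinCollect, unlike the agentless MS-RPC connector, can collect any channel you can express as an XPath query. Before pasting a query into an agent's log source configuration (assumed here to be the WinCollect log source's XPath Query field), it is worth running the same structured query locally with Get-WinEvent, which evaluates it through the same event log service the agent uses. The channel names below are the standard ones for Sysmon and PowerShell script block logging; they only return events if Sysmon is installed and script block logging is enabled on the host.

```powershell
# Added example (not from the forum thread or any IBM product code).
# Assumptions: Sysmon is installed under its default channel name, and
# PowerShell script block logging (event 4104) is enabled by policy.

# Structured XML query: several channels in one query list, each narrowed by event ID.
# Sysmon 1 = process create, 3 = network connect, 11 = file create.
$query = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*[System[(EventID=1 or EventID=3 or EventID=11)]]</Select>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-PowerShell/Operational">
    <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4104)]]</Select>
  </Query>
</QueryList>
'@

# Step 1: confirm each channel referenced by the query exists and is enabled.
# A query against a missing or disabled channel silently returns nothing,
# which is easy to mistake for "no matching activity" once it is in production.
$channels = @('Microsoft-Windows-Sysmon/Operational',
              'Microsoft-Windows-PowerShell/Operational')
foreach ($ch in $channels) {
    try {
        $log = Get-WinEvent -ListLog $ch -ErrorAction Stop
        '{0}: enabled={1} records={2} maxSizeKB={3}' -f `
            $ch, $log.IsEnabled, $log.RecordCount, [int]($log.MaximumSizeInBytes / 1KB)
    }
    catch {
        Write-Warning "Channel '$ch' is not present on this host: $($_.Exception.Message)"
    }
}

# Step 2: run the query exactly as written. -FilterXml takes an XmlDocument,
# so the here-string is cast to [xml]. SilentlyContinue avoids a terminating
# error when nothing matches, which is a valid result on a quiet host.
$events = Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 50 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'Query is well-formed but returned no events; check audit policy and channel state.'
}
else {
    # Summarise per channel/ID so you can see which Select clauses are actually firing.
    $events |
        Group-Object LogName, Id |
        Select-Object @{n='Channel/ID'; e={$_.Name}}, Count |
        Sort-Object Count -Descending |
        Format-Table -AutoSize
}
```

If a channel is reported as missing or disabled, fix that on the endpoint first (install Sysmon, or turn on the relevant logging policy); no XPath change on the agent or the DLC will recover events that were never written. The same pattern extends to other non-default channels Colin's answer covers implicitly, for example WMI activity under Microsoft-Windows-WMI-Activity/Operational.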