IBM QRadar

1. DLC configuration

    Posted 16 hours ago

    Hi QRadar experts,

    I'm testing IBM QRadar's Disconnected Log Collector and want to understand how it works in practice, especially with Windows logs via WinCollect (and whether there are alternatives to WinCollect).

    Questions

    1. For new Windows log sources that will send events to DLC, do I need to configure each source on the DLC side, or will DLC reject events that aren't defined in its config?

    2. In the WindowsEventLog template's README I see username and password parameters. Which account should be used here? If WinCollect only forwards logs to DLC from the local host, why are credentials required?

    3. I don't see an XPath parameter in the DLC Windows template. Does that mean DLC can only handle default Windows channels (Security/System/Application) and not Sysmon/PowerShell/WMI etc.?

    Thanks

    ------------------------------
    Vydenis Kucinskas
    ------------------------------