All the documentation I've seen talks about deploying Wincollect with the included XPATH query, but I can't find anything on how to deploy an XPATH query at a large scale after the managed Wincollect client is already installed/configured.  Is there a way to do this?  Is it as simple as deploying a new config file locally to the agents?  If so, which file is edited, is it agentconfig.xml?

I don't want to have to touch every single log source in my console to add the XPATH query.  That is not manageable.

Thanks for any ideas!

------------------------------
Angie
------------------------------

Hi Angie,

If your agents are managed by QRadar, you can use the Log Source Management app to make bulk changes to log sources, including the XPath query parameter when dealing with log sources with Protocol Type=WinCollect.

Cheers
Colin

------------------------------
COLIN HAY
IBM Security
------------------------------

Original Message:
Sent: Tue December 15, 2020 01:01 PM
From: Angie Urtel
Subject: How to deploy XPATH query after installation

All the documentation I've seen talks about deploying Wincollect with the included XPATH query, but I can't find anything on how to deploy an XPATH query at a large scale after the managed Wincollect client is already installed/configured.  Is there a way to do this?  Is it as simple as deploying a new config file locally to the agents?  If so, which file is edited, is it agentconfig.xml?

I don't want to have to touch every single log source in my console to add the XPATH query.  That is not manageable.

Thanks for any ideas!

------------------------------
Angie
------------------------------

Thank you @COLIN HAY I forgot that functionality is now available in the Log Source Mgmt App.
​

------------------------------
Angie
------------------------------

Original Message:
Sent: Wed December 16, 2020 02:12 AM
From: COLIN HAY
Subject: How to deploy XPATH query after installation

Hi Angie,

If your agents are managed by QRadar, you can use the Log Source Management app to make bulk changes to log sources, including the XPath query parameter when dealing with log sources with Protocol Type=WinCollect.

Cheers
Colin

------------------------------
COLIN HAY
IBM Security

Original Message:
Sent: Tue December 15, 2020 01:01 PM
From: Angie Urtel
Subject: How to deploy XPATH query after installation

All the documentation I've seen talks about deploying Wincollect with the included XPATH query, but I can't find anything on how to deploy an XPATH query at a large scale after the managed Wincollect client is already installed/configured.  Is there a way to do this?  Is it as simple as deploying a new config file locally to the agents?  If so, which file is edited, is it agentconfig.xml?

I don't want to have to touch every single log source in my console to add the XPATH query.  That is not manageable.

Thanks for any ideas!

------------------------------
Angie
------------------------------

Hello,

If it is unmanaged/standalone would you just plop the file on the server and do a service restart or maybe drop in a template?

------------------------------
Scott Searls
------------------------------

Original Message:
Sent: Wed December 16, 2020 02:12 AM
From: COLIN HAY
Subject: How to deploy XPATH query after installation

Hi Angie,

If your agents are managed by QRadar, you can use the Log Source Management app to make bulk changes to log sources, including the XPath query parameter when dealing with log sources with Protocol Type=WinCollect.

Cheers
Colin

------------------------------
COLIN HAY
IBM Security

Original Message:
Sent: Tue December 15, 2020 01:01 PM
From: Angie Urtel
Subject: How to deploy XPATH query after installation

All the documentation I've seen talks about deploying Wincollect with the included XPATH query, but I can't find anything on how to deploy an XPATH query at a large scale after the managed Wincollect client is already installed/configured.  Is there a way to do this?  Is it as simple as deploying a new config file locally to the agents?  If so, which file is edited, is it agentconfig.xml?

I don't want to have to touch every single log source in my console to add the XPATH query.  That is not manageable.

Thanks for any ideas!

------------------------------
Angie
------------------------------

Hi Scott,

For unmanaged/standalone yes you could update/replace the AgentConfig.xml file directly and restart the WinCollect service. There is a standalone config UI for WinCollect so you don't have to use the file directly, but if you're looking to make this change in bulk across many agents like Angie is, probably faster to automate it in some way buy pushing out a file update.

Cheers

Colin

------------------------------
COLIN HAY
IBM Security
------------------------------

Original Message:
Sent: Wed December 16, 2020 10:35 AM
From: Scott Searls
Subject: How to deploy XPATH query after installation

Hello,

If it is unmanaged/standalone would you just plop the file on the server and do a service restart or maybe drop in a template?

------------------------------
Scott Searls

Original Message:
Sent: Wed December 16, 2020 02:12 AM
From: COLIN HAY
Subject: How to deploy XPATH query after installation

Hi Angie,

If your agents are managed by QRadar, you can use the Log Source Management app to make bulk changes to log sources, including the XPath query parameter when dealing with log sources with Protocol Type=WinCollect.

Cheers
Colin

------------------------------
COLIN HAY
IBM Security

Original Message:
Sent: Tue December 15, 2020 01:01 PM
From: Angie Urtel
Subject: How to deploy XPATH query after installation

All the documentation I've seen talks about deploying Wincollect with the included XPATH query, but I can't find anything on how to deploy an XPATH query at a large scale after the managed Wincollect client is already installed/configured.  Is there a way to do this?  Is it as simple as deploying a new config file locally to the agents?  If so, which file is edited, is it agentconfig.xml?

I don't want to have to touch every single log source in my console to add the XPATH query.  That is not manageable.

Thanks for any ideas!

------------------------------
Angie
------------------------------

Colin, I assume I should be able to see the XPATH locally on the Wincollect agent, but I'm not seeing any data related to the query in the AgentConfig.xml file.  I used the exact XML syntax from creating a Custom View inside Event Viewer, edited the agent in Log Source Mgmt, and even restarted the Wincollect agent service.  Nothing appears to have been pushed to the agent.

------------------------------
Angie
------------------------------

Original Message:
Sent: Wed December 16, 2020 02:12 AM
From: COLIN HAY
Subject: How to deploy XPATH query after installation

Hi Angie,

If your agents are managed by QRadar, you can use the Log Source Management app to make bulk changes to log sources, including the XPath query parameter when dealing with log sources with Protocol Type=WinCollect.

Cheers
Colin

------------------------------
COLIN HAY
IBM Security

Original Message:
Sent: Tue December 15, 2020 01:01 PM
From: Angie Urtel
Subject: How to deploy XPATH query after installation

All the documentation I've seen talks about deploying Wincollect with the included XPATH query, but I can't find anything on how to deploy an XPATH query at a large scale after the managed Wincollect client is already installed/configured.  Is there a way to do this?  Is it as simple as deploying a new config file locally to the agents?  If so, which file is edited, is it agentconfig.xml?

I don't want to have to touch every single log source in my console to add the XPATH query.  That is not manageable.

Thanks for any ideas!

------------------------------
Angie
------------------------------

Original Message:
Sent: 12/21/2020 3:19:00 PM
From: Angie Urtel
Subject: RE: How to deploy XPATH query after installation

Colin, I assume I should be able to see the XPATH locally on the Wincollect agent, but I'm not seeing any data related to the query in the AgentConfig.xml file.  I used the exact XML syntax from creating a Custom View inside Event Viewer, edited the agent in Log Source Mgmt, and even restarted the Wincollect agent service.  Nothing appears to have been pushed to the agent.

------------------------------
Angie
------------------------------

Original Message:
Sent: Wed December 16, 2020 02:12 AM
From: COLIN HAY
Subject: How to deploy XPATH query after installation

Hi Angie,

If your agents are managed by QRadar, you can use the Log Source Management app to make bulk changes to log sources, including the XPath query parameter when dealing with log sources with Protocol Type=WinCollect.

Cheers
Colin

------------------------------
COLIN HAY
IBM Security

Original Message:
Sent: Tue December 15, 2020 01:01 PM
From: Angie Urtel
Subject: How to deploy XPATH query after installation

All the documentation I've seen talks about deploying Wincollect with the included XPATH query, but I can't find anything on how to deploy an XPATH query at a large scale after the managed Wincollect client is already installed/configured.  Is there a way to do this?  Is it as simple as deploying a new config file locally to the agents?  If so, which file is edited, is it agentconfig.xml?

I don't want to have to touch every single log source in my console to add the XPATH query.  That is not manageable.

Thanks for any ideas!

------------------------------
Angie
------------------------------

Thanks Scott. I found it. 

It appears line breaks are not appreciated.  As soon as I wrote the entire QueryList on one line, it worked as expected.

------------------------------
Angie
------------------------------

Original Message:
Sent: Mon December 21, 2020 03:24 PM
From: Scott Searls
Subject: How to deploy XPATH query after installation

It converts it to a base64 string.  Look for a line with base64 in it and decode with any base64 decoder and you will see your xpath query.

Let me know if you would like to see an example.

Regards,

Scott Searls

Original Message:
Sent: 12/21/2020 3:19:00 PM
From: Angie Urtel
Subject: RE: How to deploy XPATH query after installation

Colin, I assume I should be able to see the XPATH locally on the Wincollect agent, but I'm not seeing any data related to the query in the AgentConfig.xml file.  I used the exact XML syntax from creating a Custom View inside Event Viewer, edited the agent in Log Source Mgmt, and even restarted the Wincollect agent service.  Nothing appears to have been pushed to the agent.

------------------------------
Angie

Original Message:
Sent: Wed December 16, 2020 02:12 AM
From: COLIN HAY
Subject: How to deploy XPATH query after installation

Hi Angie,

If your agents are managed by QRadar, you can use the Log Source Management app to make bulk changes to log sources, including the XPath query parameter when dealing with log sources with Protocol Type=WinCollect.

Cheers
Colin

------------------------------
COLIN HAY
IBM Security

Original Message:
Sent: Tue December 15, 2020 01:01 PM
From: Angie Urtel
Subject: How to deploy XPATH query after installation

All the documentation I've seen talks about deploying Wincollect with the included XPATH query, but I can't find anything on how to deploy an XPATH query at a large scale after the managed Wincollect client is already installed/configured.  Is there a way to do this?  Is it as simple as deploying a new config file locally to the agents?  If so, which file is edited, is it agentconfig.xml?

I don't want to have to touch every single log source in my console to add the XPATH query.  That is not manageable.

Thanks for any ideas!

------------------------------
Angie
------------------------------