Hi Ming,
We also forward Windows logs using syslog-ng. This is not a method supported by IBM, but it works great. They recommend using their agent WinCollect or the Windows MSRPC protocol.
Windows logs are multiline; therefore you can't send the logs on 514, because it can only handle single-line logs. You'll need to create a listener on another port that will reassemble the multiline logs. Here's IBM's procedure for the listener:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/t_DSM_guide_Splunk_logsource.html
This listener will automatically detect all the Windows log source servers and create them, and, as a gateway, it will assign each log to the right log source in QRadar if it already exists. As for the syslog-ng config, you need to send the logs unmodified, with no special header, to your QRadar event collector IP on the listener port you've created, and over TCP. It should work just fine.
Unfortunately, I'm not allowed to give you SNG configs or screenshots of my QRadar configuration, since it belongs to my employer, and I do not have authorisation to share the information. If you have a good Unix admin, I'm sure he'll be just fine with SNG. And you may ask IBM support for help on the listener.
You could replace SNG with MSRPC...
https://www-01.ibm.com/support/docview.wss?uid=swg21700170
If it's too complicated, you may want to install WinCollect.
I hope this helped.
Regards,
------------------------------
Anthony Gayadeen
------------------------------
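The syslog-ng side of what the reply above describes, as an added example that is not Anthony's configuration and not from IBM's documentation: a relay that accepts the Windows event text on one TCP port and forwards each line untouched (no syslog header added, nothing parsed or rewritten) to the QRadar listener port over TCP, leaving the multiline reassembly to the QRadar listener. The syslog-ng version line, the inbound port 1514, the QRadar collector address 192.0.2.10 and the listener port 12468 are all assumptions; replace them with the port you configured on the QRadar listener and your own addresses.

```conf
# Added example, not the original poster's config. All addresses and ports
# below are assumptions; set them to match your QRadar listener.
@version: 3.19

# Where the Windows event text arrives at this relay (assumed: TCP/1514,
# e.g. from the syslog-ng Agent for Windows or any forwarder that sends
# the raw event lines). no-parse keeps each received line whole in
# ${MESSAGE} instead of trying to split off a syslog header.
source s_windows_in {
    network(
        ip("0.0.0.0")
        port(1514)
        transport("tcp")
        flags(no-parse)
    );
};

# The QRadar event collector and the dedicated multiline listener port
# created per the IBM procedure (assumed values). The template sends only
# the message body plus a newline: no priority, timestamp or hostname is
# prepended, so the listener sees the Windows log exactly as received.
destination d_qradar_listener {
    network(
        "192.0.2.10"
        port(12468)
        transport("tcp")
        template("${MESSAGE}\n")
    );
};

log {
    source(s_windows_in);
    destination(d_qradar_listener);
};
```

Two things to check once this is in place: `syslog-ng -s` should report no syntax errors, and the QRadar listener, not the default 514 syslog log source, must own the destination port, because anything landing on 514 will be treated as one event per line and the Windows events will arrive fragmented.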
Original Message:
Sent: 11-29-2018 02:15 AM
From: Ming Zheng Lee
Subject: IBM QRadar v7.3.1 - Log Source for syslog-ng
Hi All,
I have a QRadar All-in-One virtual machine running on v7.3.1. I have configured a Windows Server deployed with syslog-ng to send syslog to the QRadar server. However, on my QRadar server, I am unable to see the log source being detected automatically. Why is this so? I appreciate any kind response.
Thank you.
Gary
------------------------------
Ming Zheng Lee
------------------------------