IBM QRadar

  • 1.  IMPORTANT - Getting Application and Service Logs - Agentless

    Posted Sun November 05, 2023 02:40 PM

    Hello Everyone,

    I want to ask for your support to help me find a way to fetch Sysmon and PowerShell logs to QRadar without using WinCollect. I want to know if it is doable? If yes, I would appreciate your kind support to help me find a way to fetch Application and Service Logs from Event Viewer using MSRPC or WMI or any other way than WinCollect.

    Thanks,



    ------------------------------
    Donald Lavag
    ------------------------------


  • 2.  RE: IMPORTANT - Getting Application and Service Logs - Agentless

    Posted Mon November 06, 2023 04:25 PM

    Just to clarify, is the issue that you do not want to have an agent running on the Windows host? The base answer is that with MSRPC, you can agentlessly collect events. WMI is end of life and we no longer support that option in QRadar. There are going to be some caveats about MSRPC though, as you might need fairly high-level permissions to request data with MSRPC. Depending on how your permissions and networks are set up, you might need domain admin to poll some hosts.

    If you do not want to use WinCollect, there are agent solutions like Snare or NXLog, and other tools that take a WEF/WEC subscription and convert it to Syslog.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------



  • 3.  RE: IMPORTANT - Getting Application and Service Logs - Agentless

    Posted Tue November 07, 2023 02:22 AM

    Hi Donald,

    You can use the MSRPC method as @JonathanPetcha mentioned. Also, you can use a separate Windows server for remote WinCollect collection. You can use XPath queries for different kinds of logs like PowerShell and Sysmon. QRadar supports 10 different XPath queries.



    ------------------------------
    İsmail Kaya
    ------------------------------



  • 4.  RE: IMPORTANT - Getting Application and Service Logs - Agentless

    Posted Tue November 07, 2023 07:02 AM

    Hi Ismail,

    But the MSRPC protocol is only used to forward standard logs like Application, Security, and System logs. How can we set up MSRPC to forward non-standard logs to IBM QRadar?



    ------------------------------
    Faisal Rafiq
    ------------------------------



  • 5.  RE: IMPORTANT - Getting Application and Service Logs - Agentless

    Posted Tue November 07, 2023 07:22 AM

    Hi Faisal,

    I am sorry for the wrong expression. MSRPC is one log collection method, but the second option is installing WinCollect on a separate server, and you can collect PowerShell logs with this WinCollect server. There will be no agent on every server or client, just on the WinCollect server.

    For MSRPC, as you mentioned, there wouldn't be non-standard support:

    https://www.ibm.com/support/pages/qradar-agentless-windows-events-collection-using-msrpc-protocol-msrpc-faq#logtypes



    ------------------------------
    İsmail Kaya
    ------------------------------
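
    As an added example (not code from the thread or from IBM), the XPath approach mentioned in posts 3 and 5 uses Windows Event Log XPath in QueryList form, the same syntax Event Viewer's "Filter Current Log > XML" tab produces. The query below selects all Sysmon operational events plus PowerShell module logging (4103) and script block logging (4104) events, and Test-EventLogXPath runs it locally with Get-WinEvent -FilterXml so you can confirm the query is well-formed and the channels actually hold data before pasting it into the collector's XPath query field. The channel names and event IDs are Microsoft's; that the remote WinCollect log source accepts exactly this QueryList text is an assumption to confirm against the IBM documentation for your version.

```powershell
# Added example, not from the original post or from IBM.
# Windows Event Log XPath (QueryList form) covering two "Applications and
# Services" channels: Sysmon and PowerShell operational logs.
$XPathQuery = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <!-- Every Sysmon event: process create (1), network connect (3), image load (7), ... -->
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-PowerShell/Operational">
    <!-- 4103 = module logging, 4104 = script block logging -->
    <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4103 or EventID=4104)]]</Select>
  </Query>
</QueryList>
'@

function Test-EventLogXPath {
    param(
        [Parameter(Mandatory)][string]$Query,
        [int]$MaxEvents = 5
    )
    # [xml] cast throws on malformed XML, which is the first thing to rule out.
    $xml = [xml]$Query

    # Reading these channels requires local admin or membership in the
    # built-in "Event Log Readers" group; the same permission caveat applies
    # to whichever account the collector uses.
    try {
        $events = @(Get-WinEvent -FilterXml $xml -MaxEvents $MaxEvents -ErrorAction Stop)
    }
    catch {
        # "No events were found" is a non-fatal answer: the query is valid, the
        # channel is just empty (e.g. script block logging not yet enabled).
        if ($_.Exception.Message -like '*No events were found*') { return @() }
        throw   # unknown channel, bad XPath, or access denied: surface it
    }

    foreach ($e in $events) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Channel     = $e.LogName
            EventId     = $e.Id
            Provider    = $e.ProviderName
        }
    }
}

# Usage: an empty result means "valid query, nothing logged yet";
# an exception means the query or permissions need fixing.
Test-EventLogXPath -Query $XPathQuery | Format-Table -AutoSize
```

    If the local check returns events for both channels but the QRadar log source stays empty, the remaining suspects are the account the collector polls with (same "Event Log Readers"/admin requirement over the network) and the per-source XPath limit the thread mentions.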