IBM QRadar

  • 1.  Log sources Error: Troubleshooting

    Posted Thu July 25, 2024 07:42 AM

    Hey all, I currently have some log sources (mainly WinCollect types) in Error in my QRadar deployment, but what I don't understand is why I'm receiving the system heartbeat events but not the log events. Does anyone have an idea what the problem is?

    Thanks in advance for your feedback.



    ------------------------------
    Essotassim LANGUIE
    ------------------------------


  • 2.  RE: Log sources Error: Troubleshooting

    Posted Fri July 26, 2024 02:46 AM

    Hi Essotassim,

    WinCollect has some dependencies to check. Your description has no details about which versions and configurations you're running. Depending on this, different ports and options come into play; without details it is difficult to assess. But here is a helpful link to start, maybe you are already aware of it:

    https://www.ibm.com/community/101/qradar/wincollect/

    This will support you with many details to check.

    Regards,

    Ralph



    ------------------------------
    Ralph Belfiore
    Managing Consultant | Senior SIEM Expert
    connecT SYSTEMHAUS AG
    Siegen
    +491726365525
    ------------------------------



  • 3.  RE: Log sources Error: Troubleshooting

    Posted Thu December 26, 2024 02:34 PM

    Hi,

    Please check the error messages in WinCollect; you can see them alongside the heartbeat events.



    ------------------------------
    Abdul Quadeer
    ------------------------------



  • 4.  RE: Log sources Error: Troubleshooting

    Posted Mon January 13, 2025 08:26 AM

    Ralph's link may have all this, but from my experience:

    1) The fact that the WC agent is logging heartbeats and whatnot is a good thing; at least port 514 is getting from the machine(s) to the EC or whatever (8413 and UDP/TCP could still be an issue).

    2) In the Windows log source itself, you should check the destination on the first page of options. You may have to make a WinCollect destination under Admin/WinCollect/Destinations (I never saw the need for this).

    3) If the destination is correct, then on the 2nd page of the Windows log source, at the bottom, make sure it is sending to the proper WinCollect agent. Sometimes replacing machines with newer names, or same to same, can cause issues. As long as it is sending to a valid agent it should work.

    If that doesn't help and the stuff in Ralph's link doesn't help, I'd open a ticket with support.



    ------------------------------
    Frank Eargle
    ------------------------------