IBM QRadar

  • 1.  Multitenant environments collect windows log error

    Posted Wed May 12, 2021 04:36 AM
    Hello,
    How do I deploy WinCollect in multitenant environments? In my environment, the QRadar console can only connect with the Event Collector;
    the QRadar console can't establish a connection with the Windows server. How can I collect Windows logs? Is there any other way besides WinCollect?
    I send Linux logs to the EC, then forward them to the console through the EC. The console can add a Linux log source normally, but a Windows one can't be added.

    ------------------------------
    logan he
    ------------------------------


  • 2.  RE: Multitenant environments collect windows log error
    Best Answer

    Posted Thu May 13, 2021 10:16 AM
    Hi Logan,

    You can send Windows events to an Event Collector just like you can with Linux events; an EC supports the same log source types and protocol types as an EP or console.

    WinCollect is an option, but you could use alternate Windows agents if you like (Snare, nxlog, Balabit syslog-ng, etc.). We also have an agentless solution (Protocol Type="Microsoft Security Event Log over MSRPC") that allows a log source assigned to your EC to remotely connect to a Windows system to retrieve events. For a low event rate system the MSRPC approach should be fine, but for a higher event rate system you'll likely need an agent.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------