IBM QRadar

  • 1.  Problem with Event Forwarding

    Posted Mon November 18, 2019 03:56 AM

    Hello IBM team.

    I have a problem with event forwarding to the WinCollect server. I configured event forwarding and get such a problem:

    1) Events are not written to the forwarding logs, but I see log activity from these endpoints.

    GPO: (screenshot not preserved in this copy of the post)

    Thank you for your help)


    ------------------------------
    Vadim Novikov
    SOC Engineer
    IT-Specialist
    Kiev
    +380972970792
    ------------------------------


  • 2.  RE: Problem with Event Forwarding

    Posted Mon November 25, 2019 05:50 PM
    It looks like you're trying to send event logs directly from Windows computers to QRadar via Windows Event collection.

    That isn't how it works.

    You need to build a Windows Event Collector server as per the Microsoft documentation

    https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/

    https://channel9.msdn.com/Events/Ignite/Australia-2015/INF327

    https://social.technet.microsoft.com/wiki/contents/articles/33895.windows-event-forwarding-survival-guide.aspx

    There are many more resources if you need them.

    Once you have your WEC server set up (it looks like you might have done this), you point all the computers to the WEC server (the URL needs to point to the WEC server, not QRadar) via the Group Policy (it looks like you pointed your computers to the QRadar system in the GPO). Once you've pointed your computers to the WEC server via GPO, you should see the event logs in the Forwarded Events log.

    Once you've gotten that far, you need to install a WinCollect agent on the WEC server and configure it to pick up the Forwarded Events logs and send them to QRadar. Once you've done this, you will see the Forwarded Events in QRadar.

    Each of the computers will be created as their own individual log source with the naming convention
    WindowsAuthServer @ ComputerName.domainname

    There is no direct path for sending logs to QRadar using WEC. The path is

    Windows endpoint computer (server or workstation) > WEC Server Forwarded Logs > QRadar via WinCollect agent

    I have thousands of computers sending their logs to QRadar this way.

    HTH,

    Robert
    ------------------------------
    Robert Strom
    ------------------------------
  • 3.  RE: Problem with Event Forwarding

    Posted Mon November 25, 2019 06:14 PM
    I would also recommend that you look at this additional documentation for the log sources and event IDs to collect.

    https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events

    NOTE: You should review this entire page. Also, for some reason Event ID 4625 is not on this list, and it is a must to have this ID included:
    https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection#bkmk-appendixe1

    Using the Suppress XML tag is something that took me a while to find but I find it to be very important in tuning out noise. You can find a little bit of information here

    https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events

    and

    https://www.ibm.com/support/pages/how-use-xpath-queries-wincollect-suppress-specific-events

    and here (in a picture)

    https://www.logbinder.com/Products/Supercharger/

    and here

    https://forum.logbinder.com/Topic659.aspx
    You also should know how to use the wecutil.exe CLI - https://docs.microsoft.com/en-us/windows/win32/wec/wecutil

    HTH,

    Robert

    ------------------------------
    Robert Strom
    ------------------------------
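
The two replies above describe one procedure: point endpoints at the WEC server (not at QRadar) via GPO, let the WEC server collect into Forwarded Events, have WinCollect ship that log to QRadar, and use a Suppress clause plus wecutil to keep the subscription tuned and healthy. The following PowerShell script is an added example written for this thread; it is not code from Robert's posts, from IBM, or from Microsoft. It assumes a collector hostname of wec01.corp.example and a subscription name of QRadar-Security, both placeholders. The Suppress clause drops Logon Type 5 (service) logons as an illustration of noise tuning; 4625 is deliberately left unsuppressed, as the third post insists. The WinCollect log source itself is configured in the QRadar console and is not scripted here.

```powershell
# Added example for this thread (not the posters' or IBM's code).
# Path being wired up: endpoint -> WEC server "ForwardedEvents" -> WinCollect agent -> QRadar.
# Assumptions (placeholders): collector wec01.corp.example, subscription QRadar-Security.

$WecServer = 'wec01.corp.example'   # the collector, NOT the QRadar console
$SubName   = 'QRadar-Security'

# --- 1. Endpoint side: what the GPO "Configure target Subscription Manager" writes.
# Post 2's failure mode was a GPO whose URL pointed at QRadar; this check, run on an
# endpoint, confirms the target is the WEC server.
$SubMgrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

function Test-SubscriptionManagerTarget {
    param([string]$ExpectedHost = $WecServer)
    $props  = (Get-ItemProperty -Path $SubMgrKey -ErrorAction Stop).PSObject.Properties
    $values = $props | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    # Expected shape: Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60
    $pattern = "Server=https?://$([regex]::Escape($ExpectedHost)):\d+/wsman/SubscriptionManager/WEC"
    return [bool]($values | Where-Object { $_ -match $pattern })
}

function Get-EndpointForwardingErrors {
    # Source-initiated forwarding logs its own subscription errors here on each endpoint.
    # Also make sure NETWORK SERVICE can read the Security log on the source
    # (Event Log Readers membership), or the WEC server never receives anything.
    Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# --- 2. Collector side: a source-initiated subscription with Select and Suppress.
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon events for QRadar; service logons (type 5) suppressed as noise</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4648)]]</Select>
        <Suppress Path="Security">*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType']='5']]</Suppress>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@

function Register-WecSubscription {
    # Run on the WEC server as an administrator. wecutil cs fails if the name already
    # exists; delete with "wecutil ds <name>" first when re-creating.
    param([string]$Xml = $SubscriptionXml, [string]$Path = (Join-Path $env:TEMP "$SubName.xml"))
    Set-Content -Path $Path -Value $Xml -Encoding UTF8
    wecutil qc /q          # enable and start the Windows Event Collector service (quiet)
    wecutil cs $Path       # create the subscription from the XML above
    wecutil gs $SubName    # echo the stored configuration back for review
}

# --- 3. Health: per-source runtime status, then the events WinCollect will read.
function Get-WecSubscriptionHealth {
    wecutil gr $SubName    # each source computer with its last heartbeat / last error
    # MachineName here is what becomes the "WindowsAuthServer @ ComputerName.domainname"
    # log source name once WinCollect forwards ForwardedEvents to QRadar.
    Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Id
}
```

Run Test-SubscriptionManagerTarget and Get-EndpointForwardingErrors on a source computer after a gpupdate; run Register-WecSubscription once and Get-WecSubscriptionHealth whenever sources stop appearing. If wecutil gr lists a source with an error and ForwardedEvents stays empty, the problem is on the endpoint-to-collector hop, not in WinCollect or QRadar.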