There are multiple solutions for accepting and forwarding syslog that support TLS. One of the simplest is rsyslog, which is available on most Linux hosts. There are also pluggable log forwarders like Logstash and Fluentd. For something that's more closely related to (and supported by) QRadar, there's our DLC collector https://www.ibm.com/docs/en/qradar-common?topic=disconnected-log-collector
The idea is to place that collector in a public subnet, with appropriate firewall and DDoS mitigation, have the clients/laptops log to it as their destination and then configure the output side of the log server to hit a QRadar EC or EP.
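As an added illustration of the relay described in this reply and in Rory's earlier post (this is example configuration, not the thread's own or IBM's), here is an rsyslog configuration for the public-subnet log server: it accepts TLS syslog on 6514 with mutual authentication (matching what WinCollect's TLS Syslog destination can do), and forwards to a QRadar Event Collector in the private subnet over TLS with a disk-assisted queue. All hostnames, the certificate paths and the peer-name patterns are placeholders; the matching TLS Syslog log source on the QRadar side and the WinCollect destination still have to be configured separately.

```rsyslog
# Added example: rsyslog as the public-subnet TLS syslog relay in front of QRadar.
# Hostnames, ports and certificate paths are placeholders.

# Certificates used for both the inbound listener and the outbound forwarder.
# The key file should be readable by the rsyslog user only.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/internal-ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/relay.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/relay-key.pem"
)

# Public-facing listener: TLS only, client certificate required.
# The weaker setting would be StreamDriver.AuthMode="anon": that still encrypts the
# channel but lets any host on the internet inject events into the SIEM.
# x509/name forces each client to present a certificate from our CA whose
# CN/SAN matches PermittedPeer (placeholder pattern for the laptop certificates).
module(load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.AuthMode="x509/name"
    PermittedPeer=["*.laptops.example.com"]
)

# Per-connection rate limit blunts a flood from a single compromised or
# misconfigured endpoint without silencing the rest of the fleet.
input(type="imtcp" port="6514" ruleset="toQRadar"
    RateLimit.Interval="10" RateLimit.Burst="20000"
)

# Forward everything from the public listener to the QRadar EC in the private subnet,
# again over mutually authenticated TLS. The disk-assisted queue keeps events across a
# QRadar outage or a relay restart instead of dropping them; infinite retries keep the
# action alive until the EC is reachable again.
ruleset(name="toQRadar") {
    action(type="omfwd"
        target="qradar-ec.private.example.com" port="6514" protocol="tcp"
        StreamDriver="gtls" StreamDriverMode="1"
        StreamDriverAuthMode="x509/name"
        StreamDriverPermittedPeers="qradar-ec.private.example.com"
        queue.type="LinkedList" queue.filename="fwd_qradar"
        queue.maxDiskSpace="2g" queue.saveOnShutdown="on"
        action.resumeRetryCount="-1"
    )
}
```

Check the syntax with `rsyslogd -N1` before restarting the service. On the host firewall and the cloud security group, expose only 6514/tcp to the laptop population (514/udp and plain 514/tcp stay closed), and allow the relay outbound only to the EC's private address on 6514/tcp. With this layout a stolen laptop certificate can still send events, but only as that laptop's identity, and the relay never holds QRadar credentials beyond its own client certificate.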
Original Message:
Sent: Mon June 16, 2025 03:11 AM
From: Vydenis Kucinskas
Subject: QRadar and Azure-Only Environments
Your solution sounds interesting. Could you please provide more information on how it can be implemented?
What type of intermediate log server should be used in this case?
What software can be used on this server to collect logs from WinCollect agents?
And how can those logs be forwarded from the intermediate server to QRadar?
BR
------------------------------
Vydenis Kucinskas
Original Message:
Sent: Wed June 11, 2025 08:07 AM
From: Rory Bray
Subject: QRadar and Azure-Only Environments
I don't think WinCollect is a non-option. All that WC needs is a Syslog (or TLS Syslog) destination for sending events. It doesn't have to send them directly to QRadar, it could be an intermediate log server in a public subnet within AWS/Azure/whatever that forwards to QRadar in a private subnet. WC will also do mTLS to help reduce the risks associated with a public-facing log server.
------------------------------
Rory Bray
Security and Compliance Architect, Threat Management
IBM
Original Message:
Sent: Wed June 11, 2025 05:41 AM
From: Vydenis Kucinskas
Subject: QRadar and Azure-Only Environments
Hi guys,
Maybe someone has experience working with an entirely cloud infrastructure, without on-prem servers or Active Directory, and with log collection from such an infrastructure?
Situation:
The challenge lies in collecting logs from workstations (laptops) into the SIEM in fully cloud env.
Let's say we don't have an on-premises domain, only Azure AD, which rules out using Windows Event Forwarding (WinRM subscriptions) or WinCollect.
Our employees work both remotely and from various offices around the world. Each office is equipped with Wi-Fi, but network location is not the issue here; the main challenge is the complete absence of on-prem infrastructure.
The QRadar instance will be deployed in AWS but will not be publicly accessible, which further eliminates WinCollect as an option.
As far as I know there is a solution to forward some logs from Windows Defender XDR to Event Hub and from there integrate Event Hub with QRadar. However, Defender XDR mostly sends only alerts, not raw data (security, application logs, etc.).
Collecting only alerts is not sufficient when it comes to forensic investigations, compliance, and comprehensive log collection - including security, application, and system logs. Our main goal is to collect full log data, not just alerts. In an on-premises environment, this is straightforward - you can collect everything you need. The challenge is achieving similar or equivalent log visibility in a fully cloud-based infrastructure.
There's also the theoretical solution of using Azure Monitor → Event Hub → QRadar. While I understand this flow in theory, we haven't tested it in practice, and I'm unsure what type of logs we'd be able to retrieve this way.
In typical on-prem environments, we collect security logs from workstations via WinRM. Without that setup, I'm uncertain how to proceed.
Has anyone encountered this issue and found a solution?
BR
Vydenis
------------------------------
Vydenis Kucinskas
------------------------------