Original Message:
Sent: Fri July 28, 2023 02:32 PM
From: Jonathan Pechta
Subject: WinCollect 10 Remote Source Credentials
Typically, as long as the user is a member of the Event Log Readers group, then they should have permissions to remotely poll for any data from the Event Viewer. WinCollect uses a Microsoft protocol called the "EventLog Remoting Protocol (v6)" to collect events remotely over RPC, which is controlled by the local security policy in Windows for standard event types, such as live events in the Windows Event Viewer. However, there are other protocols in WinCollect that can read .log files for log source types, like DHCP or IIS, that use SMB. This answer gets tricky on certain protocols as some hosts might be more locked down than others based on policy. This is why the documentation typically states that you must have Event Log Readers, as it is the most common group that has permission to access MSEVEN6 data over RPC. However, if you are remote polling across a domain, you might need much higher permissions, like a domain admin, which is typically frowned upon in most circles. There is no great answer here, as the answer is "it depends".
MSEVEN6 is encrypted and you can check out the spec here if you want to dig further. WinCollect polls for the events over MSEVEN6, converts the data to Syslog events, then if TLS is required, the data is sent to QRadar over TLS or standard Syslog depending on how you have your destination configured.
General data flow for remote polling:
1. WinCollect polls over MSEVEN6 for data --> 2. RPC data returned --> 3. WinCollect creates a Syslog payload --> 4. Destination defines how the data is sent to QRadar (IP and protocol, such as TLS, TCP, UDP).
I'm not sure if I covered what you are looking for. The best option is to try with the Event Log Readers group. If you need to go higher, use something like "Manage Auditing and Security Logs".
You can test permissions by opening the Event Viewer, selecting Connect to Remote Computer, then entering credentials. This info is covered in the Error Code 5: Access is denied tech note as it is a good test for permissions between where WinCollect is installed and the remote host you are trying to remotely poll.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
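The permission test described in the reply above (Event Viewer, Connect to Another Computer, Error Code 5) can be scripted so it is repeatable across many remote sources. The PowerShell below is an added example and is not code from the original post, from IBM, or from WinCollect. The host name, the polling account, and the log channel list are placeholders; it assumes WinRM is enabled on the target only for the optional group-membership check at the end, while the event-log read itself goes over the same RPC path (TCP 135 plus the dynamic RPC port) that Event Viewer and WinCollect use.

```powershell
# Added example, not from the original post or from IBM. Checks whether a
# polling account can read remote Windows event logs over the Event Log
# Remoting path (RPC/MSEVEN6), the same path Event Viewer and WinCollect use.
param(
    [string]$RemoteHost = 'srv01.example.local',        # assumed target host
    [string]$UserName   = 'EXAMPLE\svc-wincollect',     # assumed polling account
    [string[]]$LogNames = @('Application', 'Security', 'System')
)

$cred = Get-Credential -UserName $UserName -Message "Password for $UserName"

# 1. The RPC endpoint mapper (TCP 135) must be reachable before any rights matter.
$rpc = Test-NetConnection -ComputerName $RemoteHost -Port 135 -WarningAction SilentlyContinue
if (-not $rpc.TcpTestSucceeded) {
    Write-Warning "TCP 135 to $RemoteHost is blocked; remote polling cannot work regardless of permissions."
    return
}

# 2. Read one event from each channel as the polling account.
#    Security is the channel most often denied to accounts outside Event Log Readers
#    (or lacking the "Manage auditing and security log" user right).
$results = foreach ($log in $LogNames) {
    try {
        $ev = Get-WinEvent -ComputerName $RemoteHost -Credential $cred -LogName $log -MaxEvents 1 -ErrorAction Stop
        [pscustomobject]@{ Log = $log; Readable = $true; Detail = "latest RecordId $($ev.RecordId)" }
    }
    catch {
        $msg = $_.Exception.Message
        # 0x80070005 (-2147024891 as Int32) is "Access is denied", i.e. Error Code 5.
        $denied = ($msg -match 'Access is denied') -or ($_.Exception.HResult -eq -2147024891)
        $detail = if ($denied) {
            'Access denied (Error 5): add the account to Event Log Readers on the target or grant a higher right'
        } else { $msg }
        [pscustomobject]@{ Log = $log; Readable = $false; Detail = $detail }
    }
}
$results | Format-Table -AutoSize

# 3. Optional: confirm who is in the local Event Log Readers group on the target.
#    This needs WinRM and local admin rights on the target, which the polling
#    account itself normally should not have; run it with an admin credential if needed.
try {
    $members = Invoke-Command -ComputerName $RemoteHost -Credential $cred -ErrorAction Stop -ScriptBlock {
        Get-LocalGroupMember -Group 'Event Log Readers' | Select-Object -ExpandProperty Name
    }
    "Event Log Readers on ${RemoteHost}: $($members -join ', ')"
}
catch {
    Write-Warning "Could not enumerate 'Event Log Readers' on $RemoteHost (WinRM or admin rights missing): $($_.Exception.Message)"
}
```

Run it from the WinCollect host, because that is where the RPC path and any host-based firewall rules actually apply. A channel that shows Readable = False with the Error 5 detail is the case the tech note covers; a failure on TCP 135 is a network problem rather than a permissions one.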
Original Message:
Sent: Thu July 27, 2023 08:20 PM
From: Tom L
Subject: WinCollect 10 Remote Source Credentials
Per Creating a remote source - IBM Documentation and WinCollect 10: Bulk configuring windows events from 100 endpoints, what are the minimum rights and permissions needed to successfully connect to remote sources and pull logs? What protocol is used to pull the logs from remote sources, and can it be encrypted with TLS, like how a WinCollect 10 can forward its logs via syslog over TLS?
Thanks!
------------------------------
Tom L
------------------------------