IBM QRadar

  • 1.  Wincollect File Forwarder Issue

    Posted Tue December 01, 2020 03:41 AM
    Hello all,
    Wish you a Good Day,

    Kindly, I would like to ask about an issue that appeared to me. I use QRadar v7.3.3 Fix Pack 3 and I want to get the logs of the Oracle DB (running on a Windows server). The DB writes its logs to a file on this server, so I installed WinCollect on the server and used the WinCollect File Forwarder protocol to get the logs from this file. I followed the steps found in the DSM Guide, but the integration failed and no logs come to QRadar from this file. Is there anything else I should check, or is there another workaround that would let me get these logs from these files? Kindly be informed that I was using WinCollect version 7.2.9.

    Kindly, could anyone help me with this issue ASAP.
    Thanks.

    ------------------------------
    Moustafa Salah
    ------------------------------


  • 2.  RE: Wincollect File Forwarder Issue

    Posted Wed December 02, 2020 03:01 AM
    Hi Moustafa,

    I recommend checking that the path doesn't have special characters, because this happened to me when I had a "-" (e.g. "C:\logs-from-system\"): WinCollect didn't read the files, so we removed the special characters and kept a folder with a plain name.
    See if that helps you.

    Best regards,

    ------------------------------
    Kiril Bonev
    System Specialist
    CNsys PLC
    ------------------------------



  • 3.  RE: Wincollect File Forwarder Issue

    Posted Wed December 02, 2020 03:29 AM
    Hello Kiril,

    Thank you for your reply. If you know anything else that I can check, or anything that could cause an issue, please inform me, because the name of the folder does not contain any special characters.

    Thank you.

    ------------------------------
    Moustafa Salah
    ------------------------------



  • 4.  RE: Wincollect File Forwarder Issue

    Posted Wed December 02, 2020 03:43 AM
    Hello Moustafa,

    Unfortunately, I have no specific idea if this is not the case.
    You can try to look for errors in the WinCollect.log file, which is located in the "C:\Program Files\IBM\WinCollect" folder.
    If it is very urgent, I would recommend that you open a support case with IBM.

    Regards,


    ------------------------------
    Kiril Bonev
    System Specialist
    CNsys PLC
    ------------------------------



  • 5.  RE: Wincollect File Forwarder Issue

    Posted Mon December 14, 2020 03:32 AM
    Hello All,

    Kindly, I would like to ask if there are any required ports that need to be open for these log sources, or anything else that needs to be checked to confirm that everything is okay.

    Thank you.

    ------------------------------
    Moustafa Salah
    ------------------------------



  • 6.  RE: Wincollect File Forwarder Issue

    Posted Tue December 15, 2020 01:19 PM

    Hi Moustafa,

    WinCollect agents send events to QRadar on port 514, unless they've been configured to use TLS Syslog, in which case it would be an alternate listen port.

    Managed agents (those installed with a Configuration Server set) also talk to QRadar via an encrypted management channel, which QRadar listens for on port 8413. If you installed your agent as a managed agent, you need to ensure it has line-of-sight to both port 514 and port 8413 on the target QRadar host. If it's an unmanaged agent, meaning you configure the agent directly, you only need access to 514.

    Your original post said you used the WinCollect File Forwarder protocol, which suggests you configured your log source on the QRadar side. This is for managed agents only, so you should check this file on your Windows system to verify that the ConfigurationServer property is set to a QRadar host which your agent can reach on 8413: C:\Program Files\IBM\WinCollect\config\install_config.txt

    If the agent is properly connecting to QRadar for management purposes, it should have downloaded an AgentConfig.xml file to the same directory that contains your File Forwarder configuration. If the config file does not have this info, it means the agent is not getting config updates from QRadar, which likely means you have something misconfigured, but if you can't figure out what, you should contact support.

    Cheers
    Colin



    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
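A PowerShell check of the points Colin lists (the ConfigurationServer property in install_config.txt, reachability of ports 8413 and 514, presence of AgentConfig.xml) plus Kiril's WinCollect.log suggestion, added here as an example and not taken from the thread or from IBM. The default install path, the key=value layout of install_config.txt, a possible ":port" suffix on the ConfigurationServer value and the 'File ?Forwarder' search pattern are assumptions.

```powershell
# Added example, not code from the thread or from IBM: a checklist script for a
# managed WinCollect agent, run on the Windows host. Assumes the default install
# path and that install_config.txt holds key=value lines (both assumptions).
$WinCollectRoot = 'C:\Program Files\IBM\WinCollect'
$installConfig  = Join-Path $WinCollectRoot 'config\install_config.txt'
$agentConfig    = Join-Path $WinCollectRoot 'config\AgentConfig.xml'

function Get-ConfigValue {
    param([string]$Path, [string]$Key)
    if (-not (Test-Path $Path)) { return $null }
    $line = Get-Content $Path | Where-Object { $_ -match "^\s*$Key\s*=" } | Select-Object -First 1
    if ($line) { return ($line -split '=', 2)[1].Trim() }
    return $null
}

# 1. Is the agent managed, and which QRadar host does it use for configuration?
$configServer = Get-ConfigValue -Path $installConfig -Key 'ConfigurationServer'
if (-not $configServer) {
    Write-Warning "ConfigurationServer is not set in $installConfig (unmanaged or misconfigured agent)."
} else {
    # Drop any ':port' suffix (assumption about the value format) before probing.
    $qradarHost = ($configServer -split ':')[0]
    # 2. TCP reachability of the management channel (8413) and the event port (514).
    #    A TCP probe cannot confirm UDP syslog; check firewall rules for that case.
    foreach ($port in 8413, 514) {
        $ok = (Test-NetConnection -ComputerName $qradarHost -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1} reachable over TCP: {2}' -f $qradarHost, $port, $ok
    }
}

# 3. Has the agent pulled its configuration, and does it include the File Forwarder?
if (-not (Test-Path $agentConfig)) {
    Write-Warning 'AgentConfig.xml is missing: the agent has not received configuration from QRadar.'
} else {
    $ageMinutes = ((Get-Date) - (Get-Item $agentConfig).LastWriteTime).TotalMinutes
    'AgentConfig.xml last updated {0:N0} minutes ago' -f $ageMinutes
    # 'File ?Forwarder' is an assumed search pattern; the thread does not name the XML element.
    $hits = @(Select-String -Path $agentConfig -Pattern 'File ?Forwarder')
    if ($hits.Count -gt 0) { 'File Forwarder configuration present ({0} matching lines)' -f $hits.Count }
    else { Write-Warning 'No File Forwarder entries in AgentConfig.xml: the log source has not reached this agent.' }
}

# 4. Recent errors from the agent log (Kiril's suggestion); the file name is from the thread,
#    the search below is recursive so the exact subfolder does not matter.
Get-ChildItem -Path $WinCollectRoot -Recurse -Filter 'WinCollect.log' -ErrorAction SilentlyContinue |
    Select-String -Pattern 'ERROR' |
    Select-Object -Last 10 |
    ForEach-Object { $_.Line }
```

Run it in an elevated PowerShell session on the agent host; a missing AgentConfig.xml or a failed probe of 8413 points at the management channel rather than at the File Forwarder log source itself.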



  • 7.  RE: Wincollect File Forwarder Issue

    Posted Wed December 16, 2020 06:11 AM
    Hello Colin Hay,

    Kindly be informed that I tried this configuration on two different Windows servers and it worked fine with one and is not working with the other, so is there any restriction on the server side, or any boundaries that could be the root cause of this issue?

    And kindly be informed that the agent is a managed WinCollect agent and it is working fine and sending events to QRadar.



    ------------------------------
    Moustafa Salah
    ------------------------------



  • 8.  RE: Wincollect File Forwarder Issue

    Posted Wed December 16, 2020 10:21 AM
    Hi Moustafa,

    At this point I think you need to create a support case. If your agent is properly communicating with QRadar from a management perspective and is successfully sending other events to QRadar, it seems you have it set up correctly for the most part. There seems to be a specific problem with your file forwarder configuration, but to know what, one would need to inspect the config and examine the agent logs.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------