IBM QRadar
  • 1.  WinCollect host does not send any event data

    Posted Fri July 24, 2020 06:36 PM

    We have installed a managed WinCollect agent on a Windows host. It seems the installation went well. The agent definition and the log sources are automatically created in QRadar.

    QRadar also receives the heartbeat from the Windows host. However, it seems the Windows host does not send any event data. I ran tcpdump on QRadar, but it seems there is no event data received on QRadar.

    QRadar version is 7.4.0 Fixpack 4

    WinCollect 7.2.9 build 105

    Any help will be appreciated.

    Thanks a lot for your help



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: WinCollect host does not send any event data
    Best Answer

    Posted Mon July 27, 2020 01:11 PM

    Hey there Hans,

    Check the WinCollect.log file for additional information to see if the events are actually being collected by the agent and if you are seeing any error. Usually this kind of thing happens due to a misconfiguration of the WinCollect agent or a block in the firewall. Verify communications, the collection of data and the configuration to see that the destination has been set properly. Make sure that both ports 514 and 8413 are open towards the relevant collector.

    There are three parts to the WinCollect process:

    1. event collection
    2. sending the logs via syslog
    3. receiving and parsing of the logs in qradar


    Hope I helped! :)






  • 3.  RE: WinCollect host does not send any event data
    Best Answer

    Posted Mon July 27, 2020 02:11 PM

    Thanks for responding.

    It seems the connections are fine.

    I saw the following error in WinCollect.log:

    07-21 13:42:12.862 INFO Code.ConnectionFactory : Initializing ConnectionFactory...
    07-21 13:42:12.862 INFO System.ComponentFactory : Service ConnectionFactory v7.2.9 initialized
    07-21 13:42:12.862 WARN Code.DestinationManager : There are no active destinations specified in the config file, therefore all results will be discarded.
    07-21 13:42:12.877 INFO System.ComponentFactory : Service DestinationManager v7.2.9 initialized
    07-21 13:42:12.877 INFO Code.PayloadRouter : Using 3 router threads.
    07-21 13:42:12.877 INFO Code.PayloadRouter : Using stats sweep period of 30 seconds.
    07-21 13:42:12.877 INFO System.ComponentFactory : Service PayloadRouter v7.2.9 initialized
    07-21 13:42:12.877 INFO Device.Windows2008EventCollector : Windows2008 Event Collector 7.2.9.105 initialized, enabled
    07-21 13:42:12.877 INFO System.ComponentFactory : Service Windows2008EventCollector v7.2.9 initialized
    07-21 13:42:12.877 INFO Device.Service.DeviceWindowsLog : Initializing...
    07-21 13:42:12.877 INFO Device.Service.DeviceWindowsLog : WindowsLog Device Service initialized, 0 devices activated out of 0
    07-21 13:42:12.877 INFO System.ComponentFactory : Service DeviceWindowsLog v7.2.9 initialized

    I suspect the "bolded" text is the cause of the issue, but I am not sure how to fix it.

    Kind Regards



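A small triage helper for WinCollect.log excerpts like the one quoted above, added here as an example and not part of this thread or of WinCollect itself. It assumes the line layout shown in the post (timestamp, level, component, colon, message) and flags the two symptoms the excerpt contains: the DestinationManager warning and a WindowsLog device count of zero.

```python
import re

# Line shape of the WinCollect.log excerpt quoted in the thread, e.g.
# "07-21 13:42:12.862 WARN Code.DestinationManager : There are no active ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+)\s+:\s+(?P<msg>.*)$"
)
DEVICES_RE = re.compile(r"(\d+) devices activated out of (\d+)")


def parse_line(line):
    """Split one log line into ts/level/component/msg; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Return [(component, finding), ...] for the two failure signatures in the thread:
    the DestinationManager WARN (events discarded) and zero activated WindowsLog devices."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # blank or non-log line
        msg = rec["msg"]
        if rec["level"] == "WARN" and "no active destinations" in msg:
            findings.append((rec["component"],
                             "no active destination: collected events are discarded; "
                             "check the destination address (console IP) and ports 514/8413"))
        dev = DEVICES_RE.search(msg)
        if dev and int(dev.group(1)) == 0:
            findings.append((rec["component"],
                             f"{dev.group(1)} of {dev.group(2)} devices activated: "
                             "no log source is active on the agent"))
    return findings


# Sample input: a subset of the lines the poster quoted from WinCollect.log.
SAMPLE_LOG = """\
07-21 13:42:12.862 INFO Code.ConnectionFactory : Initializing ConnectionFactory...
07-21 13:42:12.862 WARN Code.DestinationManager : There are no active destinations specified in the config file, therefore all results will be discarded.
07-21 13:42:12.877 INFO Code.PayloadRouter : Using 3 router threads.
07-21 13:42:12.877 INFO Device.Service.DeviceWindowsLog : WindowsLog Device Service initialized, 0 devices activated out of 0
"""

if __name__ == "__main__":
    for component, finding in triage(SAMPLE_LOG):
        print(f"{component}: {finding}")
```

A run over a healthy log (a destination configured and at least one device activated) returns an empty list, so the script can be pointed at the agent's log directory as a quick first check before opening a ticket.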


  • 4.  RE: WinCollect host does not send any event data
    Best Answer

    Posted Mon July 27, 2020 02:18 PM

    Hey there Hans,

    There are no active destinations specified in the config file

    This shows that the destination set in the config file (during the agent installation) isn't reachable, either because the destination was entered incorrectly or because there is a firewall blocking the communication. When entering the destination in the installation wizard, which IP address did you use? (You should be using the console address.)


    I highly recommend using the following video as an instructional video for the set up:

    https://www.youtube.com/watch?v=qH_yiKfhUHY





  • 5.  RE: WinCollect host does not send any event data
    Best Answer

    Posted Mon July 27, 2020 02:23 PM

    Ports 514 and 8413 are open between the Windows host and the QRadar environment.

    I used the IP address of the event collector as the destination. I tried to use the IP address of the console, but it did not automatically create the log source.

    Thanks a lot for your help





  • 6.  RE: WinCollect host does not send any event data
    Best Answer

    Posted Mon July 27, 2020 02:26 PM

    Hey there Hans, you should use the IP address of the console and then manually configure WinCollect to see if it helps. Anyway, I'd reinstall the agent, this time with the console IP address as the destination, and check WinCollect.log to see if anything has changed.

    The problem most likely sits with the configuration in the WinCollect wizard. Do you have any other WinCollect agents on the same client that you might be able to copy the configuration from?





  • 7.  RE: WinCollect host does not send any event data
    Best Answer

    Posted Wed July 29, 2020 02:07 PM

    Hi Gideon,

    Thanks a lot for your help.

    We ended up opening a service ticket with IBM, and we found out that there is a bug in the event collector. We used the event collector as the management server, and it turns out it sets a "dirty" flag to true which is never reset to false. This means the update is never sent to the Windows host.

    Once we reset the dirty flag to false manually (using psql), the events are flowing fine.

    We also needed to change the management server to the QRadar console appliance, to ensure future updates are deployed to the Windows host.

    I believe IBM development is investigating this issue. But for the time being we cannot use the event collector appliance as the management server.

    Kind Regards,



