WinCollect Agent 7.3.0-41 (x64)
When collecting logs via WinCollect from computers with multiple network interfaces, WinCollect evidently uses the IP of a randomly selected network interface to populate the OriginatingComputer property of the log message.
The OriginatingComputer property is mapped to the Source and Destination IP properties used within QRadar. This results in events with wrong source and destination addresses, i.e. you cannot distinguish which network the computer was connected to while the log was created.
Example:
<13>Dec 16 12:27:47 <IDENTIFER> AgentDevice=WindowsLog AgentLogFile=System PluginVersion=7.3.0.41 Source=Microsoft-Windows-GroupPolicy Computer=xxx.yyy.ccc.de OriginatingComputer=192.168.2.30 User=XXX Domain=XXX EventID=1501 EventIDCode=1501 EventType=4 EventCategory=0 RecordNumber=65426 TimeGenerated=1608118065 TimeWritten=1608118065 Level=Informational Keywords=0x8000000000000000 Task=None Opcode=Start Message=The Group Policy settings for the user were processed successfully. No changes were detected since the last successful Group Policy processing.
The IP 192.168.2.30 is only a local interface and is not the IP of the interface that is used to communicate with the corporate network.
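As an added example (not part of the original post, and not WinCollect or QRadar code), the following Python script parses WinCollect event lines of the format shown above and flags events whose OriginatingComputer address falls outside the expected corporate ranges. It lets you measure how many events in a log export carry an address from a non-corporate interface before they are mapped to Source/Destination IP in QRadar. The corporate range 10.0.0.0/8, the second sample event, and the sample IPs are assumptions constructed for illustration; the parser relies on Message= being the last field, as in the post's example.

```python
import ipaddress

# Assumed corporate address space for this example; adjust to your own ranges.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample events modelled on the line in the post (hostnames,
# addresses and the second event are made up for this example).
SAMPLE_EVENTS = [
    "<13>Dec 16 12:27:47 host AgentDevice=WindowsLog AgentLogFile=System PluginVersion=7.3.0.41 "
    "Source=Microsoft-Windows-GroupPolicy Computer=xxx.yyy.ccc.de OriginatingComputer=192.168.2.30 "
    "User=XXX Domain=XXX EventID=1501 EventIDCode=1501 EventType=4 EventCategory=0 RecordNumber=65426 "
    "TimeGenerated=1608118065 TimeWritten=1608118065 Level=Informational Keywords=0x8000000000000000 "
    "Task=None Opcode=Start Message=The Group Policy settings for the user were processed successfully.",
    "<13>Dec 16 12:28:01 host AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.3.0.41 "
    "Source=Microsoft-Windows-Security-Auditing Computer=xxx.yyy.ccc.de OriginatingComputer=10.20.30.40 "
    "User=XXX Domain=XXX EventID=4624 EventIDCode=4624 EventType=8 EventCategory=12544 RecordNumber=65427 "
    "TimeGenerated=1608118081 TimeWritten=1608118081 Level=Informational Keywords=0x8020000000000000 "
    "Task=Logon Opcode=Info Message=An account was successfully logged on. Logon Type: 3",
]


def parse_wincollect(line):
    """Split a WinCollect syslog payload into a dict of key=value fields.

    Every field before Message= is a single space-free token, while Message=
    is the last field and keeps the rest of the line verbatim (it may contain
    spaces and further '=' characters), so it is split off first.
    """
    head, sep, message = line.partition(" Message=")
    fields = {}
    for token in head.split(" "):
        # Tokens without '=' are the syslog PRI/timestamp/host prefix; skip them.
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    if sep:
        fields["Message"] = message
    return fields


def originating_ip(fields):
    """Return OriginatingComputer as an ip_address object, or None if it is not an IP."""
    try:
        return ipaddress.ip_address(fields.get("OriginatingComputer", ""))
    except ValueError:
        return None


def off_network(fields, corporate_nets=CORPORATE_NETS):
    """True when OriginatingComputer is a valid IP outside every corporate range.

    Such an event would reach QRadar with a Source/Destination IP taken from an
    interface the host did not use to talk to the corporate network.
    """
    ip = originating_ip(fields)
    if ip is None:
        return False
    return not any(ip in net for net in corporate_nets)


def audit(lines, corporate_nets=CORPORATE_NETS):
    """Return (Computer, OriginatingComputer, EventID) for each off-network event."""
    findings = []
    for line in lines:
        fields = parse_wincollect(line)
        if off_network(fields, corporate_nets):
            findings.append((fields.get("Computer"),
                             fields.get("OriginatingComputer"),
                             fields.get("EventID")))
    return findings


if __name__ == "__main__":
    for hit in audit(SAMPLE_EVENTS):
        print("OriginatingComputer outside corporate ranges:", hit)
```

Run against a raw syslog capture or a WinCollect log export, the audit reports which hosts and event IDs are affected; the Computer field (the FQDN) stays reliable even when OriginatingComputer does not, so it is the better key for correlating the event back to the host.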