Thanks for your reply. Yes, I have multiple hosts in different networks where I need the hostname and IP in the description, but I don't need to edit a bulk of log sources. I have WinCollect that needs to be installed on some Windows machines, so I'll use the script to install it on all machines, but the script only uses the hostname. Can I modify the script to make it use the hostname and the IP?
c:\wincollect-7.3.1-22.x64.exe /s /v"/qn INSTALLDIR=\"C:\Program Files\IBM\WinCollect\" AUTHTOKEN=fad4d0e5-588a-44a3-89ef-7a37e4b0b477 FULLCONSOLEADDRESS=10.99.11.160:8413 HOSTNAME=%COMPUTERNAME% LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=%COMPUTERNAME%&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=true&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=true&Component1.Destination.Name=NBKwincollect&Component1.RemoteMachinePollInterval=3000&Component1.EventRateTuningProfile=Typical+Server&Component1.MinLogsToProcessPerPass=500&Component1.MaxLogsToProcessPerPass=750"""
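One way to do what the post above asks, as an added example that is not code from the thread or from IBM: a PowerShell wrapper that looks up the host's own IPv4 address at install time and splices `<hostname>@<ip>` into the `Component1.LogSourceName` value, keeping the rest of the posted command (and its `\"` / `""` quoting) unchanged. The installer path, console address and destination name are copied from the posted command as placeholders; the token is left as `<AUTHTOKEN>` and the `-Install` switch, `Get-SourceIPv4` and `New-WinCollectArgumentList` are names introduced here, not WinCollect options.

```powershell
<#
  Added example (not from the thread or from IBM). Builds the poster's silent-install
  command so that the auto-created log source is named <hostname>@<ip>.
  Parameter defaults are placeholders copied from the posted command; replace them.
  Run without -Install to only print the command it would execute.
#>
param(
    [string]$Installer   = 'C:\wincollect-7.3.1-22.x64.exe',
    [string]$AuthToken   = '<AUTHTOKEN>',   # keep the real token out of scripts on shared drives
    [string]$ConsoleHost = '10.99.11.160',
    [int]   $ConsolePort = 8413,
    [string]$Destination = 'NBKwincollect',
    [switch]$Install
)

# Resolve the IPv4 address this host uses to reach the QRadar console. Connecting a UDP
# socket sends nothing on the wire, but makes the OS choose the source address from its
# routing table, so multi-homed hosts report the NIC the console will actually see.
function Get-SourceIPv4 {
    param([string]$RemoteHost, [int]$RemotePort)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Connect($RemoteHost, $RemotePort)
        return $udp.Client.LocalEndPoint.Address.IPAddressToString
    } finally {
        $udp.Close()
    }
}

# Values are spliced into an '&'-delimited, '+'-for-space parameter string that is itself
# inside nested quotes, so refuse anything that could act as a delimiter or a quote.
function Test-SafeParameterValue {
    param([string]$Value)
    return ($Value -match '^[A-Za-z0-9._@:\-]+$')
}

function New-WinCollectArgumentList {
    param([string]$HostName, [string]$IPv4)
    foreach ($v in @($HostName, $IPv4)) {
        if (-not (Test-SafeParameterValue $v)) { throw "Unsafe value for log source parameters: '$v'" }
    }
    $logSourceName = "$HostName@$IPv4"
    $autoCreate = @(
        'Component1.AgentDevice=DeviceWindowsLog'
        'Component1.Action=create'
        "Component1.LogSourceName=$logSourceName"
        "Component1.LogSourceIdentifier=$HostName"   # identifier stays the hostname the events carry
        'Component1.Log.Security=true'
        'Component1.Log.System=true'
        'Component1.Log.Application=true'
        'Component1.Log.DNS+Server=false'
        'Component1.Log.File+Replication+Service=false'
        'Component1.Log.Directory+Service=true'
        "Component1.Destination.Name=$Destination"
        'Component1.RemoteMachinePollInterval=3000'
        'Component1.EventRateTuningProfile=Typical+Server'
        'Component1.MinLogsToProcessPerPass=500'
        'Component1.MaxLogsToProcessPerPass=750'
    ) -join '&'

    # Same quoting as the posted command: \" around the install path inside /v"...",
    # and "" around the parameter string so msiexec receives literal quotes.
    $msiProps = '/qn INSTALLDIR=\"C:\Program Files\IBM\WinCollect\"' +
                " AUTHTOKEN=$AuthToken" +
                " FULLCONSOLEADDRESS=${ConsoleHost}:${ConsolePort}" +
                " HOSTNAME=$HostName" +
                ' LOG_SOURCE_AUTO_CREATION_ENABLED=True' +
                ' LOG_SOURCE_AUTO_CREATION_PARAMETERS=""' + $autoCreate + '""'
    return '/s /v"' + $msiProps + '"'
}

$hostName = $env:COMPUTERNAME
$ipv4     = Get-SourceIPv4 -RemoteHost $ConsoleHost -RemotePort $ConsolePort
$argList  = New-WinCollectArgumentList -HostName $hostName -IPv4 $ipv4

Write-Host "Log source will be created as: $hostName@$ipv4"
Write-Host "$Installer $argList"
if ($Install) {
    $proc = Start-Process -FilePath $Installer -ArgumentList $argList -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "WinCollect installer exited with code $($proc.ExitCode)" }
}
```

Two caveats worth checking on one host before rolling this out: the script assumes QRadar accepts `@` inside the `LogSourceName` value as-is (it is not URL-encoded here), and `Get-SourceIPv4` throws a socket exception if the host has no route to the console address, which is the right failure since the agent could not reach the console either.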
Original Message:
Sent: Thu March 07, 2024 10:56 AM
From: Jonathan Pechta
Subject: wincollect script
@osama ahmed
The WinCollect agent when you install it must use either the hostname or the IP address. The log sources that are auto discovered can be modified as to how they auto discover in the user interface. For example, there are template fields that allow you to define variables that can be used to set the log source name. In the DSM Editor, if you open the Microsoft Windows Security Event Log DSM, then click the Configuration tab, these values are displayed. I'm going to list the options below from the UI:
Template for setting the name of the selected log sources. The following variables are available:
$$NAME$$ The name of the log source.
$$DESCRIPTION$$ The description of the log source.
$$SOURCE_ADDRESS$$ The Log Source Identifier.
$$LOG_SOURCE_TYPE$$ The log source type name.
$$PROTOCOL_TYPE$$ The log source protocol type name.
$$TARGET_EVENT_COLLECTOR$$ The event collector name.
$$DISCONNECTED_LOG_COLLECTOR$$ The disconnected log collector name.
Optionally, if you select and edit one or more log sources, you can also change the template. If this is something you need for all log sources, you can use the DSM Editor to customize how the name autodiscovers in QRadar.
Not sure if this solves your issue, but let us know if you have follow-up questions.
Edit: Also, just to add to this, I'd be interested in hearing what this use case is. Do you have multiple hosts in different networks where you'd need the hostname and IP in the description? For example, WindowsAD@x.x.x.x and WindowsAD@y.y.y.y, where you want to ensure they are visibly different. I will also note that you can put in custom text too. The issue I mentioned, where a user logged a case as they were asking about bulk editing the template names, was adding values as customerName@ $$LOG_SOURCE_TYPE$$ @ $$SOURCE_ADDRESS$$. This is something we are currently looking into to replicate, but I wanted to mention it in case you see the LSM app seem to run on endlessly when bulk editing the name template with customized text.
------------------------------
Jonathan Pechta
IBM Security - Community of Practice Lead
jonathan.pechta1@ibm.com
Original Message:
Sent: Wed March 06, 2024 09:23 AM
From: osama ahmed
Subject: wincollect script
Hello all,
I want to install WinCollect 7 using the command line, but when the log source is created on QRadar it is created as wincollect@hostname,
but I need it to be created as wincollect@hostname@ip.
------------------------------
osama ahmed
------------------------------