IBM QRadar

  • 1.  WinCollect tag added by Agent while using WEF

    Posted Thu November 21, 2024 10:25 AM

    Dear community,

    we are forwarding Windows events to QRadar using WEF:


    Windows Event Forwarding (WEF)

    The WinCollect agent can use the built-in Microsoft function Windows Event Forwarding (WEF). WEF reads any operational (i.e., security) or administrative (i.e., Sysmon) event log on a device in your organization and forwards the events that you choose to a Windows Event Collector (WEC) server. You can install the WinCollect agent on the WEC server and collect from the forwarded event log. Before sending these forwarded events to QRadar, the agent packages them in such a manner that they appear to be coming directly from each of the endpoints. QRadar automatically creates log sources for each endpoint that is sending logs to the Windows Event Collector (WEC) server.
    It is working fine, but we have multiple WEC servers sending events from many source Windows servers.
    In QRadar all end servers are visible under separate Log Sources and that's what we want.
    We are looking for a way to get WEC server "tag" added to each event (without modifying identifier), so we still have events from each end device under separate Log Source, but we also have visibility what WEC server has collected the event and sent it to QRadar.
    Do you know if this is possible?
    We are using WinCollect Agents in Standalone mode in v10.
    Regards,
    Mateusz 


    ------------------------------
    Mateusz Wrobel
    ------------------------------


  • 2.  RE: WinCollect tag added by Agent while using WEF

    Posted Thu November 21, 2024 11:14 AM

    From the top of my head, I recall the option in WC10 to include the agent id when you define a destination, and in the log you will get something like this 

    <13>Nov 20 17:00:01 <HostID> AgentID=<WCagentHost> AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=WC.MSEVEN6.10.1.12.15    Source=Microsoft-Windows-Security-Auditing    Computer= ...

    ...thus having 1 agent for each WEC server (collecting forwarded events locally by agents) would eventually provide what you were looking for.



    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: WinCollect tag added by Agent while using WEF

    Posted Tue November 26, 2024 03:20 AM

    Hi,

    I'm struggling with the exact same issue and the above solution by @Dusan VIDOVIC would be perfect for us. The only issue is that WC10 is still not perfect for enterprise use. Is there any similar option for older versions?

    Thanks



    ------------------------------
    László Pál
    ------------------------------



  • 4.  RE: WinCollect tag added by Agent while using WEF

    Posted Wed November 27, 2024 02:45 AM

    Hello @Dusan VIDOVIC, thanks for the response, unfortunately this option is not working. We tried this but there is still both <HostID> and AgentID set to the original server hostname.

    I will try to report this to IBM support as a bug, but from what I know someone from my team tried it before and they were not able to fix it nor admit a bug.

    Regards



    ------------------------------
    Mateusz Wrobel
    ------------------------------



  • 5.  RE: WinCollect tag added by Agent while using WEF

    Posted Wed November 27, 2024 03:03 AM

    You mentioned: "We are looking for a way to get WEC server "tag" added to each event (without modifying identifier), so we still have events from each end device under separate Log Source, but we also have visibility what WEC server has collected the event and sent it to QRadar."

    The Host ID is basically your log source identifier. The message still follows a standard format <PRIORITY> DATE&TIME HOSTNAME; without the HOSTNAME (Host ID) the logs coming from different systems could not be attributed to their own/separate log sources.
    I imagine the case when the Host ID and the WC Agent ID would be same is for the logs collected from the Windows server hosting the WC Agent (not the forwarded section).



    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 6.  RE: WinCollect tag added by Agent while using WEF

    Posted Wed December 04, 2024 04:04 AM

    Hello guys,

    we have resolved this problem, so wanted to let you know about it.

    The "Include Agent ID" option is working, but you need to define it in a slightly different way:
    we changed IncludeAgentID = "true" to IncludeAgentID = "<WCAgentHost>" and it started to work as expected.

    Regards,

    Mateusz



    ------------------------------
    Mateusz Wrobel
    ------------------------------
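The thread turns on two facts about the line format Dusan quotes in reply 2: the syslog HOSTNAME slot (the HostID, which QRadar uses as the log source identifier) must stay the endpoint's name, while the AgentID=... field in the payload should name the WEC server running WinCollect. Reply 4 describes the failure mode where both carry the endpoint name, and reply 5 notes that for the WEC server's own local logs the two legitimately match. The script below is an added example, not code from the original thread, IBM or WinCollect: it parses lines in that format and flags forwarded events whose AgentID collapsed onto the HostID. The hostnames, event IDs and the tab separator between payload fields are assumptions for the constructed samples; check a real line from your agent before relying on the separator.

```python
"""Parse WinCollect syslog lines that carry the 'Include Agent ID' header and
check that both the endpoint (HostID) and the collecting WEC server (AgentID)
are recoverable from each forwarded event."""
import re
from collections import defaultdict

# Syslog header as described in reply 5: <PRI>, a BSD-style timestamp, then
# the HostID that QRadar uses as the log source identifier, then the payload.
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<payload>.*)$",
    re.DOTALL,
)

# Constructed sample events (hostnames and event IDs invented). The payload
# field separator is assumed to be a tab; adjust if your agent differs.
SAMPLE_EVENTS = [
    # Healthy: event from srv-app01, collected by WEC server wec-01.
    "<13>Nov 20 17:00:01 srv-app01 AgentID=wec-01\tAgentDevice=WindowsLog"
    "\tAgentLogFile=ForwardedEvents\tPluginVersion=WC.MSEVEN6.10.1.12.15"
    "\tSource=Microsoft-Windows-Security-Auditing\tComputer=srv-app01.example.local\tEventID=4624",
    # Healthy: a second endpoint behind a different WEC server.
    "<13>Nov 20 17:00:02 srv-db02 AgentID=wec-02\tAgentDevice=WindowsLog"
    "\tAgentLogFile=ForwardedEvents\tPluginVersion=WC.MSEVEN6.10.1.12.15"
    "\tSource=Microsoft-Windows-Security-Auditing\tComputer=srv-db02.example.local\tEventID=4688",
    # Failure mode from reply 4: AgentID collapsed onto the endpoint name, so the
    # WEC server that collected the event is no longer visible.
    "<13>Nov 20 17:00:03 srv-app01 AgentID=srv-app01\tAgentDevice=WindowsLog"
    "\tAgentLogFile=ForwardedEvents\tPluginVersion=WC.MSEVEN6.10.1.12.15"
    "\tSource=Microsoft-Windows-Security-Auditing\tComputer=srv-app01.example.local\tEventID=4625",
    # Local (non-forwarded) Security log of the WEC server itself: here HostID
    # and AgentID legitimately match, as reply 5 points out.
    "<13>Nov 20 17:00:04 wec-01 AgentID=wec-01\tAgentDevice=WindowsLog"
    "\tAgentLogFile=Security\tPluginVersion=WC.MSEVEN6.10.1.12.15"
    "\tSource=Microsoft-Windows-Security-Auditing\tComputer=wec-01.example.local\tEventID=4672",
]


def parse_wincollect_line(line: str) -> dict:
    """Split one line into facility/severity, timestamp, HostID and the
    key=value payload fields. Raises ValueError on a malformed header."""
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a WinCollect syslog line: {line[:60]!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # RFC 3164: facility 0-23, severity 0-7
        raise ValueError(f"invalid PRI {pri}")
    fields = {}
    for part in m.group("payload").split("\t"):
        key, sep, value = part.partition("=")
        if sep:  # skip fragments without '=' rather than guessing a key
            fields[key.strip()] = value.strip()
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host_id": m.group("host"),
        "fields": fields,
    }


def check_agent_tagging(lines) -> dict:
    """Return which WEC agents delivered events for each HostID, plus the
    forwarded events where AgentID is missing or equals the HostID. Events
    from the agent host's own logs are exempt: there HostID == AgentID is
    expected."""
    by_host = defaultdict(set)
    issues = []
    for line in lines:
        ev = parse_wincollect_line(line)
        agent = ev["fields"].get("AgentID")
        event_id = ev["fields"].get("EventID", "?")
        if agent is None:
            issues.append((ev["host_id"], event_id))
            continue
        by_host[ev["host_id"]].add(agent)
        forwarded = ev["fields"].get("AgentLogFile") == "ForwardedEvents"
        if forwarded and agent == ev["host_id"]:
            issues.append((ev["host_id"], event_id))
    return {
        "by_host": {h: sorted(a) for h, a in by_host.items()},
        "issues": issues,
    }


if __name__ == "__main__":
    result = check_agent_tagging(SAMPLE_EVENTS)
    for host, agents in result["by_host"].items():
        print(f"{host}: collected by {', '.join(agents)}")
    for host, event_id in result["issues"]:
        print(f"WARNING: forwarded event {event_id} from {host} has no distinct WEC AgentID")
```

Run it against a few hundred lines captured from each destination (for instance, from the WinCollect agent's local log or a packet capture on the syslog port) after changing the IncludeAgentID setting: a healthy deployment shows every forwarded HostID mapped to exactly one WEC agent name, and an empty issues list. In QRadar itself the same check translates to a custom property extracting AgentID from the payload, which can then be used in searches and reference sets without touching the log source identifier.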