IBM QRadar

  • 1.  WinCollect TLS connection

    Posted Wed August 26, 2020 02:06 PM

    Hi guys,

    I'm trying to deploy a WinCollect agent using the TLS protocol. The installation and log source deployment run smoothly; however, no events get to the Console. I keep on receiving Error 10061:

    Cannot connect to server -- Error code 10061: A connection can't be established. The destination host denied the connection.

    I'm using WinCollect 7.3.0

    Regards,

    Gabriel Crespo



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: WinCollect TLS connection

    Posted Thu August 27, 2020 09:37 AM

    Hello

    From the WinCollect machine, can you connect to the remote server using Event Viewer and see if it goes through? Also, on the WinCollect machine, check the logs for error messages.

    T&R





  • 3.  RE: WinCollect TLS connection

    Posted Thu August 27, 2020 10:04 AM

    Hi,

    There's no remote server. The WinCollect agent is installed on the server that generates the logs. The problem is not reading the log messages, it is sending them to the Console.

    Regards,

    Gabriel Crespo





  • 4.  RE: WinCollect TLS connection

    Posted Thu August 27, 2020 11:21 AM

    Hello,

    Any errors in C:\Program Files\IBM\WinCollect\logs\? The log file is named WinCollect.log.


    T&R





  • 5.  RE: WinCollect TLS connection

    Posted Thu August 27, 2020 01:03 PM

    Hi,

    The error I posted in the first message is from WinCollect.log:


    Cannot connect to server -- Error code 10061: A connection can't be established. The destination host denied the connection.


    Regards,

    Gabriel Crespo





  • 6.  RE: WinCollect TLS connection

    Posted Fri August 28, 2020 12:44 PM

    Hey,


    Can you change to Syslog over 514 TCP/UDP instead of TLS and give it a try to see if you're receiving logs? If it works, you can narrow it down to a TLS issue.


    The guide below shows the config of required TLS settings

    https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.wincollect.doc/b_wincollect.pdf?origURL=SS42VS_7.3.2/com.ibm.wincollect.doc/b_wincollect.pdf


    T&R





  • 7.  RE: WinCollect TLS connection

    Posted Fri August 28, 2020 01:09 PM

    Hi,

    There is no problem when using TCP/UDP. It's obviously a TLS problem. It looks like QRadar is not allowing any connection on port 6514 although the log source is configured.


    Regards,

    Gabriel Crespo





  • 8.  RE: WinCollect TLS connection

    Posted Sat August 29, 2020 06:40 AM

    Hello,

    I saw your response in email but for some reason it's not updated here.

    Error code 10061 usually is an indication that the TLS versions are not negotiated properly. Can you check on your system if the TLS versions are correctly configured, and also on QRadar?

    https://www.ibm.com/support/pages/wincollect-how-enabledisable-tls-communication-options-qradar

    T&R
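
A check that separates the two stages discussed in this thread, as an added example that is not part of any post here and is not IBM code: it opens a plain TCP connection to the TLS syslog port, then attempts a handshake pinned to each TLS version, and reports the Winsock code or handshake error for whichever stage fails. The host name `qradar.example.com` and the function name `Test-TlsSyslogPath` are assumptions; port 6514 is the one named above.

```powershell
# Added example: hypothetical diagnostic helper, not part of WinCollect or QRadar.
# 'qradar.example.com' is a placeholder; 6514 is the port named in the thread.
param(
    [string]$Server = 'qradar.example.com',
    [int]$Port = 6514
)

function Test-TlsSyslogPath {
    param(
        [string]$Server,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $r = [ordered]@{ Protocol = $Protocol; Tcp = 'failed'; Tls = 'not attempted'; Detail = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Stage 1: TCP only. A failure here happens before any TLS byte is sent.
        $client.Connect($Server, $Port)
        $r.Tcp = 'connected'

        # Stage 2: TLS handshake pinned to one protocol version, with default
        # certificate validation left on. No application data is sent.
        $r.Tls = 'failed'
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
        $r.Tls = 'negotiated'
        $r.Detail = "peer certificate: $($ssl.RemoteCertificate.Subject)"
        $ssl.Dispose()
    } catch {
        $e = $_.Exception.GetBaseException()
        if ($e -is [System.Net.Sockets.SocketException]) {
            # Winsock code, e.g. the 10061 that WinCollect.log shows in this thread.
            $r.Detail = "Winsock $($e.NativeErrorCode) ($($e.SocketErrorCode))"
        } else {
            # Handshake or certificate validation error text from SslStream.
            $r.Detail = $e.Message
        }
    } finally {
        $client.Close()
    }
    [pscustomobject]$r
}

'Tls', 'Tls11', 'Tls12' | ForEach-Object {
    Test-TlsSyslogPath -Server $Server -Port $Port -Protocol $_
} | Format-Table -AutoSize
```

Run it from the WinCollect host so the result reflects the same network path the agent uses.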


