IBM QRadar

  • 1.  Windows Forwarded Events Information

    Posted Thu November 22, 2018 10:30 AM

    Greetings All,
    Does QRadar support XPath Query for forwarded events?

    The link below from QRadar states that XPath queries cannot filter Windows Forwarded Events.

    https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.wincollect.doc/c_ug_wincollect_xpathqueryexamples.html


    In the Windows Event Collector LDN-P-EVTCOL01 there are 2 subscriptions.

    • Ares-DomainControllerSecLog
    • PaloAlto


    Subscription: Ares-DomainControllerSecLog the Destination Log is "Ares-EventForwarding/ Ares-Domain_Controllers".


    Subscription: PaloAlto the Destination Log is "Forwarded Events".

    In QRadar Log Sources, there is nowhere I can define "Ares-DomainControllerSecLog", and according to the link I provided, XPath queries for forwarded events are not supported.

     Thanks in Advance.



    ------------------------------
    Hemant Kumar
    ------------------------------


  • 2.  RE: Windows Forwarded Events Information

    Posted Tue November 27, 2018 06:47 PM

    We do not support XPath queries for data from the Forwarded log in the Windows Event Viewer. Events that are written using subscriptions (forwarded logs) require a log source that has the 'Forwarded' event type check box selected.  

    If you have a situation where you have a subscription that is writing events into a specific file, as is the case with your DCs, then we would likely suggest that you put a local agent on each of these domain controllers and create a local log source with an XPath query to the ADFS log you want to capture.

    The reason for this recommendation is that each check box you select in the log source is a unique API query using the Windows Event Collection protocol. When you create a log source that has a check box for Security, Application, System, XPath, and Forwarded, it is actually creating 5 (or more, depending on what is in the XPath XML) unique queries to collect data. The Forwarded check box queries the Forwarded event log directly by name, so unless your events are in the Forwarded log, they will need a standard event viewer log that is a non-subscription type. So, the recommendation for your issue is to put an agent on the domain controller and have it pull the local ADFS logs to send to QRadar.

    Let me know if you have any follow-up questions. I did confirm this information with the WinCollect product owner. 



    ------------------------------
    Jonathan Pechta

    -----
    QRadar Support Content Lead
    Atlanta, GA
    jonathan.pechta1@ibm.com
    ------------------------------



  • 3.  RE: Windows Forwarded Events Information

    Posted Wed November 28, 2018 05:56 AM
    If you really want to use Windows Event Forwarding to centralize the logs, you can forward them with GPO settings.

    What you could do is create a subscription that puts the forwarded events not in "Forwarded Events" but dumps them in the "Application" log; then you can use an XPath query to get the logs from the Application log and only get the event IDs appropriate for your use.

    We use that with some Sysmon logs so that you can get them in one log source and not in separate log sources like with the forwarded logs (I've heard that in WinCollect 7.2.9 you can change that behaviour).

    ------------------------------
    Martijn Groenewegen
    ------------------------------
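The following is an added example and is not code from the thread, from IBM, or from WinCollect. It puts posts 2 and 3 together: because each checked log type in a WinCollect log source is its own query against a named event log, the workaround is a collector-side subscription whose destination log is Application rather than ForwardedEvents, with a matching XPath filter on the QRadar side. The collector name LDN-P-EVTCOL01 and subscription name Ares-DomainControllerSecLog come from post 1; the event IDs, batching values and the SDDL for allowed source computers are assumptions or placeholders and need to be replaced for a real deployment.

```powershell
# Added example: subscription that delivers DC security events into the collector's
# Application log (post 3's workaround) plus the WinCollect XPath that reads them back.
# Run on the collector (LDN-P-EVTCOL01) as an administrator after `wecutil qc`.

$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/02/subscription">
  <SubscriptionId>Ares-DomainControllerSecLog</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>DC security events delivered into the Application log for a WinCollect XPath log source</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <!-- Assumed values: flush after 5 events or 30 s, whichever comes first -->
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="60000"/>
    </PushSettings>
  </Delivery>
  <!-- Source-side filter: only the event IDs we want leave the DC (IDs are assumptions) -->
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4720)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <!-- Destination log on the collector. The default is ForwardedEvents, which WinCollect
       can only read via the 'Forwarded' check box; Application is readable by an XPath log source. -->
  <LogFile>Application</LogFile>
  <AllowedSourceNonDomainComputers/>
  <!-- PLACEHOLDER SDDL: grant the group that contains the domain controllers; replace the SID -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;S-1-5-21-PLACEHOLDER-516)</AllowedSourceDomainComputers>
</Subscription>
'@

$subscriptionFile = Join-Path $env:TEMP 'Ares-DomainControllerSecLog.xml'
Set-Content -Path $subscriptionFile -Value $subscriptionXml -Encoding UTF8

wecutil cs $subscriptionFile                 # create-subscription
wecutil gr Ares-DomainControllerSecLog       # get-subscriptionruntimestatus: which DCs are delivering

# Collector-side XPath to paste into the WinCollect log source (Path=Application).
# The Application log also holds the collector's own local events, so the filter keys on
# the security-auditing provider as well as the event IDs to avoid accidental matches.
$winCollectXPath = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
        and (EventID=4624 or EventID=4625 or EventID=4720)]]
    </Select>
  </Query>
</QueryList>
'@
Write-Output $winCollectXPath
```

The source computers still need to be pointed at the collector, which is the GPO side of the thread: the "Configure target Subscription Manager" policy under Windows Components > Event Forwarding, with a value of the form `Server=http://LDN-P-EVTCOL01.<domain>:5985/wsman/SubscriptionManager/WEC,Refresh=60` (domain suffix is a placeholder). Check `wecutil gr` before blaming the QRadar side: if no source shows as Active, the XPath log source has nothing to read regardless of how it is configured.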



  • 4.  RE: Windows Forwarded Events Information

    Posted Thu November 29, 2018 09:29 AM
    Can you point me to a document that details exactly which GPO settings are required to enable log forwarding from a Windows server to a WinCollect server? If not, would you be willing to provide that information here? I have some GPO-created subscriptions but do not know if they are entirely correct, and I would like to have documentation of how to do that.

    I would like to forward security, system, and application logs if I can. Right now, I am only able to forward security logs by GPO.

    Thank you for your input on this topic to date, and thanks for any additional pointers you may be able to provide. 


    ------------------------------
    _____________________
    Daniel Sichel
    ------------------------------



  • 5.  RE: Windows Forwarded Events Information

    Posted Mon December 10, 2018 09:45 AM
    I don't really have documentation apart from my own searches on configuring it. Maybe have a look at https://www.logbinder.com/Products/Supercharger/; it has some nice documentation and guides you through the GPOs you need to create, I think.

    ------------------------------
    Martijn Groenewegen
    ------------------------------