IBM QRadar
  • 1.  Windows log forward to IBM QRadar using WinCollect

    Posted Mon March 03, 2025 11:09 AM

    Hello all,

    hope you all are doing well,

    I have multiple PCs and laptops from which I intend to send logs to QRadar using the WinCollect Agent in standalone mode. However, after configuring the agent to send logs to QRadar, restarting the WinCollect service, and applying a source IP filter in the Log Activity tab to monitor the logs, I find that the log source is not being added to QRadar.

    And a second thing: if I add the log source manually, then the event name looks like this in the attached picture.

    Could you provide guidance on troubleshooting this issue?

    Your swift response will be highly appreciated,

    Regards,

    Osama Ahmed



    ------------------------------
    Osama Ahmed
    ------------------------------


  • 2.  RE: Windows log forward to IBM QRadar using WinCollect

    Posted Thu March 06, 2025 10:19 AM

    I am having the same problem.



    ------------------------------
    Advid Tran
    ------------------------------



  • 3.  RE: Windows log forward to IBM QRadar using WinCollect

    Posted Fri March 07, 2025 02:24 AM

    Osama, I could not see the picture. Did you confirm that the events arrive at the QRadar instance (i.e. do you see them under the SIM Generic log source)? If so, can you also post a sample log (anonymise the IPs and/or usernames, of course)?



    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 4.  RE: Windows log forward to IBM QRadar using WinCollect

    Posted Sat March 08, 2025 01:51 PM
    Edited by Abdul Quadeer Sat March 08, 2025 01:54 PM

    Hi,

    From the snap it's clear that the event name is the same as the LS name. If possible, could you please share the config file content of the WinCollect agent? Don't forget to hide sensitive data in the file.


    ------------------------------
    Abdul Quadeer
    ------------------------------



  • 5.  RE: Windows log forward to IBM QRadar using WinCollect

    Posted Mon March 10, 2025 02:14 AM

    Hello,

    Thanks for your kind response. The issue has been resolved by manually adding the log source; snaps are attached, please review again. Thanks.



    ------------------------------
    Osama Ahmed
    ------------------------------



  • 6.  RE: Windows log forward to IBM QRadar using WinCollect

    Posted Mon March 10, 2025 02:16 AM

    Hello Abdul,

    The issue has been resolved by manually adding the log source; snaps are attached.



    ------------------------------
    Osama Ahmed
    ------------------------------



  • 7.  RE: Windows log forward to IBM QRadar using WinCollect
    Best Answer

    Posted Mon March 10, 2025 04:23 AM
    Edited by Sejid Canoski Mon March 10, 2025 06:52 AM

    Hello Osama,

    First of all, I read that the issue has been solved. Glad to hear that.

    However, I would like to add some guidance to troubleshoot this issue if it happens again in the future.

    From the attached screenshot I can see that the Low-Level Category is "Stored".
    In QRadar a Stored event means that QRadar cannot understand or cannot properly parse the incoming event. The event is still written to disk and displayed.
    Please try to also capture the High-Level Category in the future.
    The reason for that is if the High-Level Category is "Unknown", that would indicate that the event is collected and parsed, but cannot be mapped or categorized to a specific log source. The event will be associated with the SIM Generic log source.

    In your case you should double-click a stored event and compare the raw payload with the normalized fields (the parsed events, e.g. Source IP, Destination IP, ...). If you see that the content is not properly extracted, you know that the event is not properly processed.
    Double-check if the auto-detected or manually added log source is correctly configured.

    If the log source is correctly configured, you can select the stored events in the Log Activity tab and under Actions open the DSM Editor.
    In the DSM Editor you can see how QRadar is parsing the event. Here you can either add properties and parse them properly or override system behavior for not properly parsed values. Additionally, you can adjust the event mapping.

    Following are links to the official documentation:

    1. High-level event categories
    2. Low-level event category: Stored
    3. Troubleshooting DSMs
    4. DSM Editor Overview

    I hope this helps for future events.

    Stay cyber resilient,
    Sejid



    ------------------------------
    Sejid Canoski
    Technical Presales Consultant/Architect
    TD SYNNEX Germany GmbH & Co. OHG
    Munich
    ------------------------------
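The manual check described in the answer above (look at the category, then compare the raw payload with the normalized fields) can be scripted for a batch of exported events. The following is an added example and not code from the thread, from IBM, or from the WinCollect agent. The key=value payload layout, the field names, the two normalized records and the category strings are all constructed for illustration; the real agent format and QRadar's event details may differ, so adjust the parser to what you actually see in the payload view.

```python
import re

# Constructed sample: a Windows Security logon event (4624) in an ASSUMED
# syslog + tab-separated key=value layout. Not copied from the thread.
RAW_PAYLOAD = (
    "<13>Mar 10 09:15:02 WORKSTATION01 AgentDevice=WindowsLog\t"
    "AgentLogFile=Security\tSource=Microsoft-Windows-Security-Auditing\t"
    "Computer=WORKSTATION01.example.local\tUser=\tDomain=\tEventID=4624\t"
    "EventIDCode=4624\tEventType=8\tKeywords=Audit Success\t"
    "Message=An account was successfully logged on. Subject: ... "
    "New Logon: Account Name: jdoe Account Domain: EXAMPLE "
    "Logon Type: 3 Network Information: Source Network Address: 192.0.2.45 "
    "Source Port: 51234"
)

# Constructed "normalized" view of the same event as QRadar might display it
# when the event is stored: the event name equals the log source name (as in
# the original question) and no fields were extracted.
NORMALIZED_STORED = {
    "Event Name": "Workstations-WinCollect",
    "Low Level Category": "Stored",
    "Username": "N/A",
    "Source IP": "0.0.0.0",
    "Event ID": None,
}

# Constructed normalized view of a correctly parsed and mapped event.
NORMALIZED_PARSED = {
    "Event Name": "Success Audit: An account was successfully logged on",
    "Low Level Category": "User Login Success",
    "High Level Category": "Authentication",
    "Username": "jdoe",
    "Source IP": "192.0.2.45",
    "Event ID": "4624",
}


def parse_payload(raw: str) -> dict:
    """Split the assumed key=value payload and pull out the values an analyst
    would expect to find in the normalized record: event id, user, source IP."""
    # Drop the syslog header (PRI+month, day, time, host); keep the body.
    body = raw.split(" ", 4)[4] if raw.startswith("<") else raw
    fields = {}
    for kv in body.split("\t"):
        key, sep, value = kv.partition("=")
        if sep:
            fields[key] = value
    msg = fields.get("Message", "")
    m_user = re.search(r"New Logon:.*?Account Name:\s*(\S+)", msg)
    m_ip = re.search(r"Source Network Address:\s*(\d{1,3}(?:\.\d{1,3}){3})", msg)
    return {
        "Event ID": fields.get("EventID"),
        "Username": m_user.group(1) if m_user else None,
        "Source IP": m_ip.group(1) if m_ip else None,
        "Log": fields.get("AgentLogFile"),
    }


def diagnose(raw: str, normalized: dict) -> dict:
    """Classify one event the way the answer suggests: stored means unparsed,
    an Unknown high-level category means parsed but unmapped, and a parsed
    event whose normalized fields disagree with the payload needs property
    work in the DSM Editor."""
    expected = parse_payload(raw)
    mismatches = [
        name for name in ("Event ID", "Username", "Source IP")
        if expected[name] is not None and normalized.get(name) != expected[name]
    ]
    if normalized.get("Low Level Category") == "Stored":
        verdict = "stored: payload not parsed; check log source type and protocol, then DSM Editor"
    elif normalized.get("High Level Category") == "Unknown":
        verdict = "unknown: parsed but not mapped; adjust event mapping in DSM Editor"
    elif mismatches:
        verdict = "parsed but fields missing; fix property extraction in DSM Editor"
    else:
        verdict = "ok"
    return {"verdict": verdict, "expected": expected, "mismatches": mismatches}


if __name__ == "__main__":
    for label, record in (("stored", NORMALIZED_STORED), ("parsed", NORMALIZED_PARSED)):
        result = diagnose(RAW_PAYLOAD, record)
        print(f"{label}: {result['verdict']}; mismatched fields: {result['mismatches']}")
```

Run over a CSV or JSON export of Log Activity, the `mismatches` list tells you which properties to look at first in the DSM Editor, and a high count of "stored" verdicts for one log source points at the log source configuration (type, protocol, identifier) rather than at individual events.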



  • 8.  RE: Windows log forward to IBM QRadar using WinCollect

    Posted Mon March 10, 2025 05:50 AM

    Hi Sejid,

    Noted with thanks :)



    ------------------------------
    Osama Ahmed
    ------------------------------