IBM Security QRadar


WinCollect did not forward all Event Data

  • 1.  WinCollect did not forward all Event Data

    Posted 3 days ago
    Hi,

    We would like to send the event data of the logs "Base-Filtering-Engine (BFE) Connections Operational" and "WinNat" to QRadar. The data arrives at QRadar. However, only the data that is visible in the event log under General arrives. We do not receive the data that is visible in the event log under Details. But we need the detailed data. Is this possible, and how do we configure it?

    Thanks very much,

    Peter

    ------------------------------
    Peter Fischer
    ------------------------------


  • 2.  RE: WinCollect did not forward all Event Data

    Posted 3 days ago
    Hi Peter
    Not sure what "details" you are receiving. The payload should show you everything! From there you proceed using all the Windows properties you want and define what's left in the DSM Editor. Make sure you have the Windows content packages installed from App Exchange.
    BR Karl

    ------------------------------
    Karl-Heinz Jaeger
    senior consultant
    pro4bizz GmbH
    Karlsruhe
    +4972190981722
    ------------------------------



  • 3.  RE: WinCollect did not forward all Event Data

    Posted 3 days ago
    Hi Karl

    The problem is, we don't have all the information in the payload. For example:
    On the server, under Details, there is more information:
    The fields RemoteMachineAccount and RemoteUserAccount are interesting for us.
    WinCollect does not send the relevant information. We have checked this with tcpdump.

    Is it possible to configure WinCollect to also send the "EventData"?

    Thank you very much,

    Peter

    ------------------------------
    Peter Fischer
    ------------------------------



  • 4.  RE: WinCollect did not forward all Event Data

    Posted 2 days ago
    Hi Peter,

    What transport protocol (UDP or TCP) are you using to send the events from WinCollect to QRadar? QRadar by default truncates UDP messages at 1 KB and TCP syslog events at 4 KB, though both can be adjusted in System Settings. And actually I believe WinCollect itself will truncate at 1 KB for UDP before sending.

    If you're using UDP, I suspect the event is being truncated. Those Event Data values are generally injected into a format string and included in the "Message" field, which is always the last field in the event. In your screenshot above the "Message" value is just "New Connection", whereas I would expect a much more verbose message for most Windows events. So it's probably just getting cut off.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
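As an added illustration of the truncation point made in the reply above (example code written for this thread, not IBM's or WinCollect's own): a small Python simulation that applies the 1 KB UDP and 4 KB TCP cut to a constructed WinCollect-style payload and flags events whose trailing EventData fields did not survive. The payload layout, the log name and every value are assumptions, not captured data.

```python
import re
from typing import List, Optional

# Default per-transport payload limits quoted in the thread (bytes).
LIMITS = {"udp": 1024, "tcp": 4096}

# EventData fields the poster is looking for; they sit at the end of the payload.
EVENTDATA_FIELDS = ("RemoteMachineAccount", "RemoteUserAccount")

# Constructed WinCollect-style event: General-tab text first, EventData pairs last.
# The field layout is assumed; the filler stands in for ~1.9 KB of other EventData.
FILLER = " ".join(f"Field{i}=value{i}" for i in range(120))
SAMPLE_EVENT = (
    "<13>Jan 01 12:00:00 host01 AgentDevice=WindowsLog "
    "AgentLogFile=Microsoft-Windows-WinNat/Operational "
    "Computer=host01.example.local Message=New Connection "
    + FILLER
    + " RemoteMachineAccount=EXAMPLE\\SRV02$ RemoteUserAccount=EXAMPLE\\alice"
)


def truncate(payload: str, transport: str) -> str:
    """Cut the payload at the transport's limit, as the collector or QRadar would."""
    return payload[: LIMITS[transport]]


def extract_field(payload: str, name: str) -> Optional[str]:
    """Return the whitespace-free value of `name=value`, or None if absent."""
    match = re.search(rf"\b{name}=(\S+)", payload)
    return match.group(1) if match else None


def missing_eventdata(payload: str) -> List[str]:
    """List the expected EventData fields that are not present in the payload."""
    return [f for f in EVENTDATA_FIELDS if extract_field(payload, f) is None]


def looks_truncated(payload: str, transport: str) -> bool:
    """Heuristic: payload sits at the limit, or expected trailing fields are gone."""
    return len(payload) >= LIMITS[transport] or bool(missing_eventdata(payload))


if __name__ == "__main__":
    for transport in ("udp", "tcp"):
        received = truncate(SAMPLE_EVENT, transport)
        print(transport, len(received), "bytes, missing:", missing_eventdata(received))
```

A stored payload whose length equals the configured limit is the quickest sign of truncation; the missing-field check still catches it after the limit has been raised.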



  • 5.  RE: WinCollect did not forward all Event Data

    Posted 2 days ago

    Hi Colin.

    Thank you for your message. We have checked with tcpdump. The transport protocol is TCP. We had configured 16 KB and increased this to 24 KB. Unfortunately without success.

    Cheers

    Peter



    ------------------------------
    Peter Fischer
    ------------------------------