You can provide XPath queries in unmanaged WinCollect using a few options:
installs with command line strings; I especially suggest converting the
XPath strings to Base64 for this. I have used large filter sets for
PowerShell and Sysmon this way.
or leverage WinCollect templates to do so
or stop the service, edit the agentconfig.xml files on systems, and restart the service.
Using a test host with the WinCollect UI to create install strings is
useful. Note most of the above is more WinCollect 7 (pre 10) focused.
For WEF, the config is on the Windows side, and the target server is
configured to forward collected events; that lies in MS Event
Subscriptions to send Sysmon, etc.
Al
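An added example (not code from the thread, from WinCollect or from IBM) of the first option above: building one XPath QueryList for the Sysmon, PowerShell and Task Scheduler channels, checking it on a test host with Get-WinEvent, and Base64-encoding it for an install string. The channel names are the standard Windows ones; the event ID subset and the install-string parameter that receives the value are assumptions, as noted in the comments.

```powershell
# Added example (not from the thread): one XPath QueryList for the Sysmon,
# PowerShell and Task Scheduler operational channels, checked on a test host
# with Get-WinEvent and then Base64-encoded for an unmanaged WinCollect
# install string. The event ID subset is a constructed choice; the name of the
# install-string parameter that takes the value is assumed to come from the
# WinCollect documentation for your version and is not shown here.
$QueryList = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*[System[(EventID=1 or EventID=3 or EventID=11)]]</Select>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-PowerShell/Operational">
    <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4104)]]</Select>
  </Query>
  <Query Id="2" Path="Microsoft-Windows-TaskScheduler/Operational">
    <Select Path="Microsoft-Windows-TaskScheduler/Operational">*[System[(EventID=106 or EventID=140 or EventID=141)]]</Select>
  </Query>
</QueryList>
"@

function Test-XPathQueryList {
    param([string]$Xml)
    # A malformed query fails here, on the test host, instead of shipping in an
    # install string that silently collects nothing on every endpoint.
    try {
        $null = Get-WinEvent -FilterXml ([xml]$Xml) -MaxEvents 1 -ErrorAction Stop
        return $true
    } catch {
        # "No events were found" means the query parsed but nothing matched yet
        # (e.g. script block logging not enabled); the query itself is valid.
        if ($_.Exception.Message -like 'No events were found*') { return $true }
        Write-Warning "XPath query rejected: $($_.Exception.Message)"
        return $false
    }
}

function ConvertTo-Base64Query {
    param([string]$Xml)
    # UTF-8 Base64 keeps the quotes and angle brackets out of msiexec/cmd quoting.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Xml))
    # Round-trip so what gets deployed is byte-for-byte what was validated above.
    $decoded = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($encoded))
    if ($decoded -cne $Xml) { throw 'Base64 round-trip mismatch' }
    return $encoded
}

if (Test-XPathQueryList -Xml $QueryList) {
    $Base64Query = ConvertTo-Base64Query -Xml $QueryList
    Write-Output "Base64 XPath filter ($($Base64Query.Length) chars): $Base64Query"
}
```

Run it on the test host that already has Sysmon installed; a channel that is missing there is reported as a rejected query rather than encoded.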
Original Message:
Sent: 2/22/2022 1:24:00 PM
From: Ben McHarg
Subject: RE: Wincollect Powershell/Sysmon/Taskscheduler logs collection
Thanks for the reply. Some additional information that may help. I have a Windows 10 machine in my lab and I have WinCollect installed in managed mode. The log source auto created and is working properly. Sysmon was then installed and configured. I'm not even seeing an option in the log source configuration on the console to use an XPath query. Documentation seems to point to using WEC and/or syslog forwarding only unless WinCollect is set up in Stand-alone mode.
------------------------------
Ben McHarg
------------------------------
Original Message:
Sent: Fri February 18, 2022 03:25 PM
From: Ashish Khandewale
Subject: Wincollect Powershell/Sysmon/Taskscheduler logs collection
Yes, you can certainly collect Sysmon logs with a managed WinCollect agent. You would need to deploy Sysmon on endpoints and create a log source with an XPath query so WinCollect can fetch logs.
------------------------------
Ashish Khandewale, Security Consultant
SIOC
IBM Canada
Original Message:
Sent: Thu February 17, 2022 03:33 PM
From: Ben McHarg
Subject: Wincollect Powershell/Sysmon/Taskscheduler logs collection
Hello, can someone confirm whether we can collect Sysmon events with a managed WinCollect agent deployment? I'm reviewing the documentation now. Thanks.
------------------------------
Ben McHarg
Original Message:
Sent: Fri May 08, 2020 12:50 PM
From: Juan Paulo
Subject: Wincollect Powershell/Sysmon/Taskscheduler logs collection
Hi Akash, at least you'll need to do the following:
Also, Jose Bravo has several YouTube videos about it: https://www.youtube.com/watch?v=Xl31zNp4YUY&list=PLHh9jhztlMyrlWsozcrUEOvByfLJvRBDy
Have fun
------------------------------
Juan Paulo
IBM
Santiago
Original Message:
Sent: Thu May 07, 2020 04:29 AM
From: Akash Bhardwaj
Subject: Wincollect Powershell/Sysmon/Taskscheduler logs collection
Can WinCollect collect the PowerShell/Sysmon/Task Scheduler logs from Windows systems? Is there any document or steps available to configure this, as nothing related was found in the WinCollect guide?
------------------------------
Akash Bhardwaj
------------------------------