IBM Security QRadar

Hello experts,

How can I configure Wincollect to read logs from an application installed on a Windows host? 

For example, I have an application "app1" that send its logs to a particular directory called C:\programs\app1\. How do i configure Wincollect to forward these logs to QRadar SIEM.?

Thank You.


------------------------------
benlinux
------------------------------

please follow the following link... in your case, you need first to create a new device type using the DSM editor or you can use the Universal DSM in log source configuration.


Then, Create New log source:
set the Device Type to Universal DSM, or you can build new device type before start adding the log source as mentioned before.

Then select the protocol type as below:

Then you need to configure local collection as below (third configuration screen)

set the parameter as in the link provided.

------------------------------
ahmad zuhd
------------------------------

Original Message:
Sent: Wed September 08, 2021 02:54 PM
From: benlinux
Subject: How to use Wincollect to read Application logs

Hello experts,

How can I configure Wincollect to read logs from an application installed on a Windows host? 

For example, I have an application "app1" that send its logs to a particular directory called C:\programs\app1\. How do i configure Wincollect to forward these logs to QRadar SIEM.?

Thank You.


------------------------------
benlinux
------------------------------

Original Message:
Sent: 9/9/2021 1:56:00 AM
From: ahmad zuhd
Subject: RE: How to use Wincollect to read Application logs

please follow the following link... in your case, you need first to create a new device type using the DSM editor or you can use the Universal DSM in log source configuration.


Then, Create New log source:
set the Device Type to Universal DSM, or you can build new device type before start adding the log source as mentioned before.

Then select the protocol type as below:

Then you need to configure local collection as below (third configuration screen)

set the parameter as in the link provided.

------------------------------
ahmad zuhd
------------------------------

Original Message:
Sent: Wed September 08, 2021 02:54 PM
From: benlinux
Subject: How to use Wincollect to read Application logs

Hello experts,

How can I configure Wincollect to read logs from an application installed on a Windows host? 

For example, I have an application "app1" that send its logs to a particular directory called C:\programs\app1\. How do i configure Wincollect to forward these logs to QRadar SIEM.?

Thank You.


------------------------------
benlinux
------------------------------

As Ahmad mentioned, you can start with the DSM editor to create a new custom log source type for your app. I recall utilizing SMBtail protocol to read the logs from the file the custom app writes to; lowest polling interval is 10s and should be OK for near real-time ingestion/detection. Make sure to set the access to the file appropriately. For SMBtail you might need to play a bit with the regex to have the adequate file name pattern the LSM app accepts. Also, there is the option Force File Read which is turned on by default - but you would probably want to change that (when OFF, the log file is read only when QRadar detects a change in the modified time or file size  which would avoid repeated reading of previously ingested data)

------------------------------
Dusan VIDOVIC
------------------------------

Original Message:
Sent: Wed September 08, 2021 02:54 PM
From: benlinux
Subject: How to use Wincollect to read Application logs

Hello experts,

How can I configure Wincollect to read logs from an application installed on a Windows host? 

For example, I have an application "app1" that send its logs to a particular directory called C:\programs\app1\. How do i configure Wincollect to forward these logs to QRadar SIEM.?

Thank You.


------------------------------
benlinux
------------------------------

This link would be helpful for using DSM editor.
https://www.ibm.com/docs/en/qsip/7.3.3?topic=administration-processing-event-data-in-qradar

------------------------------
Brian Kwak
------------------------------

Original Message:
Sent: Wed September 08, 2021 02:54 PM
From: benlinux
Subject: How to use Wincollect to read Application logs

Hello experts,

How can I configure Wincollect to read logs from an application installed on a Windows host? 

For example, I have an application "app1" that send its logs to a particular directory called C:\programs\app1\. How do i configure Wincollect to forward these logs to QRadar SIEM.?

Thank You.


------------------------------
benlinux
------------------------------