IBM Security QRadar

  • 1.  Script to test Windows set up properly for WinCollect?

    Posted Tue December 18, 2018 12:07 PM
    I have a customer who would like to use a script to test that their Windows machines are properly configured for WinCollect before setting it up via bulk load in the Log Sources on the Admin tab.

    For example, they can go in using the service account to check if they can see logs in the target machine's remote Event Viewer. But they'd like to check that for the hundreds of machines that they need to set up.

    Has anyone here ever put together a script to test this out?

    ------------------------------
    Amy Smith
    Executive Cloud Security Architect
    IBM
    Alexandria, VA
    +1 571 302 1016
    ------------------------------


  • 2.  RE: Script to test Windows set up properly for WinCollect?

    Posted Wed December 19, 2018 10:12 AM
    I would like to ENTHUSIASTICALLY second this request with a small addition. If the script could confirm and report that the agents were set for pushing their logs to the WinCollect Server or being polled for their logs and needing a subscription on the WinCollect server.

    Thanks,

    ------------------------------
    _____________________
    Daniel Sichel
    ------------------------------
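    One way to do the pre-flight check Amy asks for in post 1, with the push-vs-poll report Daniel asks for in post 2, as an added example that is not from this thread or from IBM. It runs in Windows PowerShell 5.1 from a host that can reach the targets, takes a constructed hosts file (one name per line) and the polling service account's credential, and tests what WinCollect agentless collection actually needs: name resolution, TCP 135 and 445, and a remote read of the Security log as that account. The agent service name `WinCollect` and the file/column layout are assumptions of this script, not something the thread states.

```powershell
# Added example, not from the original thread or IBM. Assumptions are marked.
# Usage: .\Test-WinCollectReadiness.ps1 -ComputerList .\hosts.txt -Credential (Get-Credential)
param(
    [Parameter(Mandatory)] [string] $ComputerList,        # ASSUMED format: one hostname/FQDN per line
    [Parameter(Mandatory)] [pscredential] $Credential,    # the WinCollect polling service account
    [string] $AgentServiceName = 'WinCollect',            # ASSUMPTION: service name of a locally installed agent
    [string] $OutCsv = '.\wincollect-readiness.csv'
)

$targets = Get-Content -Path $ComputerList | Where-Object { $_.Trim() -ne '' }

$results = foreach ($h in $targets) {
    $r = [ordered]@{
        Computer     = $h
        Resolves     = $false
        Rpc135       = $false    # RPC endpoint mapper, required for the remote Event Log API
        Smb445       = $false    # SMB, used for the remote registry / named-pipe path
        SecurityRead = $false    # service account can read the Security log remotely
        LastSecEvent = $null     # timestamp of the newest Security event seen (proves the read worked)
        AgentService = 'Unknown' # Running / Stopped / NotInstalled / Unknown
        Mode         = 'Unknown' # 'Agent (push)' or 'Agentless (poll)'
        Error        = ''
    }
    try {
        $r.Resolves = [bool](Resolve-DnsName -Name $h -ErrorAction Stop)
        $r.Rpc135   = (Test-NetConnection -ComputerName $h -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded
        $r.Smb445   = (Test-NetConnection -ComputerName $h -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded

        # The test that matters: pull one Security event as the service account.
        # An "access denied" here means the account is not in Event Log Readers (or is blocked
        # by remote-access policy) on that host; a timeout means the ports/firewall are wrong.
        $ev = Get-WinEvent -ComputerName $h -Credential $Credential -LogName Security -MaxEvents 1 -ErrorAction Stop
        $r.SecurityRead = $true
        $r.LastSecEvent = $ev.TimeCreated

        # Push vs. poll: an installed agent service means the host pushes to the WinCollect server;
        # no service means it must be polled (and needs a subscription on the WinCollect server).
        # NOTE: Get-Service -ComputerName runs as the *current* user, not $Credential, so a null
        # result can also mean "no remote SCM access"; the CSV marks that as NotInstalled.
        $svc = Get-Service -ComputerName $h -Name $AgentServiceName -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            $r.AgentService = 'NotInstalled'
            $r.Mode = 'Agentless (poll)'
        } else {
            $r.AgentService = $svc.Status.ToString()
            $r.Mode = 'Agent (push)'
        }
    }
    catch {
        # Mode/AgentService stay 'Unknown' because we never got past the event read
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path $OutCsv -NoTypeInformation

# Hosts that still need work before they go into the bulk load
$results | Where-Object { -not $_.SecurityRead } | Select-Object Computer, Resolves, Rpc135, Smb445, Error
```

    The Security-log read is the one check that cannot be faked by open ports alone, so the "needs work" list at the end keys on it. `Get-Service -ComputerName` was removed in PowerShell 7; on that version replace it with `Invoke-Command -ComputerName $h -Credential $Credential { Get-Service -Name $using:AgentServiceName }` over WinRM.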



  • 3.  RE: Script to test Windows set up properly for WinCollect?

    Posted Wed December 19, 2018 10:31 AM
    I wonder if there are any super-smart Windows people out there who have already taken a whack at this? Anybody?

    ------------------------------
    Amy Smith
    Executive Cloud Security Architect
    IBM
    Alexandria, VA
    +1 571 302 1016
    ------------------------------



  • 4.  RE: Script to test Windows set up properly for WinCollect?

    Posted Sat January 19, 2019 06:50 PM
    Hi Amy,
    we were going to develop a PowerShell script for this a year ago, but since WinCollect had important issues, we decided to install the Splunk agent and forward the logs from Splunk to QRadar instead.

    This way the operations teams can have their logs in Splunk, and we can forward security logs to QRadar.

    I know that WinCollect has a newer version (7.2.8 fix1) that seems more stable. We might reconsider installing the agent in a few months. If we do, we'll be back to comment here.

    Good luck!
    ------------------------------
    Anthony Gayadeen
    ------------------------------