IBM Security QRadar

  • 1.  WinCollector - DLC - QRADAR

    Posted Thu June 18, 2020 08:20 PM
    Hello Dears,

    As we know, DLC doesn't store any logs, only forwards them to QRadar. If I need to store logs on the client site, what do I need?

    Scenario 1

    1000 PCs - Windows machines. WinCollect installed (with CA).
    Logs from these machines are forwarded to the Disconnected Log Collector (which is installed on the client site).
    Will WinCollect communicate with the Disconnected Log Collector? Do they support communicating with each other?
    The DLC forwards logs from these 1000 Windows machines to QRadar for correlation.
    On the QRadar site, we don't store any logs, only do correlation. But the client needs to store events for 90-180 days. Which solution can you advise?
    Will we need to install a Data Store node on the client site, and after the correlation, transfer all logs to the data store (which will be installed on the client site)?
    So, how can I store the event data on the client site? Will I need a Data Store node?

    Or, you can give the best solution for this task.

    Priority - All events need to be encrypted.


    ------------------------------
    Ali Bayramov
    ------------------------------


  • 2.  RE: WinCollector - DLC - QRADAR

    Posted Sun June 21, 2020 05:05 PM
    Hi Ali,

    "Will WinCollect communicate with the Disconnected Log Collector? Do they support communicating with each other?"
    Yes, WinCollect can send event data to a Disconnected Log Collector.

    "On the QRadar site, we don't store any logs, only do correlation. But the client needs to store events for 90-180 days. Which solution can you advise?"
    This is very unusual. So you don't want any events stored in QRadar at all? This is not how QRadar is typically deployed. If it's OK for the events to be stored within the QRadar deployment, but they have to physically remain within the client's data center, you could deploy a QRadar Event Processor (and, if needed, supplemental Data Nodes) within the client's environment, as long as there is connectivity between the QRadar console and that EP. This would ensure all event data from the client is stored at the client site.

    "Will we need to install a Data Store node on the client site, and after the correlation, transfer all logs to the data store (which will be installed on the client site)?
    So, how can I store the event data on the client site? Will I need a Data Store node?"

    A DataStore node is any EP (Event Processor) and any attached Data Nodes which are used with routing rules with the Log Only action. These are part of the QRadar deployment. Correlation only occurs in EPs, and the data is then either stored on the EP or in an attached Data Node. So it wouldn't really make sense to do correlation in an EP outside the client site and then manually transfer the data back to a Data Node or EP on the client site. If the data really needs to reside on the client site, I would just put EPs there.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 3.  RE: WinCollector - DLC - QRADAR

    Posted Mon June 22, 2020 10:02 AM
    Can the DLC function as a configuration server for WinCollect as well?

    ------------------------------
    Steve Murphy
    ------------------------------



  • 4.  RE: WinCollector - DLC - QRADAR

    Posted Mon June 22, 2020 10:11 AM
    Hi Steve,

    No, not at this time. It's an idea we're considering but for now managed WinCollect agents have to be pointed at an EC, EP, or console.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 5.  RE: WinCollector - DLC - QRADAR

    Posted Tue June 23, 2020 10:38 AM

    Thank you for the quick response Colin!  It would be extremely useful in our environment.  Is there an RFE that we can vote on for that? 







  • 6.  RE: WinCollector - DLC - QRADAR

    Posted Tue June 23, 2020 11:38 AM
    Hey Steve,

    I just ran a search of the internal DB backing the RFEs and I couldn't find one, but I've definitely heard it brought up verbally at least from other customers. I'd definitely recommend creating one and requesting that it be made public, I suspect it'll get some upvotes.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 7.  RE: WinCollector - DLC - QRADAR

    Posted Fri September 22, 2023 11:57 AM

    Hi,

    For WinCollect agents to send event data to the Disconnected Log Collector, what protocol configuration needs to be added in the logsources.json file? Or, by default, will the Disconnected Log Collector accept the event data from WinCollect agents, given that during installation of WinCollect we specify the destination (the Disconnected Log Collector IP and port 514), which is configured in the QRadar console?



    ------------------------------
    Venkatesh varansi
    ------------------------------



  • 8.  RE: WinCollector - DLC - QRADAR

    Posted Mon September 25, 2023 10:51 AM

    If you're sending plaintext syslog over either UDP or TCP, you don't need to configure anything on the DLC side; it will automatically listen for plaintext syslog. However, if you want to send TLS syslog, you'd need to configure a TLS listener for the DLC, either by editing the JSON file directly, or by configuring it in QRadar, exporting the config, and importing it on the DLC.

    Cheers

    Colin



    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
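The reply above makes the practical point that a DLC listens for plaintext syslog on its own, while TLS syslog only works once a TLS listener is configured, so an agent that is pointed at the wrong port will silently deliver events in the clear, which defeats the "all events need to be encrypted" requirement from the first post. The following is an added example, not code from this thread, from IBM, or from the DLC itself: a small Python check that takes the first bytes seen on a DLC listener port per source address (for instance pulled from a packet capture on the DLC host) and classifies each flow as a TLS ClientHello, a plaintext syslog line, or unknown, so you can list agents that are not actually using TLS. The TLS record header and syslog `<PRI>` formats are from RFC 5246/8446 and RFC 3164/5424; the sample payloads, the `10.0.0.x` addresses and the helper names are constructed for illustration only.

```python
"""Classify the first bytes of each flow reaching a DLC listener: TLS vs plaintext syslog.

Added example. The sample payloads below are constructed, not captured from a
WinCollect agent or a DLC, and the function names are this example's own.
"""
from __future__ import annotations

import re
from typing import Optional

# A TLS record begins with content type 0x16 (handshake), a legacy record
# version 0x03 0x01..0x03, and a 2-byte record length; byte 5 is then the
# handshake message type, where 0x01 is ClientHello (RFC 5246 / RFC 8446).
TLS_HANDSHAKE_CONTENT_TYPE = 0x16
TLS_CLIENT_HELLO = 0x01

# Syslog over TCP may be octet-count framed ("84 <13>...") per RFC 6587, or a
# bare line; either way the line itself starts with "<PRI>" (RFC 3164 / 5424).
_PRI_RE = re.compile(rb"^(?:\d{1,5} )?<(\d{1,3})>")


def is_tls_client_hello(data: bytes) -> bool:
    """True if the buffer starts with a TLS handshake record carrying a ClientHello."""
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    if content_type != TLS_HANDSHAKE_CONTENT_TYPE or major != 0x03 or minor not in (0x01, 0x02, 0x03):
        return False
    return data[5] == TLS_CLIENT_HELLO


def syslog_pri(data: bytes) -> Optional[tuple[int, int]]:
    """Return (facility, severity) if the buffer starts like a syslog line, else None."""
    m = _PRI_RE.match(data)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # PRI = facility * 8 + severity, facility <= 23
        return None
    return pri // 8, pri % 8


def classify(first_bytes: bytes) -> str:
    """'tls', 'plaintext-syslog' or 'unknown' for the first bytes seen on the wire."""
    if is_tls_client_hello(first_bytes):
        return "tls"
    if syslog_pri(first_bytes) is not None:
        return "plaintext-syslog"
    return "unknown"


def agents_not_using_tls(flows: dict[str, bytes]) -> list[str]:
    """Given {source address: first bytes of its flow}, list sources that did not start TLS."""
    return [src for src, first in flows.items() if classify(first) != "tls"]


# Constructed sample payloads (not real captures).
SAMPLE_PLAINTEXT = b"<134>Jun 23 10:38:00 WIN-PC01 AgentDevice=WindowsLog\tAgentLogFile=Security\tEventID=4624"
SAMPLE_OCTET_COUNTED = b"84 <13>1 2023-09-25T10:51:00Z WIN-PC02 WinCollect - - - test"
# TLS 1.3 ClientHello still uses record version 0x0301 for compatibility; the
# handshake header (type 0x01, 3-byte length) follows the 5-byte record header.
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0xF4, 0x01, 0x00, 0x00, 0xF0, 0x03, 0x03]) + b"\x00" * 32

if __name__ == "__main__":
    flows = {"10.0.0.11": SAMPLE_TLS, "10.0.0.12": SAMPLE_PLAINTEXT, "10.0.0.13": SAMPLE_OCTET_COUNTED}
    for src, first in flows.items():
        print(f"{src}: {classify(first)}")
    print("agents not using TLS:", agents_not_using_tls(flows))
```

The check deliberately looks only at the first bytes of each flow: a plaintext listener that the DLC opened automatically will accept a `<PRI>`-prefixed line straight away, whereas a correctly pointed agent has to complete a TLS handshake first, so the first record on the wire is a ClientHello and no syslog text is visible at all. Any source that shows up in the "not using TLS" list is an agent whose destination still points at the plaintext port.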