IBM Security QRadar


WinCollect Agent Issue

  • 1.  WinCollect Agent Issue

    Posted Fri September 25, 2020 06:32 AM
    The WinCollect agent is not working on the swift application, due to which we are not able to see the application logs. The application is a very critical application in our production environment.

    The WinCollect agent is not responding to heartbeats, nor is the log source in active status. The status of the log source is N/A. There are no logs available in the Log Activity tab against the WinCollect log source.

    The same configuration was done on this agent as on the other active and running agents, which are sending logs to QRadar successfully.

    From the Windows machine to QRadar, we have opened ports 514 and 8413. We are also able to establish a connection on port 8413 successfully from the Windows machine.

    ------------------------------
    Ather Mobeen
    ------------------------------


  • 2.  RE: WinCollect Agent Issue

    Posted Mon September 28, 2020 03:14 AM
    Hi Ather,

    Are these ports also open?

    Table 1. Port usage for WinCollect remote polling

    Port            Protocol  Usage
    135             TCP       Microsoft Endpoint Mapper
    137             UDP       NetBIOS name service
    138             UDP       NetBIOS datagram service
    139             TCP       NetBIOS session service
    445             TCP       Microsoft Directory Services for file transfers that use Windows share
    49152 – 65535   TCP       Default dynamic port range for TCP/IP
                              Note: Exchange servers are configured for a port range of 6005 – 58321 by default.

    The MSEVEN protocol uses port 445. The NETBIOS ports (137 - 139) can be used for host name resolution. When the WinCollect agent polls a remote event log by using MSEVEN6, the initial communication with the remote machine occurs on port 135 (dynamic port mapper), which assigns the connection to a dynamic port. The default port range for dynamic ports is between port 49152 and port 65535, but might be different dependent on the server type. For example, Exchange servers are configured for a port range of 6005 – 58321 by default.

    To allow traffic on these dynamic ports, enable and allow the two following inbound rules on the Windows server that is being polled:
    • Remote Event Log Management (RPC)
    • Remote Event Log Management (RPC-EPMAP)


    ------------------------------
    Halil BALIM
    ------------------------------



  • 3.  RE: WinCollect Agent Issue

    Posted Tue September 29, 2020 02:51 AM
    Hi All,

    Currently we are not receiving any host logs from the system on which swift is installed using WinCollect, while the same WinCollect agent is sending logs from other machines.

    The WinCollect agent is not responding to heartbeats, nor is the log source in active status. The status of the log source is N/A. There are no logs available in the Log Activity tab against the WinCollect log source.

    ------------------------------
    Ather Mobeen
    ------------------------------



  • 4.  RE: WinCollect Agent Issue

    Posted Mon September 28, 2020 03:56 AM

    You configure the swift application to save events in the Windows log, in the Application branch. I recommend the CEF format; it was easier for me to parse, and their documentation on CEF is not badly written. The WinCollect agent takes all the information from the Windows log and sends it on to QRadar. Check for application events in the Windows log. If there are events, then check the work of WinCollect; the process of logging and the sending of events are not related. The reasons for WinCollect not sending events can be different: 1. Lack of network access. 2. After updating the operating system, you need to restart the WinCollect service, as it hangs; and others. To understand what the problem is, you need to read the events from the agent and QRadar.

    ------------------------------
    Mykhailo Matsiuk
    ------------------------------



  • 5.  RE: WinCollect Agent Issue

    Posted Wed September 30, 2020 10:29 AM
    Make sure the user in the log source setup can do remote event viewing on the target machine. You can test this by logging on to the WinCollect machine, starting Event Viewer, and viewing events on a remote machine with an arbitrary user name. Use the name you put in the log source (and of course a working password). If you can see the events on the remote machine, then check the WinCollect logs on the WinCollect agent.

    Make sure the user ID you use to collect the logs (the user you put in the log source setup) is a member of the local Event Log Readers group on the target machine.

    Those are the most frequent issues for me. Hope it helps.

    ------------------------------
    _____________________
    Daniel Sichel
    ------------------------------
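The checks suggested in replies 2 and 5 (agent-to-QRadar ports 514/8413, the remote-polling ports 135/139/445, the two "Remote Event Log Management" inbound rules and the dynamic port range on the polled host, and a remote event log read with the log source account) collected into one script. This is an added example, not code from the thread or from IBM; run it on the WinCollect agent host. The host names and the service account are placeholders, and step 3 assumes WinRM is enabled on the polled server.

```powershell
# Added example: verify the WinCollect remote-polling path end to end.
param(
    [string]$Target        = 'SWIFT-HOST',              # polled Windows server (placeholder)
    [string]$QRadar        = 'qradar.example.local',    # QRadar event collector (placeholder)
    [string]$LogSourceUser = 'DOMAIN\wincollect-svc'    # account set in the QRadar log source (placeholder)
)

# 1. Agent -> QRadar: syslog (514) and the WinCollect management channel (8413).
#    Test-NetConnection only exercises TCP; 514/UDP syslog cannot be probed this way.
foreach ($port in 514, 8413) {
    $r = Test-NetConnection -ComputerName $QRadar -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $QRadar, $port, $r.TcpTestSucceeded
}

# 2. Agent -> polled host: endpoint mapper (135), NetBIOS session (139), SMB/MSEVEN (445).
foreach ($port in 135, 139, 445) {
    $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $Target, $port, $r.TcpTestSucceeded
}

# 3. On the polled host: state of the inbound rules that admit the RPC dynamic-port
#    traffic, and the dynamic range actually configured (default 49152-65535;
#    Exchange servers use 6005-58321). Runs under the current user via WinRM.
Invoke-Command -ComputerName $Target -ScriptBlock {
    Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Enabled, Profile
    netsh int ipv4 show dynamicport tcp
}

# 4. Remote read of the Application log with the log source account. This uses the
#    same RPC path and the same permission (Event Log Readers membership) that
#    WinCollect needs, so a failure here points at the credential or the firewall,
#    not at the agent itself.
$cred = Get-Credential -UserName $LogSourceUser -Message 'Password for the log source account'
try {
    $ev = Get-WinEvent -ComputerName $Target -LogName Application -MaxEvents 1 `
                       -Credential $cred -ErrorAction Stop
    'Remote event log read OK: newest Application event id {0} at {1}' -f $ev.Id, $ev.TimeCreated
} catch {
    'Remote event log read FAILED: {0}' -f $_.Exception.Message
}
```

If step 4 fails with an RPC error while 135 and 445 are reachable, the dynamic-port rules in step 3 are the usual cause; if it fails with access denied, check the group membership from reply 5.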