Global Security Forum

Expand all | Collapse all

Different wincollect installations and which one to choose!!

  • 1.  Different wincollect installations and which one to choose!!

    Posted Mon May 17, 2021 12:30 PM
      |   view attached

    QRadar integration has always been a stained-glass window for many of us, be it either an experienced SIEM professional dealing with a new device integration or a SIEM professional in his/her early phase of SIEM journey.

    For one such scenario, here are my two cents to avoid such time-consuming researches and hit-and-trials for windows server integrations based on different types of QRadar setups.

    Though QRadar is flexible with environmental setups, it is also equally flexible with integration of windows devices, but that flexibility comes at a cost of confusion for many of us. Questions like which integration is best out of

    • Syslog (Intended for Snare, BalaBit, and other third-party Windows solutions).
    • TLS Syslog.
    • TCP Multiline Syslog
    • Windows Event Log (WMI)
    • Windows Event Log Custom (WMI).
    • WinCollect NetApp Data ONTAP.
    • Amazon Web Services protocol from AWS CloudWatch.
    • Microsoft Azure Event Hubs.

    Now we are only going to discuss the predominant ways of integration, in this post, which are WMI and WinCollect. And how one is better than the other.


    Summary: Table of deployment

    Nature of WinCollect Deployment



    Ideal for Enterprise


    Managed Wincollect

    ·       Easy to identify errors using wincollect events.

    ·       Easy to integrate multiple log types from same server (Applications/Forwarded events etc.).

    ·       Less resource utilization on ECs/EPs since it's based on push mechanism.

    ·       Easy upgrade of wincollect agents.

    ·       Filtering of events and using X-path queries are a treat for EPS reduction.

    Only 500 WinCollect Agents are recommended per managed host in an environment.

    Every distributed QRadar environment.

    If the managed hosts (ECs/EPs) are location specific, then while installing wincollect, using closest managed host as configuration server is best.

    Standalone WinCollect

    ·       No limitation on heartbeat management per managed host.

    ·       No authentication token is needed

    ·       Centralized upgrade is not possible.

    ·       Non logging troubleshooting may become tedious.

    Environment where count of windows server is higher than the available QRadar managed hosts can support for heartbeats.

    Should only go for this when endpoint management is strong in the environment. (SCCM/bigfix etc for agent upgrades)

    Using Intermediate Jump server for MSRPC polling

    Easy to designate and distribute servers per agent server,

    ·       Centralized credentials used for MSRPC can be compromised.

    ·       If the agent server gets disconnected logs can fill up the space of the agent server.

    ·       Ports needed for MSRPC are vulnerable in general

    Enterprise where segment level security is strong, and credentials can be vaulted for better safety.

    I do not recommend this method over managed one as it costs a lot of inconvenience for its value delivered.


    For better understanding on Managed Wincollect please check Annexure I.

    For better understanding of Standalone WinCollect and Using Intermediate Jump server for MSRPC polling please refer Click Here 

    Shashank Soni


  • 2.  RE: Different wincollect installations and which one to choose!!

    Posted Fri June 04, 2021 01:45 PM
    Interesting comparison view into QRadar integrations!

    Christine Arnold
    Customer Marketing & Community Manager
    IBM Security