IBM QRadar

We need to collect logs from our VDI Desktops which are Non-Persistent. All VDI Desktops get spun off the master image when user connects and get deleted at the time of log off.

What would be the best method to collect logs in such environment?

If we install wincollect managed agent, this may cause problems as the agent will need to be installed and uninstalled every time user connects and then logs off. And also the need of deploying changes every time the machines poweron.

Would a standalone approach be the best - polling the remote hosts? The challenge with this method is that we would never be sure how many machines will be on at a give time and would result us in polling something that is not even on the network.

Any thoughts?

With this type of scenario, I think it makes sense to use Windows Event Forwarding (WEF) built in to the Microsoft OS to forward the events over. You could remotely poll them, but it would require the log sources to be configured for that IP. It makes much more sense in my opinion to have the OS be configured with a default WEF policy that forwards events based on the configured XML file. https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection

In this scenario, you could have a few decidated WinCollect agents that are setup for the Forwarded event log. This could receive events from a number of VDI Windows hosts, which all forward to the WinCollect agent. WinCollect will see these as individual log sources and create them, if required. If that IP already exists, then it will append in events to the existing log source.

I think your best bet would be to implement a GPO policy on your VDIs to have a default forwarding policy when the virtual desktop is created. This is likely something that you would have to test out, but WinCollect has a large number of users that implement WEF in large deployments and it works well. I don't know if any of these are virtual desktops, but I think WEF is the way to go.

Thanks for the response Jonathan, this really helps. I looked into the article you have attached. All the forwarded events will then forward logs to collector and appear in the "Forwarded Events" Channel on the collector.

If I use the wincollect agent on the collector, and use that agent to forward logs to QRadar. Wouldn't QRadar see all logs coming from that specific collector and treat it as a single log source? Or Qradar will be able to recognise the events in the "forwarded events" channel to be coming from different machines and then create a log source for a unique machine/ip in the forwarded events?

Thanks