IBM QRadar

Hello,

we are collecting logs from an Apache webserver running on a Windows device, since syslog is not available, we are sending them to QRadar by WinCollect File Forwarder protocol.

Events show in event log window as unknown; we mapped most of them to QID in the DSM editor but they are still showing as unknown.

Is there anything we can do to solve? Has someone encountered the same issue?

B Regards

Davide

Hi Davide,

If you are collecting logs using WinCollect File Forwarder protocol, then you are better off writing your own custom DSM using DSM editor.

Check this out:

https://www.ibm.com/support/pages/creating-custom-dsm

Have you already followed the above steps and still facing problem?

Hi,

thanks for your support.

I have made a mistake in Log Source Extension Configuration..we had duplicated LSX so in some way it was crating a conflict when associating LSX to the log source.

We have removed the duplicated LSX and wrote a new DSM in DSM editor, now everything is working as expected.

B Regards

Davide

Hello,

What are the required prerequisites to integrate the log file with QRadar using the WinCollect File Forwarder protocol as the server that has the log file already installed on it Managed WinCollect and receiving OS logs from it on QRadar?

Regards,

Omar