WinCollect file forwarder only supports XML in multi-line format.
Ideally, your source app should probably be writing events to the Event Viewer on the Windows host. Then you can just XPath query with WinCollect to retrieve the event. For more information on the Windows Event Log API, see: Win32 Event Log API.
Another option here would be to create a script that converts the HTML to XML or another format. There are no protocols that I'm aware of that read or convert HTML in QRadar to another format, so anything you did would be a custom script or open source tool to convert your HTML events. As HTML is structured, you should convert it to text or XML. PowerShell has some default exporters that might help: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertto-xml?view=powershell-7.3
Anything you do on the conversion side of things is going to be custom. You likely want an intermediate location (folder or server) to handle this if there are application logs as you want to be able to compare the core application logs with their converted counterpart to ensure they look okay.
- Set up a method to copy logs to a new source folder. You probably want to copy the logs, not move them, as you do not want to corrupt your core logs and you probably want to compare them to the source's data.
- Convert the HTML to another format (XML or single line text).
- Create a custom Log Source Type in the DSM Editor to parse a sample of the converted log.
- Configure a log source in WinCollect to forward the file to QRadar.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------
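The staging and conversion steps above, written out as an added PowerShell example (not from the thread, not IBM code). It assumes the application writes each event as one `<tr>` row of an HTML table with one `<td>` per field; the folder paths and the field names in `$Fields` are placeholders to adjust to your application. Each row becomes a single line of key="value" pairs, which keeps the WinCollect file forwarder from splitting an event and gives the DSM Editor simple regex targets. The originals are copied, never moved, so the staged copy can be compared against the source.

```powershell
# Added example (not from the original thread): stage HTML application logs and
# convert them to single-line text that the WinCollect file forwarder can ship.
# ASSUMPTION: each event is one <tr> in an HTML table, with one <td> per field.
$SourceDir  = 'C:\App\Logs'        # placeholder: where the application writes HTML logs
$StagingDir = 'C:\QRadar\Staging'  # placeholder: folder the WinCollect log source watches
$Fields     = @('timestamp', 'severity', 'user', 'message')  # assumed column order

New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null

function Convert-HtmlRowToEvent {
    param([string]$Row, [string[]]$Names)
    # Pull the cell contents out of one <tr>...</tr> block.
    $cells = @([regex]::Matches($Row, '(?is)<td[^>]*>(.*?)</td>') |
               ForEach-Object { $_.Groups[1].Value })
    # Strip any nested tags, decode entities, collapse whitespace (including CR/LF).
    $clean = @($cells | ForEach-Object {
        $t = [regex]::Replace($_, '<[^>]+>', '')
        $t = [System.Net.WebUtility]::HtmlDecode($t)
        ($t -replace '\s+', ' ').Trim()
    })
    # Emit key="value" pairs; unnamed extra columns get a generic fieldN name.
    $pairs = @()
    for ($i = 0; $i -lt $clean.Count; $i++) {
        $name = if ($i -lt $Names.Count) { $Names[$i] } else { "field$i" }
        $pairs += '{0}="{1}"' -f $name, ($clean[$i] -replace '"', '\"')
    }
    return ($pairs -join ' ')
}

Get-ChildItem -Path $SourceDir -Filter '*.html' | ForEach-Object {
    # Copy, never move: the original log stays intact for later comparison.
    $copy = Join-Path $StagingDir $_.Name
    Copy-Item -Path $_.FullName -Destination $copy -Force

    $html = Get-Content -Path $copy -Raw
    $rows = @([regex]::Matches($html, '(?is)<tr[^>]*>.*?</tr>') | ForEach-Object { $_.Value })
    $events = $rows |
        Where-Object { $_ -match '(?is)<td' } |   # skip header rows that only contain <th>
        ForEach-Object { Convert-HtmlRowToEvent -Row $_ -Names $Fields }

    # One event per line with no embedded line breaks, so the forwarder never splits it.
    $out = [System.IO.Path]::ChangeExtension($copy, '.log')
    $events | Set-Content -Path $out -Encoding UTF8
}
```

Run it on a schedule (Task Scheduler is enough) before the WinCollect log source picks up the `.log` files, and point the custom Log Source Type in the DSM Editor at a sample of the converted output rather than the HTML. Open a converted file next to its staged `.html` copy once to confirm every row produced exactly one line before trusting the pipeline.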
Original Message:
Sent: Tue November 22, 2022 03:29 AM
From: Deepali Pisal
Subject: Unable to get application logs in proper format on Qradar console
Hi,
I have forwarded application logs (which are in HTML format) to the QRadar console using the WinCollect file forwarder protocol. From that log source, events are being received on the QRadar console, but the payload information is not in the correct format, or it might be splitting. I did the same integration for other application logs (which are in text format) and the logs / payload information is received in the correct format.
Please suggest the correct method to integrate an application log which is in HTML format with QRadar, so that the log will be received in the proper format.
------------------------------
Deepali Pisal
------------------------------