IBM QRadar

  • 1.  WinCollect did not forward all Event Data

    Posted Tue February 23, 2021 08:48 AM
    Hi,

    We would like to send the event data of the logs "Base-Filtering-Engine (BFE) Connections Operational" and "WinNat" to QRadar. The data arrives at QRadar. However, it is only the data that is visible in the event log under General. We do not receive the data that is visible in the event log under Details. But we need the detailed data. Is this possible, and how do we configure it?

    Thanks very much,

    Peter

    ------------------------------
    Peter Fischer
    ------------------------------


  • 2.  RE: WinCollect did not forward all Event Data

    Posted Tue February 23, 2021 01:56 PM
    Hi Peter
    Not sure what "details" you are receiving. The payload should show you everything! From there you proceed using all the Windows properties you want and define what's left in the DSM editor. Make sure you have the Windows content packages installed from the App Exchange.
    BR Karl

    ------------------------------
    Karl-Heinz Jaeger
    senior consultant
    pro4bizz GmbH
    Karlsruhe
    +4972190981722
    ------------------------------



  • 3.  RE: WinCollect did not forward all Event Data

    Posted Wed February 24, 2021 04:27 AM
    Hi Karl

    The problem is, we don't have all the information in the payload. For example:
    On the server, in the Details tab, there is more information:
    The fields RemoteMachineAccount and RemoteUserAccount are interesting for us.
    WinCollect does not send the relevant information. We have checked this with tcpdump.

    Is it possible to configure WinCollect to send the "EventData" as well?

    Thank you very much,

    Peter

    ------------------------------
    Peter Fischer
    ------------------------------



  • 4.  RE: WinCollect did not forward all Event Data

    Posted Thu February 25, 2021 02:00 AM
    Hi Peter,

    What transport protocol (UDP or TCP) are you using to send the events from WinCollect to QRadar? QRadar by default truncates UDP messages at 1 KB and TCP syslog events at 4 KB, though both can be adjusted in System Settings. And actually I believe WinCollect itself will truncate at 1 KB for UDP before sending.

    If you're using UDP, I suspect the event is being truncated. Those Event Data values are generally injected into a format string and included in the "Message" field, which is always the last field in the event. In your screenshot above the "Message" value is just "New Connection", but I would expect a much more verbose message for most Windows events. So it's probably just getting cut off.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
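    An added example (not code from the thread or from IBM) that turns Colin's truncation hypothesis into a check you can run over captured WinCollect payloads: it parses the key=value layout WinCollect uses, measures the payload against the per-transport limit, and flags events that sit exactly at the limit or have no "Message" field. The sample payloads, field values and the `DEFAULT_LIMITS` table are constructed from the defaults quoted above; pass your own limits if you raised them in System Settings.

    ```python
    import re

    # QRadar default truncation limits per transport, in bytes (adjustable in
    # System Settings); WinCollect's own UDP cap is the same 1 KB per the post above.
    DEFAULT_LIMITS = {"udp": 1024, "tcp": 4096}

    # Constructed sample in the key=value layout WinCollect uses. The field names
    # are the usual WinCollect ones; the values are made up for this example.
    SAMPLE_FULL = (
        "<13>Feb 23 08:48:00 srv01 AgentDevice=WindowsLog "
        "AgentLogFile=Microsoft-Windows-Base-Filtering-Engine-Connections/Operational "
        "PluginVersion=7.2.9 Source=Microsoft-Windows-Base-Filtering-Engine-Connections "
        "Computer=srv01.example.test OriginatingComputer=srv01.example.test "
        "User=N/A Domain=N/A EventID=2000 EventIDCode=2000 EventType=4 "
        "Message=New Connection. " + ("Detail=value " * 120)
    )
    SAMPLE_TRUNCATED = SAMPLE_FULL[:DEFAULT_LIMITS["udp"]]  # simulate a 1 KB UDP cut

    def parse_wincollect_payload(payload: str) -> dict:
        """Split a WinCollect payload into its key=value fields.

        Everything after the first ' Message=' is free text and kept whole.
        Values before it may contain spaces, so tokens without '=' are appended
        to the previous key. Syslog header tokens before the first key are skipped.
        """
        head, sep, message = payload.partition(" Message=")
        fields, key = {}, None
        for tok in head.split(" "):
            m = re.match(r"^(\w+)=(.*)$", tok)
            if m:
                key = m.group(1)
                fields[key] = m.group(2)
            elif key is not None:
                fields[key] += " " + tok
        if sep:
            fields["Message"] = message
        return fields

    def check_truncation(payload: str, transport: str, limits=DEFAULT_LIMITS) -> dict:
        """Report whether a payload looks cut off by the transport's size limit."""
        size = len(payload.encode("utf-8"))
        limit = limits[transport.lower()]
        fields = parse_wincollect_payload(payload)
        required = {"EventID", "Computer", "Message"}
        return {
            "bytes": size,
            "limit": limit,
            "at_limit": size >= limit,                 # exactly at the cap: classic truncation sign
            "missing": sorted(required - fields.keys()),
            "suspect": size >= limit or not fields.get("Message"),
        }
    ```
    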



  • 5.  RE: WinCollect did not forward all Event Data

    Posted Thu February 25, 2021 11:20 AM

    Hi Colin.

    Thank you for your message. We have checked with tcpdump. The transport protocol is TCP. We had configured 16 KB and increased this to 24 KB. Unfortunately without success.

    Cheers

    Peter



    ------------------------------
    Peter Fischer
    ------------------------------



  • 6.  RE: WinCollect did not forward all Event Data

    Posted Thu October 10, 2024 10:59 AM

    Hi @Peter Fischer,

    Have you managed to configure your WinCollect for your need (DirectAccess?)?

    Six years ago I faced the same issue and ended up using nxlog which transfers events in full XML and therefore contains all the useful data.

    Thomas



    ------------------------------
    Thomas LADEL
    ------------------------------



  • 7.  RE: WinCollect did not forward all Event Data

    Posted Thu March 18, 2021 09:48 AM
    Hi Karl,

    I tried to download this file "730_qradar_wincollectupdate-7.2.9-96.sfs" and the "wincollect-agent.exe".
    Kindly check the attached file in this message for the error message.

    Kindly help provide options to resolve it.

    Thanks

    ------------------------------
    Ajala Oyindamola
    ------------------------------