Hi Peter,
What transport protocol (UDP or TCP) are you using to send the events from WinCollect to QRadar? QRadar by default truncates UDP messages at 1 KB and TCP syslog events at 4 KB, though both can be adjusted in System Settings. And actually I believe WinCollect itself will truncate at 1 KB for UDP before sending.
If you're using UDP, I suspect the event is being truncated. Those Event Data values are generally injected into a format string and included in the "Message" field, which is always the last field in the event. In your screenshot above the "Message" value is just "New Connection", whereas I would expect a much more verbose message for most Windows events. So it's probably just getting cut off.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
------------------------------
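To make the truncation explanation above concrete, here is an added example (not code from the thread, IBM, or WinCollect) that builds a constructed WinCollect-style event, cuts it at the default per-transport limits named in the reply (1 KB for UDP, 4 KB for TCP), and reports which fields survive. The tab-separated key=value layout with Message last, the channel name, the event ID and the EventData values are all assumptions made for the example.

```python
"""Constructed example: estimate whether a WinCollect-style syslog event
would be cut off by QRadar's default per-transport payload limits and,
if so, which trailing fields (the Message and the event data inside it)
are lost. Field layout and sample values are assumptions, not WinCollect's
exact output."""

# Default maximum syslog payload sizes named in the thread (bytes);
# both are adjustable in QRadar's System Settings.
DEFAULT_LIMITS = {"udp": 1024, "tcp": 4096}


def build_event(header_fields, message):
    """Assemble a constructed WinCollect-like payload: tab-separated
    key=value pairs with the Message field always last."""
    body = "\t".join(f"{k}={v}" for k, v in header_fields.items())
    return f"{body}\tMessage={message}"


def parse_event(payload):
    """Split a (possibly truncated) payload back into a dict of fields."""
    fields = {}
    for part in payload.split("\t"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def simulate_transport(payload, transport, limits=DEFAULT_LIMITS):
    """Return the payload as the collector would store it: cut at the byte
    limit for the given transport (a split multi-byte character is dropped)."""
    limit = limits[transport.lower()]
    return payload.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def truncation_report(payload, transport, limits=DEFAULT_LIMITS):
    """Compare the full event with what survives the transport limit."""
    limit = limits[transport.lower()]
    size = len(payload.encode("utf-8"))
    full = parse_event(payload)
    received = parse_event(simulate_transport(payload, transport, limits))
    lost = [k for k in full if k not in received]          # key itself cut off
    clipped = [k for k, v in received.items() if v != full.get(k)]  # partial value
    return {
        "bytes": size,
        "limit": limit,
        "truncated": size > limit,
        "lost_fields": lost,
        "clipped_fields": clipped,
        # The thread's question: does the EventData at the tail of Message arrive?
        "event_data_intact": "RemoteUserAccount" in received.get("Message", ""),
    }


# Constructed sample: header fields as an agent might emit them, then a
# verbose Message whose tail carries the EventData values the thread asks
# about. FILLER stands in for the long descriptive text Windows places
# before the structured data (assumed, about 1.2 KB).
HEADER = {
    "AgentDevice": "WindowsLog",
    "AgentLogFile": "constructed-BFE-Connections",  # assumed channel name
    "Computer": "fw-host.example.test",               # constructed host
    "EventID": "1000",                                # constructed event id
    "EventType": "4",
    "TimeGenerated": "2021-02-23 08:47:00",
}
FILLER = " ".join(["lorem"] * 200)
MESSAGE = (
    "New Connection " + FILLER +
    " RemoteMachineAccount=EXAMPLE\\HOST$ RemoteUserAccount=EXAMPLE\\alice"
)
SAMPLE_EVENT = build_event(HEADER, MESSAGE)


if __name__ == "__main__":
    for transport in ("udp", "tcp"):
        r = truncation_report(SAMPLE_EVENT, transport)
        print(f"{transport}: {r['bytes']} bytes, limit {r['limit']}, "
              f"truncated={r['truncated']}, lost={r['lost_fields']}, "
              f"clipped={r['clipped_fields']}, "
              f"event_data_intact={r['event_data_intact']}")
```

Running it shows the pattern the reply describes: over UDP the header fields all arrive but the Message value is clipped and the EventData at its end never reaches QRadar, while over TCP the same event fits under the 4 KB default and arrives whole. Swapping in the limits configured in System Settings for `DEFAULT_LIMITS` turns this into a quick check against a real payload captured with tcpdump.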
Original Message:
Sent: Wed February 24, 2021 04:27 AM
From: Peter Fischer
Subject: WinCollect did not forward all Event Data
Hi Karl
The problem is, we don't have all information in the payload. For example:
On the server, the Details tab contains more information:
The RemoteMachineAccount and RemoteUserAccount values are interesting for us.
WinCollect does not send the relevant information. We have checked this with tcpdump.
Is it possible to configure WinCollect to also send the "EventData"?
Thank you very much,
Peter
------------------------------
Peter Fischer
Original Message:
Sent: Tue February 23, 2021 01:55 PM
From: Karl-Heinz Jaeger
Subject: WinCollect did not forward all Event Data
Hi Peter
Not sure what "details" you are receiving. The payload should show you everything! From there you proceed using all Windows properties you want and define what's left in DSM Editor. Make sure you have the Windows content packages installed from App Exchange.
BR Karl
------------------------------
Karl-Heinz Jaeger
senior consultant
pro4bizz GmbH
Karlsruhe
+4972190981722
Original Message:
Sent: Tue February 23, 2021 08:47 AM
From: Peter Fischer
Subject: WinCollect did not forward all Event Data
Hi,
We would like to send the event data of the logs "Base-Filtering-Engine (BFE) Connections Operational" and "WinNat" to QRadar. The data arrives at QRadar; however, only the data that is visible in the event log under General arrives. We do not receive the data that is visible in the event log under Details, but we need that detailed data. Is this possible, and how do we configure it?
Thanks very much,
Peter
------------------------------
Peter Fischer
------------------------------