Hi,
we have Windows security event logs from multiple servers forwarded through the domain policy to a WinCollect collector server and then to QRadar.
I noticed that one server is sending logs with two different log source identifiers. One is in FQDN format, FS-CI-PP-01.eagle.birds.com, and the second is just FS-CI-PP-01.
From FS-CI-PP-01.eagle.birds.com we are getting the log types Applications, Security and System, which is how it should be.
From FS-CI-PP-01 we are getting just two event names from Application type logs. These event names are possibly related to RDP sessions.
This means that we have two log sources for one server/IP in QRadar, which isn't how I like it :)
Does anyone know what could be the reason for this behavior?
Regards
T
------------------------------
tysa
------------------------------
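A quick check for this kind of split, added here and not part of tysa's post: it groups forwarded events by short hostname and reports any host that appears under more than one identifier, with the log types seen under each. The record layout and the sample values are assumptions modelled on the case above.

```python
"""Flag hosts that report under two log source identifiers (short hostname
vs. FQDN). Added example; the record layout and field names are assumptions."""
from collections import defaultdict

# Constructed sample: (log source identifier, Windows log, event name),
# modelled on the post. All values are assumptions.
SAMPLE_EVENTS = [
    ("FS-CI-PP-01.eagle.birds.com", "Application", "Application Error"),
    ("FS-CI-PP-01.eagle.birds.com", "Security", "An account was logged on"),
    ("FS-CI-PP-01.eagle.birds.com", "System", "Service started"),
    ("FS-CI-PP-01", "Application", "Session reconnect"),
    ("FS-CI-PP-01", "Application", "Session disconnect"),
    ("DC-01.eagle.birds.com", "Security", "An account was logged off"),
    ("dc-01.eagle.birds.com", "System", "Service started"),  # case only
]


def short_host(identifier: str) -> str:
    """Normalise an identifier to its lowercase short hostname."""
    return identifier.strip().lower().split(".")[0]


def find_split_hosts(events):
    """Return {short_host: {identifier: sorted log types}} for every host that
    reports under more than one distinct identifier (case-insensitive)."""
    by_host = defaultdict(lambda: defaultdict(set))
    for identifier, log_type, _event_name in events:
        by_host[short_host(identifier)][identifier.strip().lower()].add(log_type)
    return {
        host: {ident: sorted(types) for ident, types in idents.items()}
        for host, idents in by_host.items()
        if len(idents) > 1
    }


if __name__ == "__main__":
    for host, idents in find_split_hosts(SAMPLE_EVENTS).items():
        print(host)
        for ident, types in idents.items():
            print(f"  {ident}: {', '.join(types)}")
```

The DC-01 entries differ only in case and so are not reported; only FS-CI-PP-01 shows up, with its FQDN carrying all three logs and the short name carrying Application only.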