IBM QRadar

  • 1.  DLC configuration

    Posted 13 days ago

    Hi QRadar experts,

    I'm testing IBM QRadar's Disconnected Log Collector and want to understand how it works in practice, especially with Windows logs via WinCollect (and whether there are alternatives to WinCollect).

    Questions

    1. For new Windows log sources that will send events to DLC, do I need to configure each source on the DLC side, or will DLC reject events that aren't defined in its config?

    2. In the WindowsEventLog template's README I see username and password parameters. Which account should be used here? If WinCollect only forwards logs to DLC from local host, why are credentials required?

    3. I don't see an XPath parameter in the DLC Windows template. Does that mean DLC can only handle default Windows channels (Security/System/Application) and not Sysmon/PowerShell/WMI etc.?


    Thanks



    ------------------------------
    Vydenis Kucinskas
    ------------------------------
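    A local check that helps with question 3 before any collector template is touched: confirm which non-default channels actually exist on the endpoint and that an XPath filter selects events from them. This is an added example, not code from the thread or from IBM; the channel list is an assumption about what the asker wants to forward, and the XPath is only a sample filter.

```powershell
# Added example (not from the thread or IBM): inventory the Windows channels a
# collector would need to read and verify an XPath filter returns events from them.
$channels = @(
    'Security',                                   # default channel
    'Microsoft-Windows-Sysmon/Operational',       # present only when Sysmon is installed
    'Microsoft-Windows-PowerShell/Operational',   # script block logging lands here
    'Microsoft-Windows-WMI-Activity/Operational'
)

foreach ($ch in $channels) {
    $log = Get-WinEvent -ListLog $ch -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Output "$ch : channel not present on this host"
        continue
    }
    # Sample XPath: events written in the last 24 hours (timediff is in milliseconds).
    $xpath  = "*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]"
    $recent = Get-WinEvent -LogName $ch -FilterXPath $xpath -MaxEvents 5 -ErrorAction SilentlyContinue
    Write-Output ("{0} : enabled={1}, records={2}, sampled={3}" -f `
        $ch, $log.IsEnabled, $log.RecordCount, @($recent).Count)
}
```

    Run it on a representative laptop as an account that can read the Security log; a channel that is absent or disabled here will not appear at the collector no matter how the forwarding path is built.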


  • 2.  RE: DLC configuration

    Posted 12 days ago

    The main question is whether you really need a DLC.

    QRadar has 3 collectors - EventCollector (EC), Disconnected Log Collector (DLC) and WinCollect. They have a lot in common and some differences. WinCollect is a collector agent, specifically for collecting Windows events. DLC is a lightweight general collector. EC is the most feature rich collector, which is also managed and has parsing and normalization built in.

    While it is possible to send events from WinCollect to DLC to QRadar, there has to be a good reason to introduce this path and complexity. What are you trying to achieve? 



    ------------------------------
    Perf1
    ------------------------------



  • 3.  RE: DLC configuration

    Posted 8 days ago

    Hi,

    I'm testing DLC log collection in the DMZ. To better understand the setup, our goal is to collect logs from endpoints (laptops) regardless of their location or VPN connection status - similar to how XDR/EDR agents send logs directly to the cloud.

    We want to implement a similar approach, where agents forward their logs to the DLC using WinCollect (or maybe another solution).

    In my opinion, the EC/EP setup is not as secure as the DLC for this purpose.

    P.S. I understand that XDR/EDR solutions would handle log collection and aggregation more effectively, but let's assume XDR/EDR is not an option in this scenario.

    BR



    ------------------------------
    Vydenis Kucinskas
    ------------------------------