Original Message:
Sent: Thu July 27, 2023 11:29 AM
From: Jonathan Pechta
Subject: TLS certificate on wincollect configuration
I created my log source first, then did a deploy. Then I set up WinCollect and did not receive any connection errors. After I restarted WinCollect using the contents of syslog.tls.cert in my destination, I received events after the service restart.
The default self-signed cert that is packaged with QRadar is syslog.tls.cert. I had a typo and missed cleaning up the filename in my steps. You can open the syslog.tls.cert file in a text editor and add it as a destination on your WinCollect agent. I walked through these steps and set up a TLS log source on a new VM install and I was able to receive TLS 1.2 events from my laptop, which points to an EC in our support lab. Be aware, as the default syslog.tls.cert file is self-signed, when you click TEST, it will give you a warning. This is expected as the default cert is self-signed.
For example, I expect this error when I test the log source, as the syslog.tls.cert file I used in the log source is self-signed. I blurred my hostnames, but am receiving events from WC 10.1.6 --> EC VM in our lab.
If you are having issues with your log source, you can always open a case. We have a team of support representatives who can confirm your configuration.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
Original Message:
Sent: Thu July 27, 2023 01:55 AM
From: Hamza
Subject: TLS certificate on wincollect configuration
Hi Jonathan,
First of all, thank you for the response. It means a lot that you chose to respond.
QRadar is deployed onsite on a VM. The WinCollect version is 10.1.2.20. I was looking through the known issues to see if there was an issue on this version of WinCollect.
Kindly confirm the procedure that I am about to enter.
QRadar side:
1- Collect the TLS.SYSLOG.cert from the EC.
2- Create a log source with port 6514 open for bi-directional communication. The certificate field should be Generated Certificate, as we are inputting the syslog.tls.cert from the EC.
3- Deploy the changes.
WinCollect side:
1- In Destination, create a TLS entry and add the TLS certificate. BUT kindly confirm whether syslog.tls.cert is to be added, or, as you mentioned, syslog.tls.key as it is in the text editor? Disable hostname validation and save.
2- Deploy the changes.
3- Confirm that a .PEM file is created in the \Wincollect\config directory.
Check events at QRadar.
Also, kindly confirm: after saving the changes on the WinCollect config console, should a success event for the TLS certificate be shown, or will it be "Connection lost" until a log source is created?
I can share the screenshot if required.
Best regards,
P.S: Would it be fine to email you sometime for any queries as I see that you have mentioned your email?
------------------------------
Hamza
Original Message:
Sent: Tue July 25, 2023 01:18 PM
From: Jonathan Pechta
Subject: TLS certificate on wincollect configuration
You can use the default certificate as described here in the documentation: https://www.ibm.com/docs/en/qradar-on-cloud?topic=console-sending-encrypted-events-qradar. You did not mention your WinCollect version, but if you are not already, you should be on 10.1.6-3, as there was a cert path fix in that WinCollect update.
If not on WinCollect 10.1.6, download it here: https://ibm.biz/getwincollect10
What to confirm
- You've got the tls-syslog.cert from the correct Event Collector.
- In QRadar: You must create the log source first to open port 6514.
- If you are using the default cert from your EC, the Server Certificate Type field must be Generated Certificate in the log source.
- Make sure you've done a deploy, as this is required to open port 6514, if not already open.
- In WinCollect 10: Set up your destination
  - Select Use provided TLS certificate.
  - Open your tls-syslog.key in any text editor and paste the full text into the TLS certificate field.
  - Disable the 'Hostname validation' check box.
  - A .PEM file is created in the /config directory. Note: If you updated the TLS certificate or IP address for your destination, you must deploy for WinCollect 10 to create a new PEM file in the Program Files\IBM\WinCollect\config directory.
Results
You should be able to add a filter in the Log Activity tab and confirm that the events are received.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
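As an added, stand-alone check that is not part of this thread and not IBM WinCollect or QRadar code, the following Python script does from the agent host what the checklist above and the later confirmation about syslog.tls.cert describe by hand: it confirms that the file you are about to paste contains a CERTIFICATE block rather than a private key, then opens a TLS 1.2 connection to the collector on port 6514 trusting only that certificate with hostname validation switched off (the same two settings as the WinCollect destination), and reports whether the certificate the collector presents matches the local copy. That pinning is also why the self-signed default cert validates here even though the log source TEST button warns about it. The collector hostname, the file name syslog.tls.cert, port 6514 and the two sample PEM blocks are assumptions or constructed for the example.

```python
"""Check the TLS material used for a WinCollect -> QRadar Event Collector
destination. Added example, not IBM code; host, port and file name are
assumptions, and the SAMPLE_* blocks are constructed, not real material."""
import base64
import hashlib
import re
import socket
import ssl

# One PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed sample PEM blocks for the offline checks. The base64 body is
# arbitrary bytes, not an X.509 structure, so nothing here parses as a cert.
_FAKE_BODY = base64.b64encode(b"constructed-der-bytes").decode()
SAMPLE_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{_FAKE_BODY}\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = f"-----BEGIN RSA PRIVATE KEY-----\n{_FAKE_BODY}\n-----END RSA PRIVATE KEY-----\n"


def classify_pem(text: str) -> list:
    """Return the block labels found in a PEM file, e.g. ['CERTIFICATE'].
    The WinCollect 'TLS certificate' field expects a CERTIFICATE block; a
    PRIVATE KEY block means the .key file was copied instead of the .cert
    file, and that key should stay on the collector."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def pem_to_der(text: str) -> bytes:
    """Decode the first CERTIFICATE block to its DER bytes."""
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            return base64.b64decode("".join(body.split()))
    raise ValueError("no CERTIFICATE block in PEM text")


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, as a lowercase hex string."""
    return hashlib.sha256(der).hexdigest()


def probe_collector(host: str, port: int, cafile: str, timeout: float = 5.0) -> dict:
    """Connect the way the agent destination is configured in the thread:
    trust only the collector's own certificate (cafile), require TLS 1.2 or
    newer, and skip hostname validation because the default self-signed
    cert's subject does not name the collector. Returns what was negotiated
    and whether the presented certificate is the same file we hold locally."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False           # 'Hostname validation' unchecked
    ctx.verify_mode = ssl.CERT_REQUIRED  # but the chain must still end at cafile
    with open(cafile) as f:
        local_fp = fingerprint(pem_to_der(f.read()))
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            peer_fp = fingerprint(tls.getpeercert(binary_form=True))
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "peer_fingerprint": peer_fp,
                "matches_local_copy": peer_fp == local_fp,
            }


if __name__ == "__main__":
    import sys
    # Usage (assumed names): python check_wincollect_tls.py ec.example.internal syslog.tls.cert
    host, cafile = sys.argv[1], sys.argv[2]
    with open(cafile) as f:
        print("PEM blocks in file:", classify_pem(f.read()))
    print(probe_collector(host, 6514, cafile))
```

If `matches_local_copy` is False, the certificate was taken from a different Event Collector than the one the destination points at, which is the first item in the checklist above; if `classify_pem` reports a PRIVATE KEY block, the wrong file was opened in the text editor.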
Original Message:
Sent: Mon July 24, 2023 04:03 AM
From: Hamza
Subject: TLS certificate on wincollect configuration
Require some insights regarding the TLS certificate configuration on the WinCollect 10 stand-alone configuration console.
Is the TLS certificate to be inserted into the configuration console the same syslog.tls.cert available on the Event Collector?
When doing so, it does not accept the certificate and shows "Connection lost" in the logs of the WinCollect 10 config console.
Kindly guide if you have any information.
------------------------------
Hamza