IBM QRadar


Wincollect: OriginatingComputer uses wrong IP

  • 1.  Wincollect: OriginatingComputer uses wrong IP

    Posted Wed December 16, 2020 12:18 PM

    WinCollect Agent 7.3.0-41 (x64)

    When collecting logs via WinCollect from computers with multiple network interfaces WinCollect obviously uses the IP of a randomly selected network interface to populate the OriginatingComputer property of the log message.

    The OriginatingComputer property is mapped to the Source and Destination IP property used within QRadar. This results in events with wrong source and destination addresses, i.e. you cannot distinguish what network the computer was connected to while the log was created.

    Example:

    <13>Dec 16 12:27:47 <IDENTIFER> AgentDevice=WindowsLog AgentLogFile=System PluginVersion=7.3.0.41 Source=Microsoft-Windows-GroupPolicy Computer=xxx.yyy.ccc.de OriginatingComputer=192.168.2.30 User=XXX Domain=XXX EventID=1501 EventIDCode=1501 EventType=4 EventCategory=0 RecordNumber=65426 TimeGenerated=1608118065 TimeWritten=1608118065 Level=Informational Keywords=0x8000000000000000 Task=None Opcode=Start Message=The Group Policy settings for the user were processed successfully. No changes were detected since the last successful Group Policy processing.

    The IP 192.168.2.30 is only a local interface and is not the IP of the interface that is used to communicate with the corporate network.



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Wincollect: OriginatingComputer uses wrong IP

    Posted Sun February 13, 2022 03:59 PM

    Use the article below:

    -L [localIP] Use this setting to select the IP address that is displayed for all log sources on systems with multiple network interface cards (NIC).

    For example, installerhelper.exe -L 192.0.2.0

    -O [OrigComputer] Use this setting to select the IP address that is displayed for Windows events on systems with multiple NICs.

    For example, installerhelper.exe -O 198.51.100.0

    https://www.ibm.com/docs/en/qradar-on-cloud?topic=SSKMKU/com.ibm.wincollect.doc/c_ug_wincollect_change_config.html



    #QRadar
    #Support
    #SupportMigration
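
The following PowerShell script is an added example for both posts above; it is not part of the thread or of IBM's documentation. It parses a WinCollect payload such as the one in the first post to read the OriginatingComputer field, picks the IPv4 address of the NIC that carries the host's default route as the "corporate" address, and, when run with -Apply, pins WinCollect to that address with the -O and -L flags quoted in the second post. The install directory (C:\Program Files\IBM\WinCollect\bin), the service name 'WinCollect', the need to restart the service after the change, and the choice of the default-route interface as the correct one are all assumptions; adjust them to your environment.

```powershell
param(
    # Pass -Apply to actually run installerhelper.exe; without it the script only reports.
    [switch]$Apply,
    # Assumed WinCollect install directory; adjust to where your agent is installed.
    [string]$WinCollectBin = 'C:\Program Files\IBM\WinCollect\bin',
    # Event to inspect. Default is the line from the first post (message text shortened);
    # pass a raw payload from your own QRadar log source to check a real host.
    [string]$EventLine = '<13>Dec 16 12:27:47 <IDENTIFER> AgentDevice=WindowsLog AgentLogFile=System PluginVersion=7.3.0.41 Source=Microsoft-Windows-GroupPolicy Computer=xxx.yyy.ccc.de OriginatingComputer=192.168.2.30 User=XXX Domain=XXX EventID=1501 EventIDCode=1501 EventType=4 EventCategory=0 RecordNumber=65426 TimeGenerated=1608118065 TimeWritten=1608118065 Level=Informational Keywords=0x8000000000000000 Task=None Opcode=Start Message=Group Policy settings for the user were processed successfully.'
)

# Parse the Key=Value header of a WinCollect syslog payload into a hashtable.
# Everything after "Message=" is free text that can contain spaces and '=' signs,
# so it is kept whole instead of being split further.
function Get-WinCollectEventFields {
    param([Parameter(Mandatory)][string]$Line)
    $fields = @{}
    $head, $msg = $Line -split ' Message=', 2
    foreach ($m in [regex]::Matches($head, '(\w+)=(\S+)')) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    if ($msg) { $fields['Message'] = $msg }
    return $fields
}

# Pick the IPv4 address of the interface that carries the default route (lowest metric).
# Assumption: on these hosts that is the corporate-facing NIC; change the selector if
# your management network is identified differently (VLAN, interface alias, ...).
function Get-CorporateIPv4 {
    $route = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction Stop |
        Sort-Object RouteMetric, InterfaceMetric | Select-Object -First 1
    if (-not $route) { throw 'No IPv4 default route found.' }
    $addr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceIndex $route.InterfaceIndex |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |   # skip 169.254.x.x APIPA addresses
        Select-Object -First 1
    if (-not $addr) { throw "No usable IPv4 address on interface index $($route.InterfaceIndex)." }
    return $addr.IPAddress
}

$fields   = Get-WinCollectEventFields -Line $EventLine
$reported = $fields['OriginatingComputer']
$expected = Get-CorporateIPv4

Write-Host "OriginatingComputer in event : $reported"
Write-Host "Default-route interface IP   : $expected"
# List every IPv4 address on the box so the operator can confirm the chosen one is right.
Get-NetIPAddress -AddressFamily IPv4 |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin | Format-Table -AutoSize

if ($reported -eq $expected) {
    Write-Host 'OriginatingComputer already matches the corporate interface; nothing to do.'
}
elseif ($Apply) {
    Write-Warning "WinCollect reports $reported; pinning it to $expected"
    # -O sets the address shown for Windows events, -L the address shown for all log
    # sources (both flags as quoted from the IBM documentation in the reply above).
    & (Join-Path $WinCollectBin 'installerhelper.exe') -O $expected
    & (Join-Path $WinCollectBin 'installerhelper.exe') -L $expected
    # Assumed: the agent runs as the 'WinCollect' service and needs a restart to pick up the change.
    Restart-Service -Name 'WinCollect' -ErrorAction Stop
}
else {
    Write-Warning "WinCollect reports $reported but the corporate interface is $expected; re-run with -Apply to fix."
}
```

Run it first without -Apply on the affected host to see which address it would choose, then with -Apply from an elevated prompt. After the agent restarts, pull a fresh payload for the host from QRadar and pass it as -EventLine to confirm OriginatingComputer now carries the corporate address.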