IBM Security QRadar

  • 1.  Debug Partial AppLocker Log Messages

    Posted 30 days ago

    Hello all,

    I have the following scenario. I have systems that forward the Windows AppLocker Log to a Win Event Collector and there it is collected by WinCollect. 

    In QRadar the Logs are shown, but missing all event specific attributes like filename. Even in the payload these attributes are missing, the message attribute is always empty. Only the main event attributes like systemname, event id, event category etc. are available. In the forwarded logs on the Win Event Collector the messages are complete. How can I debug where/why the event specific information got lost? 

    Thanks in advance!



  • 2.  RE: Debug Partial AppLocker Log Messages

    Posted 27 days ago

    Hello, 

    I would ask are you sending from the Win Event Collector to QRadar via UDP or TCP?
    If you are using UDP, I would suggest you try TCP.

    You can increase debug on QRadar and the Wincollect Agent by following these URLs:

    https://www.ibm.com/support/pages/node/6426883

    https://www.ibm.com/support/pages/qradar%C2%AE-how-enable-debug-logging-wincollect

    You can also use tcpdump on the QRadar Host to capture the raw events coming from Wincollect and then use the Wireshark application to view these:
    https://www.ibm.com/support/pages/qradar-using-tcpdump-and-wireshark-troubleshoot-and-analyze-ibm-security-qradar-siem-0

    Use the IP address of the Wincollect Agent and the port it's sending to in the tcpdump command. 
    In this way you can view what raw packets are being received. 

    Regards



    ------------------------------
    Comghall Morgan
    QRadar Support Architect
    IBM
    ------------------------------



  • 3.  RE: Debug Partial AppLocker Log Messages

    Posted 25 days ago

    Thanks for the information! WinCollect is already sending over TCP. 

    I have configured WinCollect to show Trace Messages and can see that the logs forwarded to QRadar are already incomplete. It looks like this:

    Event: AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-AppLocker/EXE and DLL PluginVersion=WC.MSEVEN6.10.1.10.11 Source=Microsoft-Windows-AppLocker Computer=sys01.dom OriginatingComputer=10.10.10.100 User=SYSTEM Domain=NT AUTHORITY EventID=8002 EventIDCode=8002 EventType=4 EventCategory=0 RecordNumber=15068 TimeGenerated=1718005919 TimeWritten=1718005919 Level=Informational Keywords=0 Task=None Opcode=Info Message=

    I can see the same event in Microsoft Event Viewer and in the XML view there are 3 main categories: System, UserData and RenderingInfo. It seems that everything under UserData is missing. It seems that all other events have EventData instead of UserData, so maybe that's the problem. But this is how Microsoft creates the logs. Is there a way to solve this so that WinCollect interprets the information under UserData?



    ------------------------------
    Reinhard Westerholt
    ------------------------------
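The two checks suggested in this thread (look at the raw events WinCollect actually sends, and compare them with the XML view of the same event in Event Viewer) can be scripted so that the comparison is repeatable across many events. The following Python is an added example, not code from the thread, from WinCollect or from IBM. It parses a WinCollect-style `key=value` trace line like the one quoted above and reports whether `Message=` is empty, then parses the Windows event XML and reports whether the event carries its payload under `EventData` or under `UserData`. The sample line is modelled on the one in the thread; the two XML records are constructed (the `urn:example:constructed` namespace and the field names inside `UserData` are placeholders, not AppLocker's real schema), and the `http://schemas.microsoft.com/win/2004/08/events/event` namespace is the standard one Windows uses for event XML.

```python
"""Compare a forwarded WinCollect event line with the event's XML record.

Added example (not from the thread). It shows how to spot the mismatch the
poster describes: the forwarded line has an empty Message= while the event's
XML keeps its details under <UserData> instead of <EventData>.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample line, modelled on the WinCollect trace quoted in the thread.
WINCOLLECT_LINE = (
    "Event: AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-AppLocker/EXE and DLL "
    "PluginVersion=WC.MSEVEN6.10.1.10.11 Source=Microsoft-Windows-AppLocker "
    "Computer=sys01.dom OriginatingComputer=10.10.10.100 User=SYSTEM Domain=NT AUTHORITY "
    "EventID=8002 EventIDCode=8002 EventType=4 EventCategory=0 RecordNumber=15068 "
    "TimeGenerated=1718005919 TimeWritten=1718005919 Level=Informational Keywords=0 "
    "Task=None Opcode=Info Message="
)

# Standard namespace of Windows event XML; the inner namespace below is a placeholder.
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed record whose details sit under <UserData> (AppLocker-like layout).
USERDATA_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-AppLocker"/><EventID>8002</EventID></System>
  <UserData>
    <RuleAndFileData xmlns="urn:example:constructed">
      <PolicyName>EXE</PolicyName>
      <FilePath>C:\Example\app.exe</FilePath>
      <TargetUser>S-1-5-18</TargetUser>
    </RuleAndFileData>
  </UserData>
</Event>"""

# Constructed record using the more common <EventData> layout.
EVENTDATA_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="NewProcessName">C:\Example\app.exe</Data>
  </EventData>
</Event>"""

# A key is a run of word characters followed by '='; a value runs until the next key
# (values such as "NT AUTHORITY" or "EXE and DLL" legitimately contain spaces).
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|\s*$)")


def parse_wincollect_line(line):
    """Return the key=value pairs of a WinCollect trace line as a dict."""
    return {key: value.strip() for key, value in _KV_RE.findall(line)}


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def extract_event_payload(xml_text):
    """Return (section, fields): section is 'EventData', 'UserData' or None."""
    root = ET.fromstring(xml_text)
    event_data = root.find("e:EventData", EVENT_NS)
    if event_data is not None:
        fields = {}
        for index, data in enumerate(event_data):
            # <Data> elements are usually named; fall back to a positional name.
            fields[data.get("Name") or f"Data{index}"] = (data.text or "").strip()
        return "EventData", fields
    user_data = root.find("e:UserData", EVENT_NS)
    if user_data is not None:
        # UserData wraps a provider-specific element; collect its leaf elements.
        fields = {
            _local(elem.tag): (elem.text or "").strip()
            for elem in user_data.iter()
            if elem is not user_data and len(elem) == 0
        }
        return "UserData", fields
    return None, {}


def diagnose_event(line, xml_text):
    """Summarise whether the forwarded line lost the details the XML record holds."""
    forwarded = parse_wincollect_line(line)
    section, payload = extract_event_payload(xml_text)
    message_empty = forwarded.get("Message", "") == ""
    return {
        "event_id": forwarded.get("EventID"),
        "forwarded_message_empty": message_empty,
        "payload_section": section,
        "missing_fields": sorted(payload) if message_empty else [],
    }


if __name__ == "__main__":
    print(diagnose_event(WINCOLLECT_LINE, USERDATA_EVENT_XML))
```

Paste a trace line copied from the WinCollect log and the matching event's XML (Event Viewer, Details tab, XML view) into the two inputs; a result with `forwarded_message_empty` true and `payload_section` set to `UserData` reproduces the situation described in the thread, and `missing_fields` lists exactly which attributes never reached QRadar. The regex is deliberately simple and assumes keys are single words, which holds for the WinCollect fields shown here.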