Overview

This blog post shows you how to set up a secondary destination in Stand Alone WinCollect. A secondary destination can be used as a failover site when the primary destination goes down. If the Agent is unable to reach the primary destination for a pre-determined time (the failover period), the Agent sends events to the secondary destination instead. The Agent continues to check the primary connection and switches back when it is available again.

Use Case

The customer is replacing an existing QRadar event collector over an extended time frame and would like to send events to another collector while this is occurring.

The customer would like to set up a failover destination to provide redundancy in the deployment as well as to address a possible site failure.

Pre-requisites

WinCollect 7.3.0

Fresh Install

Sample command-line install that collects the Security, Application and System event logs and is configured with a secondary destination:

c:\wincollect-7.3.0-24.x64.exe /s /v"/qn STATUSSERVER=172.18.X.X LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=EventLogLocal&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Dest.Name=QRadar&Component1.EventLogPollProtocol=MSEVEN6&Component1.Dest.Hostname=172.18.X.X&Component1.Dest.Port=514&Component1.Dest.Protocol=TCP&Component1.Secondary=172.18.X.X&Component1.Failover=1800&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=true&Component1.Log.ForwardedEvents=false&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=10000&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1825&Component1.EventRateTuningProfile=High+Event+Rate+Server&Component1.TimestampFormat=Milliseconds"""

Required Customer Modifications

STATUSSERVER=172.18.X.X
This is where the Agent status messages are sent (you don't need this parameter if you don't want the status messages).

Component1.Dest.Hostname=172.18.X.X
This is the IP/hostname of the QRadar Console/EC where you want to send the Syslog events. In this example, the destination uses TCP over port 514 (Component1.Dest.Port=514&Component1.Dest.Protocol=TCP).

Component1.Secondary=172.18.X.X
This is the IP/hostname of the secondary destination that receives events if the primary destination fails.

Component1.Failover=1800
The number of seconds that the primary destination must be unreachable before the Agent begins sending events to the secondary destination. The default is 30 minutes (1800 seconds).

Update Existing install using Template

Create Template

Create a template named service_DestinationManager.xml

<Service version="7.3.0.24" classification="Service" type="Service" module="WinCollectPlugin" name="DestinationManager">
  <InstanceData>
    <Instance name="QRadar">
      <Module order="1" service_name="StoreAndForwardStage">
        <Environment>
          <Parameter value="1000000" name="QueueHighWaterMark" />
          <Parameter value="750000" name="QueueLowWaterMark" />
          <Parameter value="10" name="DataChunkPeriod" />
          <Parameter value="500000" name="DataProcessingPeriod" />
          <Parameter value="false" name="Schedule.Invert" />
          <Parameter value="true" name="Schedule.Enable" />
        </Environment>
      </Module>
      <Module order="2" service_name="SimpleEventThrottle">
        <Environment>
          <Parameter value="5000" name="EventThrottleInEPS" />
        </Environment>
      </Module>
      <Module order="3" service_name="SyslogHeaderStage">
        <Environment />
      </Module>
      <Module order="4" service_name="TCPSendStage">
        <Environment>
          <Parameter value="172.18.X.X" name="TargetAddress" />
          <Parameter value="172.18.X.X" name="Secondary" />
          <Parameter value="1800" name="Failover" />
          <Parameter value="514" name="TargetPort" />
        </Environment>
      </Module>
    </Instance>
  </InstanceData>
  <Environment />
</Service>

Required Customer Modifications

<Instance name="QRadar">

Make sure to change the name to match the name of the destination that is used in your deployment.

TargetAddress=172.18.X.X
This is the IP/hostname of the QRadar Console/EC where you want to send the Syslog events. In this example, the destination uses TCP over port 514.

Secondary=172.18.X.X
This is the IP/hostname of the secondary destination that receives events if the primary destination fails.

Failover=1800
The number of seconds that the primary destination must be unreachable before the Agent begins sending events to the secondary destination. The default is 30 minutes (1800 seconds).
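To keep the values in the install command and in the template in step, here is an added Python example (not IBM's or WinCollect's own code) that parses the destination keys out of a LOG_SOURCE_AUTO_CREATION_PARAMETERS string, checks the failover settings, renders the service_DestinationManager.xml shown above, and reads the TCPSendStage parameters back. The sample parameter string and the 172.18.0.x addresses are constructed; the function names, and the assumption that the patched Agent-Config.xml keeps the same Instance/Module/Environment/Parameter layout, are mine.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample: destination part of the page's LOG_SOURCE_AUTO_CREATION_PARAMETERS.
SAMPLE_PARAMS = ("Component1.Dest.Name=QRadar&Component1.Dest.Hostname=172.18.0.10&Component1.Dest.Port=514"
                 "&Component1.Secondary=172.18.0.11&Component1.Failover=1800")

def destination_settings(params, component="Component1"):
    """Pull the failover-relevant keys out of the install parameter string."""
    q = {k: v[0] for k, v in parse_qs(params).items()}  # '+' is a space, as in DNS+Server
    p = component + "."
    s = {"name": q[p + "Dest.Name"], "primary": q[p + "Dest.Hostname"],
         "port": int(q.get(p + "Dest.Port", "514")), "secondary": q.get(p + "Secondary"),
         "failover": int(q.get(p + "Failover", "1800"))}  # seconds; page default is 30 min
    if not s["secondary"]:
        raise ValueError("no Secondary destination configured")
    if s["secondary"] == s["primary"]:
        raise ValueError("Secondary equals primary: failover adds no redundancy")
    if s["failover"] <= 0:
        raise ValueError("Failover must be a positive number of seconds")
    return s

def render_template(s, version="7.3.0.24"):
    # Same Service/Instance/Module layout as the page's service_DestinationManager.xml
    svc = ET.Element("Service", version=version, classification="Service", type="Service",
                     module="WinCollectPlugin", name="DestinationManager")
    inst = ET.SubElement(ET.SubElement(svc, "InstanceData"), "Instance", name=s["name"])
    stages = [
        ("StoreAndForwardStage", {"QueueHighWaterMark": "1000000", "QueueLowWaterMark": "750000",
                                  "DataChunkPeriod": "10", "DataProcessingPeriod": "500000",
                                  "Schedule.Invert": "false", "Schedule.Enable": "true"}),
        ("SimpleEventThrottle", {"EventThrottleInEPS": "5000"}),
        ("SyslogHeaderStage", {}),
        ("TCPSendStage", {"TargetAddress": s["primary"], "Secondary": s["secondary"],
                          "Failover": str(s["failover"]), "TargetPort": str(s["port"])}),
    ]
    for order, (stage, env) in enumerate(stages, start=1):
        mod = ET.SubElement(inst, "Module", order=str(order), service_name=stage)
        envel = ET.SubElement(mod, "Environment")
        for name, value in env.items():
            ET.SubElement(envel, "Parameter", value=value, name=name)
    ET.SubElement(svc, "Environment")
    return ET.tostring(svc, encoding="unicode")

def tcp_send_settings(xml_text, instance):
    """Read back TCPSendStage parameters for one destination (template or patched Agent-Config.xml)."""
    mod = ET.fromstring(xml_text).find(
        f".//Instance[@name='{instance}']/Module[@service_name='TCPSendStage']")
    if mod is None:
        raise ValueError(f"no TCPSendStage for destination instance {instance!r}")
    return {p.get("name"): p.get("value") for p in mod.findall("Environment/Parameter")}
```

Run tcp_send_settings against the Agent-Config.xml in \WinCollect\config after the patch is applied to confirm the Secondary and Failover values actually reached the agent.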

Deploy Template

Now that you have the template file, you can push it out to any agent where WinCollect 7.3.0-24 is installed in stand-alone mode.

Copy service_DestinationManager.xml to the \WinCollect\patch folder.

The WinCollect Agent checks the patch folder every 3 to 5 seconds; it will pick up the template file, merge its contents into Agent-Config.xml and then restart WinCollect. You will then see an additional patch_checkpoint folder and a new Agent-Config.xml in the \WinCollect\config folder.
