Hi everyone. Josh here again from the WinCollect development team.

In this blog post I’m going to show you how to install a WinCollect agent, using both the installer UI and the command line, so that it uses TLS syslog to send events to your QRadar deployment. In this example, I’m going to use the self-signed syslog TLS certificate that is on one of the QRadar destinations I have in the lab. If you have your own CA-signed or publicly signed certificate, this example will still work.

To begin this process, we’re going to need to start with a machine that already has WinCollect installed. By default, a quick install of WinCollect will have a destination called “QRadar” defined. In the WinCollect configuration UI you can go to the Destinations section. Here we will need to change our destination to use TLS and copy in the certificate. To get the certificate, we need to go over to our QRadar destination and view the contents of the certificate. To do that we can use:

cat /opt/qradar/conf/trusted_certificates/syslog-tls.cert

Now we need to copy the full details of the certificate, including the “Begin” and “End” lines, and paste it into the “TLS certificate” field in the WinCollect console UI. When we click save and then apply the changes to the agent, the agent will convert the certificate over. This also lets us use the converted value in a script, which makes installing agents that use TLS easier.

Here is an example of what the converted string will look like in your AgentConfig file:

Now that we have this information, we can then start to piece together our installation script that will be used to install our new agents.

I’ve attached an installation script that you can use to help craft your own for your QRadar deployment. In the example script, replace the contents under the “Certificate” field with the converted certificate for your destination. You will also need to change the IP address to the hostname of the QRadar appliance that is being used for your WinCollect destination in both “Address” fields in the example (because of how SSL/TLS validation works, this hostname needs to match what is in the certificate).

Also note that in this example I’m only collecting Application, System and Security events. If you want to collect events from other channels or log files, you can add them to your script at this time as well. You can refer to our GitHub page, where we have some of these parameters that you can add to your script.

Now that we have the file ready, we can install the agent using one of two methods. The first is the agent installation wizard. Here you will select the “Advanced” install and then select advanced installation option 1, “Specify a configuration script file to execute immediately after the Agent is installed.” Browse to the path where you have your script, and then click Next to finish the installation. The second option is through the command line. Start an elevated command prompt window and then run the following command:

msiexec.exe /l*v WC_install.log /qb /i WinCollect-10.1.0-39.x64.msi INSTALLDIR="C:\Program Files\IBM\WinCollect\" WC_SCRIPT="C:\Users\testuser\Desktop\update_AgentwithTLSSyslog.xml"

Remember to change the path to where your script file is located on your system.
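Because TLS validation only succeeds when the name in the “Address” fields matches what is in the certificate, it is worth checking that before installing. The PowerShell below is an added example, not part of the WinCollect project or this post; it assumes you have copied syslog-tls.cert to the Windows machine, and the hostname, script path and MSI name are placeholders to replace with your own.

```powershell
# Added example (not WinCollect's own code). Checks that the hostname you
# plan to put in the "Address" fields appears in the QRadar TLS certificate
# and that the certificate is currently valid, then runs the msiexec install
# from the post with the configuration script.
param(
    [string]$CertPath   = "C:\Users\testuser\Desktop\syslog-tls.cert",        # copied from QRadar
    [string]$QRadarHost = "qradar.example.com",                                # placeholder hostname
    [string]$ScriptPath = "C:\Users\testuser\Desktop\update_AgentwithTLSSyslog.xml",
    [string]$MsiPath    = "WinCollect-10.1.0-39.x64.msi"
)

# X509Certificate2 loads a PEM ("BEGIN CERTIFICATE" ... "END CERTIFICATE") file directly.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Collect every name the certificate is valid for: the Subject CN plus any
# DNS names / IP addresses in the Subject Alternative Name extension (OID 2.5.29.17).
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += [regex]::Matches($san.Format($false), '(?:DNS Name|IP Address)=([^,\s]+)') |
              ForEach-Object { $_.Groups[1].Value }
}

# Refuse to continue on an expired or not-yet-valid certificate.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not currently valid (NotBefore $($cert.NotBefore), NotAfter $($cert.NotAfter))"
}

# The Address fields must use one of these names, otherwise TLS validation fails.
if ($names -notcontains $QRadarHost) {
    throw "'$QRadarHost' is not in the certificate. Names present: $($names -join ', ')"
}
Write-Host "OK: '$QRadarHost' matches certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"

# Same msiexec command as in the post, run from an elevated PowerShell session.
$msiArgs = @('/l*v', 'WC_install.log', '/qb', '/i', $MsiPath,
             'INSTALLDIR="C:\Program Files\IBM\WinCollect\"',
             "WC_SCRIPT=`"$ScriptPath`"")
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with code $($proc.ExitCode); see WC_install.log"
}
```

The names check covers the Subject CN and SAN entries, so it also works for a CA-signed certificate that lists several hostnames.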

After running either of these two options, your agent is configured to use TLS syslog to send your events to your QRadar deployment.

If you liked this and would like to see some other examples, please reach out and let us know.
