Greetings WinCollect Users!

Today I want to highlight, and hopefully bring some clarity to, one of our most requested enhancements: the ability to manually configure the polling start time for Windows events.

Everyone on the WinCollect team knows that our users and use cases span a wide range, from people who want a simple service that forwards a single log source to power users who push the application beyond what we envisioned. So it would not surprise us if some of our more knowledgeable users have been using this feature since release, but many will be surprised to hear that it already exists in WinCollect: you get it simply by adding an XPath source. What do I mean by that? To begin, here are some knowledge articles on XPaths and their use in WinCollect to give you an idea of where I'm going with this:

XPaths in WinCollect 10
How to use Microsoft Event Viewer to create an XPath Query
How to Use XPath Queries with WinCollect to Suppress Specific Events

Hopefully that gives you a sense of the power of XPaths, which is certainly not limited to the specific use case I'm going to use as an example.

A forensic investigator would like to re-send two-day-old System events to their QRadar deployment.

To accomplish this, the forensic investigator creates an XPath query that selects System events created within the last two days, adds that query as an XPath source, and sends it to a destination as they normally would. That's it!
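Before configuring the WinCollect source, it is worth building the query and dry-running it on the Windows host with the same filter XML that Event Viewer's "Filter Current Log" dialog produces. The PowerShell below is an added example and is not code from the original post or from the WinCollect product; the log name, the window length, and the parameter names are assumptions chosen for the two-day System-log case, and the script generalizes them so the same check works for any channel and lookback period.

```powershell
# Added example (not from the original post or from WinCollect): build and dry-run
# the XPath query a WinCollect XPath source would use to re-send recent events.
# $Days and $LogName are assumptions for the "two-day-old System events" case.
param(
    [int]$Days = 2,
    [string]$LogName = 'System'
)

# timediff() is evaluated against the current time and works in milliseconds,
# so a two-day window is 2 * 24 * 60 * 60 * 1000 = 172800000 ms.
$windowMs = $Days * 24 * 60 * 60 * 1000

# Same shape Event Viewer emits on its XML tab. Inside the XML the '<' of '<='
# must be escaped as '&lt;' or the document is not well-formed.
$queryXml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]</Select>
  </Query>
</QueryList>
"@

Write-Host "XPath query to use for the WinCollect XPath source:`n$queryXml"

# Dry run with the exact XML. Get-WinEvent raises a non-terminating error when
# nothing matches, so suppress it and test the result explicitly.
$events = @(Get-WinEvent -FilterXml ([xml]$queryXml) -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning "No $LogName events in the last $Days day(s); WinCollect would report 'no events' for this source."
    return
}

$sorted = $events | Sort-Object TimeCreated
$oldest = $sorted[0].TimeCreated
$newest = $sorted[-1].TimeCreated
"Matched $($events.Count) event(s) from $oldest to $newest"

# Sanity check on the window: nothing older than the requested lookback should appear.
if ($oldest -lt (Get-Date).AddDays(-$Days)) {
    Write-Warning 'Oldest event predates the requested window; check the timediff value.'
}
```

Run it as an administrator on the host WinCollect is collecting from; the event count and time range it prints are what you should expect to see arrive in QRadar once the source is added. Because the source re-sends everything the query matches, regardless of whether those events were already forwarded, expect duplicates of any events that were collected earlier.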

To confirm that the source has finished, look in the Log Viewer for log lines similar to the ones below. The source name depends on the name you gave the source (in our example it is 'XPath'), and the DEBUG line is only visible when the DEBUG log level is turned on.

DEBUG Device.Source.Local.XPath : no events
INFO Device.Source.Worker.2 Done working on Source//Local//XPath

You would then get the expected events in QRadar, just as if you had run the query in Event Viewer. For this particular use case, the XPath source can be removed once all of the events have been sent and received in QRadar.

Here is an example of what it would look like in the UI:

Are there any other tips and tricks or other amazing things you’ve done with XPaths in WinCollect? The team would love to hear from our users. Let us know in the comments.
