Overview

When you install the WinCollect Agent, you can configure the Agent to collect Windows event logs. This can be configured using the GUI installer or the command-line installation option. As part of this configuration you need to tell the Agent where to send the events it has collected. The process is different for Managed and Stand-Alone WinCollect.

Managed WinCollect

If you want to configure a QRadar “Log Source” as part of the Managed WinCollect Agent installation, the most important prerequisite is to create a Destination in QRadar. Without a pre-configured destination, the Agent will register, but an associated log source will not be created.

QRadar Procedure
1. Click the Admin tab.
2. On the navigation menu, click Data Sources.
3. Click the WinCollect icon.
4. Click Destinations and then click Add.
5. Configure the parameters. (see WinCollect user guide).

The most important parameter to keep track of when you install is the Name.

This is the value that you will use for “Component1.Destination.Name” on the command line, or for Target Destination in the UI installer.

If you use the command line, the destination name is set with Component1.Destination.Name; in the following example it is set to “EP”:

c:\wincollect-7.2.9-72.x64.exe /s /v"/qn AUTHTOKEN=304f1ec9-f9fd-465c-b1e2-5be0a487f431 STATUSSERVER=172.18.X.X HEARTBEAT_INTERVAL=123456 LOG_MONITOR_SOCKET_TYPE=TCP FULLCONSOLEADDRESS=172.18.X.X LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=%COMPUTERNAME%&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Destination.Name=EP&Component1.Log.Security=true&Component1.EventLogPollProtocol=MSEVEN6&Component1.Log.System=true&Component1.CoalesceEvents=true&Component1.StoreEventPayload=true&Component1.Log.Application=true&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=3000&Component1.EventRateTuningProfile=High+Event+Rate+Server"""

Stand-Alone WinCollect

For Stand-Alone installs the Agent is no longer dependent on QRadar, therefore you DO NOT need to create a destination in QRadar. The Component1.Destination.Name can be named anything you want, but you will need to add the Destination Hostname (Component1.Dest.Hostname=172.18.X.X), the Port to use (Component1.Dest.Port=514), and the transmission protocol (Component1.Dest.Protocol=TCP).

In the following example the events are sent to 172.18.X.X on port 514 over TCP:

c:\wincollect-7.2.9-72.x64.exe /s /v"/qn STATUSSERVER=172.18.X.X LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=EventLogLocal&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Dest.Name=QRadar&Component1.Dest.Hostname=172.18.X.X&Component1.Dest.Port=514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=true&Component1.Log.ForwardedEvents=false&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=3000&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1825&Component1.EventRateTuningProfile=High+Event+Rate+Server"""
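The two command lines above are easy to get wrong by hand: the Component1.* settings have to be joined with "&", spaces in keys and values have to be written as "+", and the whole list has to sit inside doubled quotes within the /v"..." block. The following PowerShell is an added example (not IBM's code and not part of the original article) that builds that argument string from an ordered hashtable, checks that the destination settings required for the chosen mode (Managed: Component1.Destination.Name plus AUTHTOKEN; Stand-Alone: Component1.Dest.Name, Dest.Hostname, Dest.Port and Dest.Protocol) are present before anything is run, and then launches the installer. The function names are assumptions, the installer path, addresses and token are placeholders taken from the article's examples, and only installer properties that appear in the article are used.

```powershell
# Added example: assemble and validate a WinCollect silent-install command line.

function ConvertTo-WinCollectParamString {
    # Joins key=value pairs with '&' and encodes spaces as '+', matching the article's
    # examples (e.g. "High Event Rate Server" -> "High+Event+Rate+Server").
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Params)
    $pairs = foreach ($key in $Params.Keys) {
        $value = [string]$Params[$key]
        # PowerShell booleans stringify as True/False; the Component1 settings use lower case.
        if ($value -eq 'True' -or $value -eq 'False') { $value = $value.ToLower() }
        '{0}={1}' -f ($key -replace ' ', '+'), ($value -replace ' ', '+')
    }
    return ($pairs -join '&')
}

function Test-WinCollectDestination {
    # Returns the names of destination settings that are missing for the given mode.
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Params,
        [Parameter(Mandatory)][ValidateSet('Managed', 'StandAlone')][string]$Mode
    )
    $required = if ($Mode -eq 'Managed') {
        # Managed: the destination already exists in QRadar and is referenced by name only.
        @('Component1.Destination.Name')
    } else {
        # Stand-Alone: the Agent needs the full target, as in the article's second example.
        @('Component1.Dest.Name', 'Component1.Dest.Hostname', 'Component1.Dest.Port', 'Component1.Dest.Protocol')
    }
    return @($required | Where-Object { -not $Params[$_] })
}

function New-WinCollectInstallArguments {
    # Builds everything after the installer path: /s /v"/qn <MSI properties>".
    param(
        [Parameter(Mandatory)][ValidateSet('Managed', 'StandAlone')][string]$Mode,
        [Parameter(Mandatory)][string]$StatusServer,
        [string]$ConsoleAddress = $StatusServer,   # FULLCONSOLEADDRESS, Managed only
        [string]$AuthToken,                        # AUTHTOKEN, Managed only
        [Parameter(Mandatory)][System.Collections.IDictionary]$Component1
    )
    $missing = Test-WinCollectDestination -Params $Component1 -Mode $Mode
    if ($missing.Count -gt 0) {
        throw "Missing destination settings for a $Mode install: $($missing -join ', ')"
    }
    if ($Mode -eq 'Managed' -and -not $AuthToken) {
        throw 'A Managed install requires AUTHTOKEN (a QRadar authorized service token)'
    }

    $msiProps = @("STATUSSERVER=$StatusServer")
    if ($Mode -eq 'Managed') {
        $msiProps += "AUTHTOKEN=$AuthToken"
        $msiProps += "FULLCONSOLEADDRESS=$ConsoleAddress"
    }
    $msiProps += 'LOG_SOURCE_AUTO_CREATION_ENABLED=True'
    # The parameter list is wrapped in doubled quotes so msiexec receives it as one value.
    $msiProps += 'LOG_SOURCE_AUTO_CREATION_PARAMETERS=""{0}""' -f (ConvertTo-WinCollectParamString -Params $Component1)

    return ('/s /v"/qn {0}"' -f ($msiProps -join ' '))
}

# Usage with constructed values (placeholders from the article; replace before use).
# Keys may contain spaces; they are encoded as '+' exactly like the article's
# Component1.Log.DNS+Server and Component1.Log.Directory+Service.
$standAlone = [ordered]@{
    'Component1.AgentDevice'             = 'DeviceWindowsLog'
    'Component1.Action'                  = 'create'
    'Component1.LogSourceName'           = 'EventLogLocal'
    'Component1.LogSourceIdentifier'     = '%COMPUTERNAME%'
    'Component1.Dest.Name'               = 'QRadar'
    'Component1.Dest.Hostname'           = '172.18.X.X'
    'Component1.Dest.Port'               = 514
    'Component1.Dest.Protocol'           = 'TCP'
    'Component1.Log.Security'            = $true
    'Component1.Log.System'              = $true
    'Component1.Log.Application'         = $true
    'Component1.Log.DNS Server'          = $false
    'Component1.Log.Directory Service'   = $false
    'Component1.EventRateTuningProfile'  = 'High Event Rate Server'
}

$installer = 'c:\wincollect-7.2.9-72.x64.exe'
$arguments = New-WinCollectInstallArguments -Mode StandAlone -StatusServer '172.18.X.X' -Component1 $standAlone
Write-Output "$installer $arguments"

# For a Managed install, pass -Mode Managed, -AuthToken (read it from a prompt or a
# secret store rather than hard-coding it in a script that gets shared or committed),
# and a Component1 table containing 'Component1.Destination.Name' = '<QRadar destination name>'.

# Launch the installer with the argument string passed through unchanged, and fail
# loudly on a non-zero exit code so a broken parameter string is not silently ignored.
$proc = Start-Process -FilePath $installer -ArgumentList $arguments -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "WinCollect installer exited with code $($proc.ExitCode)" }
```

Run the validation step on its own (Test-WinCollectDestination) before rolling a command line out to many hosts: a Managed install whose Component1.Destination.Name does not match a destination that already exists in QRadar registers the Agent without creating a log source, exactly the failure mode described above, and the mismatch is cheaper to catch in the script than in the QRadar log source list afterwards.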
