MSRPC parameters on Windows hosts

To enable communication between your Windows host and IBM® QRadar® over MSRPC, configure the Remote Procedure Calls (RPC) settings on the Windows host for the Microsoft Remote Procedure Calls (MSRPC) protocol.

You must be a member of the administrators group to enable communication over MSRPC between your Windows host and the QRadar appliance.

Based on performance tests on an IBM QRadar Event Processor 1628 appliance with 128 GB of RAM and 40 cores (Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80 GHz), a rate of 8500 events per second (EPS) was achieved while the appliance simultaneously received and processed logs from other, non-Windows systems. The log source limit is 500.
Manufacturer: Microsoft

Protocol type: The operating-system-dependent type of the remote procedure protocol that is used to collect events. Select one of the following options from the Protocol Type list:
  • MS-EVEN6: The default protocol type for new log sources. QRadar uses it to communicate with Windows Vista, Windows Server 2008, and later.
  • MS-EVEN (for Windows XP/2003): QRadar uses it to communicate with Windows XP and Windows Server 2003. Windows XP and Windows Server 2003 are not supported by Microsoft, so this option might not be successful.
  • auto-detect (for legacy configurations): Earlier log source configurations for the Microsoft Windows Security Event Log DSM use this protocol type. Upgrade such log sources to the MS-EVEN6 or the MS-EVEN (for Windows XP/2003) protocol type.

Supported versions:
  • Windows Server 2022 (including Core): WinCollect v10.1.2 and above
  • Windows Server 2019 (including Core)
  • Windows Server 2016 (including Core)
  • Windows Server 2012 (including Core)
  • Windows 11: WinCollect v10.1.2 and above
  • Windows 10

Intended application: Agentless event collection for Windows operating systems that can support 100 EPS per log source.

Maximum number of supported log sources: 500 MSRPC protocol log sources for each managed host (16xx or 18xx appliance)

Maximum overall EPS rate of MSRPC: 8500 EPS for each managed host

Special features: Supports encrypted events by default.

Required permissions: The log source user must be a member of the Event Log Readers group. If this group is not configured, domain admin privileges are required in most cases to poll a Windows event log across a domain. In some cases, the Backup Operators group can also be used, depending on how Microsoft Group Policy Objects are configured.
Windows XP and 2003 operating system users require read access to the following registry keys:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

Supported event types:
  • Application
  • System
  • Security
  • DNS Server
  • File Replication
  • Directory Service logs

Windows service requirements:
For Windows Server 2008 and Windows Vista, the following services must be running:
  • Remote Procedure Call (RPC)
  • RPC Endpoint Mapper
For Windows 2003, the Remote Registry and Server services must be running.

Windows port requirements: Ensure that external firewalls between the Windows host and the QRadar appliance allow incoming and outgoing TCP connections on the following ports:
For Windows Server 2008 and Windows Vista:
  • TCP port 135
  • The TCP port that is dynamically allocated for RPC, above 49152
For Windows 2003:
  • TCP port 445
  • TCP port 139
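The permission, service, and port prerequisites listed above can be checked on the Windows host before the log source is created. The following PowerShell script is an added example; it is not part of the IBM documentation or of the QRadar product. It assumes a Windows Server 2016 or later host, an elevated session, English netsh output, and placeholder values for the collector address (192.0.2.10) and the log source account (EXAMPLE\svc-qradar). It checks the two services, Event Log Readers membership, and the dynamic RPC port range, and optionally creates inbound firewall rules for TCP 135 and the dynamic range that are scoped to the QRadar collector address only, rather than opening those ports to every remote address.

```powershell
# Added example, not from the IBM QRadar documentation. Verifies the MSRPC
# collection prerequisites on a Windows Server 2016+ host (Get-LocalGroupMember
# needs PowerShell 5.1). Run from an elevated session on the Windows host.
function Test-QRadarMsrpcReadiness {
    param(
        # Placeholder values, not from the page: replace with your own.
        [string]$QRadarCollector = '192.0.2.10',         # QRadar managed host (TEST-NET-1 example address)
        [string]$LogSourceUser   = 'EXAMPLE\svc-qradar', # account configured on the QRadar log source
        [switch]$CreateFirewallRules                     # create scoped inbound rules if they are missing
    )

    $ready = $true

    # 1. Services named in the table for Windows Server 2008 / Vista and later:
    #    Remote Procedure Call (RpcSs) and RPC Endpoint Mapper (RpcEptMapper).
    foreach ($name in 'RpcSs', 'RpcEptMapper') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc -or $svc.Status -ne 'Running') {
            Write-Warning "Service $name is not running"
            $ready = $false
        } else {
            Write-Host "OK   service $name is running"
        }
    }

    # 2. Least privilege: the log source user should be in Event Log Readers,
    #    which is enough to poll the event logs without Domain Admins rights.
    #    (On a domain controller the group is a domain group; check it with
    #    Get-ADGroupMember instead.)
    $members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
    if ($members -and ($members.Name -contains $LogSourceUser)) {
        Write-Host "OK   $LogSourceUser is a member of Event Log Readers"
    } else {
        Write-Warning "$LogSourceUser is not a member of Event Log Readers"
        $ready = $false
    }

    # 3. The table expects the dynamically allocated RPC port to be above 49152.
    #    Read the configured TCP dynamic range from netsh (English output assumed).
    $out     = netsh int ipv4 show dynamicport tcp
    $mStart  = $out | Select-String 'Start Port\s*:\s*(\d+)'
    $mCount  = $out | Select-String 'Number of Ports\s*:\s*(\d+)'
    if (-not $mStart -or -not $mCount) {
        Write-Warning 'Could not parse the netsh dynamic port output'
        return $false
    }
    $start = [int]$mStart.Matches[0].Groups[1].Value
    $end   = $start + [int]$mCount.Matches[0].Groups[1].Value - 1
    if ($start -lt 49152) {
        Write-Warning "Dynamic RPC range starts at $start; the table expects ports above 49152"
        $ready = $false
    } else {
        Write-Host "OK   dynamic RPC range is $start-$end"
    }

    # 4. Firewall: inbound TCP 135 (endpoint mapper) and the dynamic range,
    #    allowed only from the QRadar collector, not from any remote address.
    if ($CreateFirewallRules) {
        $rules = @{
            'QRadar MSRPC endpoint mapper' = '135'
            'QRadar MSRPC dynamic ports'   = "$start-$end"
        }
        foreach ($display in $rules.Keys) {
            if (-not (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $display -Direction Inbound -Protocol TCP `
                    -LocalPort $rules[$display] -RemoteAddress $QRadarCollector -Action Allow | Out-Null
                Write-Host "OK   created rule '$display' scoped to $QRadarCollector"
            }
        }
    }

    return $ready
}

# Usage with the placeholder values: run the checks and create the scoped rules if needed.
Test-QRadarMsrpcReadiness -QRadarCollector '192.0.2.10' -LogSourceUser 'EXAMPLE\svc-qradar' -CreateFirewallRules
```

The function returns $true only when every check passes, so it can be used as a gate in a build or deployment pipeline. Scoping the rules with -RemoteAddress is the important design choice: TCP 135 and the dynamic RPC range expose the endpoint mapper and every RPC interface on the host, so they should be reachable from the QRadar collector alone.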
Automatically discovered? No

Includes identity? Yes

Includes custom properties? A security content pack with Windows custom event properties is available on IBM Fix Central.

Required RPM files:
  • PROTOCOL-WindowsEventRPC-QRadar_release-Build_number.noarch.rpm
  • DSM-MicrosoftWindows-QRadar_release-Build_number.noarch.rpm
  • DSM-DSMCommon-QRadar_release-Build_number.noarch.rpm

More information: Microsoft support (http://support.microsoft.com/)

Troubleshooting tool available: The MSRPC test tool is part of the MSRPC protocol RPM. After you install the MSRPC protocol RPM, the MSRPC test tool is in /opt/qradar/jars.