Microsoft Windows Security Event Log

The IBM QRadar DSM for Microsoft Windows Security Event Log accepts syslog events from Microsoft Windows systems. All events, including Sysmon and winlogbeats.json, are supported.

Important: Support for the Windows Event Log protocols ended on 31 October 2022. To continue collecting Windows Event Log events, you must select a new protocol type from the list of supported protocols. For more information about the end of support, see QRadar: End of life announcement for WMI-based Microsoft Windows Security Event Log protocols (31 Oct 2022) (https://www.ibm.com/support/pages/node/6616223).

For event collection from Microsoft operating systems, QRadar supports the following protocols:

Syslog (Intended for Snare, BalaBit, and other third-party Windows solutions).
Forwarded. For more information, see Forwarded protocol configuration options.
TLS Syslog. For more information, see TLS Syslog protocol configuration options.
TCP Multiline Syslog. For more information, see TCP Multiline Syslog protocol configuration options.
MSRPC (Microsoft Security Event Log over MSRPC). For more information, see Microsoft Security Event Log over MSRPC protocol.
WinCollect. See the IBM QRadar WinCollect User Guide.
WinCollect NetApp Data ONTAP. See the IBM QRadar WinCollect User Guide.
Amazon Web Services protocol from AWS CloudWatch. For more information, see Amazon Web Services protocol configuration options and How do I upload my Windows logs to CloudWatch? (https://aws.amazon.com/premiumsupport/knowledge-center/cloudwatch-upload-windows-logs/).
Microsoft Azure Event Hubs. For more information, see Microsoft Azure Event Hubs protocol configuration options and Install and configure Windows Azure diagnostics extension (WAD) - Azure Monitor (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostics-extension-windows-install).
Ensure that you have an Azure storage account and an Azure event hub.
1. Optional: Create a storage account. For more information, see Create a storage account (https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal).
  Important: You must have a storage account to connect to an event hub. For more information, see Microsoft Azure Event Hubs protocol FAQ.
2. Optional: Create an event hub. For more information, see Quickstart: Create an event hub using Azure portal (https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-create).