Communication between WinCollect agents and QRadar

Open ports are required for data communication between WinCollect agents and the QRadar® host, and between WinCollect agents and the hosts that they remotely poll.

WinCollect agent communication to QRadar Console and Event Collectors

All WinCollect agents communicate with the QRadar Console and Event Collectors to forward events to QRadar and request updated information. Managed WinCollect agents also request and receive updated code and configuration changes. You must ensure firewalls that are between the QRadar Event Collectors and your WinCollect agents allow traffic on the following ports:

Port 8413
This port is used for managing the WinCollect agents to request and receive code and configuration updates. Traffic is always initiated from the WinCollect agent, and is sent over TCP. Communication is encrypted by using the QRadar Console's public key and the ConfigurationServer.PEM file on the agent.

Create a bidirectional rule that allows communication between the WinCollect agent and QRadar on port 8413. If the rule is not bidirectional, traffic is blocked, because the replies to the agent's requests must be able to return. QRadar does not initiate connections to the WinCollect agent on port 8413; code and configuration updates are returned only in response to requests that the agent makes.

Port 514
This port is used by the WinCollect agent to forward syslog events to QRadar. You can configure WinCollect log sources to provide events by using TCP or UDP. You can decide which transmission protocol to use for each WinCollect log source. Port 514 traffic is always initiated from the WinCollect agent.
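The two ports above are always opened from the agent side, so the first thing to verify on an agent host is that the Console or Event Collector is reachable on them. The following PowerShell is an added example, not IBM's or the WinCollect installer's code: it probes 8413/TCP and 514/TCP from the agent host and, for hosts where Windows Defender Firewall enforces outbound filtering, adds outbound allow rules scoped to the QRadar address. The `$QRadarHost` and `$QRadarIP` values are placeholders, and the rule names are chosen here, not taken from the product.

```powershell
# Added example (not IBM/WinCollect code). Run on the WinCollect agent host.
# Placeholders: replace with the address of your QRadar Console / Event Collector.
$QRadarHost = 'qradar.example.internal'   # placeholder host name for the TCP probe
$QRadarIP   = '192.0.2.10'                # placeholder address for the firewall rule scope

# 1. Probe the agent-initiated TCP ports: 8413 (management) and 514 (syslog over TCP).
#    Test-NetConnection only tests TCP; a UDP 514 log source cannot be validated this way.
foreach ($port in 8413, 514) {
    $r = Test-NetConnection -ComputerName $QRadarHost -Port $port -WarningAction SilentlyContinue
    '{0}:{1}/TCP reachable = {2}' -f $QRadarHost, $port, $r.TcpTestSucceeded
}

# 2. Outbound rules for the agent, scoped to the QRadar address only.
#    Windows Firewall is stateful, so the return traffic of these agent-initiated
#    connections is allowed automatically; the "bidirectional" requirement in the
#    page applies to network firewalls between the agent and QRadar.
New-NetFirewallRule -DisplayName 'WinCollect to QRadar 8413/TCP' `
    -Direction Outbound -Protocol TCP -RemotePort 8413 `
    -RemoteAddress $QRadarIP -Action Allow -Profile Domain

New-NetFirewallRule -DisplayName 'WinCollect to QRadar 514/TCP' `
    -Direction Outbound -Protocol TCP -RemotePort 514 `
    -RemoteAddress $QRadarIP -Action Allow -Profile Domain

# Only needed for log sources configured to send syslog over UDP.
New-NetFirewallRule -DisplayName 'WinCollect to QRadar 514/UDP' `
    -Direction Outbound -Protocol UDP -RemotePort 514 `
    -RemoteAddress $QRadarIP -Action Allow -Profile Domain

# 3. Confirm what was created.
Get-NetFirewallRule -DisplayName 'WinCollect to QRadar*' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort
```

Scoping the rules to `-RemoteAddress $QRadarIP` keeps the agent from being able to talk to arbitrary hosts on these ports; the `-Profile Domain` value assumes the agent host is domain-joined and should be widened only if it is not.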

WinCollect agents remotely polling Windows event sources

WinCollect agents that remotely poll other Windows operating systems require extra ports to be open. These ports need to be open on the WinCollect agent computer and the computer(s) that are remotely polled, but not on your QRadar appliances. The following table describes the ports that are used.

Table 1. Port usage for WinCollect remote polling

Port            Protocol   Usage
135             TCP        Microsoft Endpoint Mapper
137             UDP        NetBIOS name service
138             UDP        NetBIOS datagram service
139             TCP        NetBIOS session service
445             TCP        Microsoft Directory Services for file transfers that use Windows share
49152 – 65535   TCP        Default dynamic port range for TCP/IP
                           Note: Exchange servers are configured for a port range of 6005 – 58321 by default.

The MSEVEN protocol uses port 445. The NetBIOS ports (137 - 139) can be used for host name resolution. When the WinCollect agent polls a remote event log by using MSEVEN6, the initial communication with the remote machine occurs on port 135 (the RPC endpoint mapper), which assigns the connection to a dynamic port. The default range for dynamic ports is port 49152 to port 65535, but it might differ depending on the server type. For example, Exchange servers are configured for a port range of 6005 – 58321 by default.

To allow traffic on these dynamic ports, enable the following two inbound rules on the Windows server that is being polled:
  • Remote Event Log Management (RPC)
  • Remote Event Log Management (RPC-EPMAP)
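The following PowerShell, run on a Windows host that a WinCollect agent polls remotely, is an added example and not IBM's or Microsoft's code. It enables the two predefined inbound rules named above, reads back which ports they open, shows the host's actual dynamic TCP port range (which is how you catch the Exchange-style non-default range the page mentions instead of assuming 49152 - 65535), and adds rules for the Table 1 ports, all restricted to the agent's address. `$AgentIP` is a placeholder, and the rule display names for the new rules are chosen here, not taken from the product.

```powershell
# Added example (not IBM/WinCollect code). Run as an administrator on the polled Windows host.
$AgentIP = '192.0.2.20'   # placeholder: address of the WinCollect agent that polls this host

# 1. Enable the two predefined inbound rules the page names. Both belong to the
#    built-in "Remote Event Log Management" display group.
$ruleNames = 'Remote Event Log Management (RPC)',
             'Remote Event Log Management (RPC-EPMAP)'
Enable-NetFirewallRule -DisplayName $ruleNames

# Restrict them to the polling agent only (least privilege: the predefined rules
# otherwise accept any remote address).
Set-NetFirewallRule -DisplayName $ruleNames -RemoteAddress $AgentIP

# 2. Read back what those rules actually open: 135/TCP for the endpoint mapper
#    and "RPC" (the dynamic range) for the event log service itself.
Get-NetFirewallRule -DisplayName $ruleNames |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# 3. Show the dynamic TCP range the endpoint mapper hands out on this host.
#    The page's 49152 - 65535 is only the default; Exchange hosts differ, so read
#    the real value before writing rules on any intermediate network firewall.
Get-NetTCPSetting |
    Select-Object SettingName, DynamicPortRangeStartPort, DynamicPortRangeNumberOfPorts

# 4. Table 1 ports for MSEVEN (445) and NetBIOS name resolution, scoped to the agent.
New-NetFirewallRule -DisplayName 'WinCollect polling TCP (135,139,445)' `
    -Direction Inbound -Protocol TCP -LocalPort 135, 139, 445 `
    -RemoteAddress $AgentIP -Action Allow -Profile Domain

New-NetFirewallRule -DisplayName 'WinCollect polling UDP (137,138)' `
    -Direction Inbound -Protocol UDP -LocalPort 137, 138 `
    -RemoteAddress $AgentIP -Action Allow -Profile Domain

# 5. Final check: list every inbound rule that now admits the agent's address.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains $AgentIP } |
    Select-Object DisplayName, Profile
```

Step 3 is the part worth keeping in a runbook: if a network firewall sits between the agent and the polled host, its allow range must match what `Get-NetTCPSetting` reports on that host, not the documented default.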
Important: To limit the number of events that are sent to QRadar, administrators can use exclusion filters for an event based on the EventID or Process. For more information about WinCollect filtering, see WinCollect Event Filtering (http://www.ibm.com/support/docview.wss?uid=swg21672656).