IBM Support

QRadar®: How to enable Debug logging for WinCollect

How To


Summary

This article shows you how to enable debug level logging for WinCollect.

Objective

This document helps you troubleshoot WinCollect issues by enabling more granular Debug logging on your QRadar managed host. Debug logging is useful for issues with:
  • Agent registration
  • Log source creation (during the installation of the agent)
  • Agent configuration
  • Log source updating
  • Agent upgrading (Managed mode)

Steps

Every Windows® device, local or remote, can be put in debug. This can be done for the entire device or only for the specific channel or file on the device that you are troubleshooting. Debugging is enabled and configured by using the category entries in
C:\Program Files\IBM\WinCollect\config\logconfig.xml

If you are trying this for the first time, take a backup of the current logconfig.xml file so that you can revert to it if something goes wrong. Editing this file is fairly low impact: the worst-case scenario is that the WinCollect service simply won't start.

The parameters can be added to the logconfig.xml file for more specific debugging, while leaving the default parameters in the file set to INFO or InfoX.

NOTE: To find the exact logger names used below, first put the Device portion of WinCollect.log in debug to identify which part of your configuration is having issues:

<category name="Device" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>
Debugging in WinCollect 7.2.8x, 7.2.9x, and 7.3x can be done in real time. That is, you do not need to stop the agent service to edit the logconfig.xml file. Once you edit the debug levels, the agent picks up the changes and implements them within seconds of saving the file.
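As an added example (not IBM's code or part of this article), the Python helper below adds or updates such <category> entries in logconfig.xml the way the article describes: it backs the file up first, re-uses an existing category instead of duplicating it, and can set a logger back to INFO when the investigation is over. The log4j namespace on the root element and the minimal sample document are assumptions; a real logconfig.xml carries many more appenders and categories.

```python
"""Add or update DEBUG <category> entries in a WinCollect logconfig.xml.

Added example, not IBM's code. It assumes logconfig.xml is log4j-style XML
whose root holds <appender>, <category> and <root> elements; the sample
document below is constructed for the demo and is much shorter than a real one.
"""
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

DEFAULT_PATH = r"C:\Program Files\IBM\WinCollect\config\logconfig.xml"
APPENDERS = ("WinCollectLogs", "LogMonitor")  # the two appender-refs the article uses
LOG4J_NS = "http://jakarta.apache.org/log4j/"  # assumed namespace of the real file
ET.register_namespace("log4j", LOG4J_NS)
XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'

# Constructed minimal logconfig.xml (the real file has far more entries).
SAMPLE_LOGCONFIG = f"""{XML_DECL}<log4j:configuration xmlns:log4j="{LOG4J_NS}">
  <appender name="WinCollectLogs" class="org.apache.log4j.RollingFileAppender"/>
  <appender name="LogMonitor" class="org.apache.log4j.RollingFileAppender"/>
  <category name="Device" additivity="false">
    <priority value="INFO"/>
    <appender-ref ref="WinCollectLogs"/>
    <appender-ref ref="LogMonitor"/>
  </category>
  <root>
    <priority value="INFO"/>
    <appender-ref ref="WinCollectLogs"/>
  </root>
</log4j:configuration>
"""


def find_category(root, name):
    """Return the <category> element whose name attribute is `name`, or None."""
    for cat in root.findall("category"):
        if cat.get("name") == name:
            return cat
    return None


def set_category_level(root, name, level="DEBUG"):
    """Create or update the <category> for `name` so it logs at `level`.

    Idempotent: an existing category is updated in place, so applying the same
    logger twice never duplicates it. A new category is inserted before <root>
    (where the log4j DTD expects it) with the article's two appender-refs.
    """
    cat = find_category(root, name)
    if cat is None:
        cat = ET.Element("category", {"name": name, "additivity": "false"})
        ET.SubElement(cat, "priority", {"value": level})
        for ref in APPENDERS:
            ET.SubElement(cat, "appender-ref", {"ref": ref})
        children = list(root)
        idx = next((i for i, el in enumerate(children) if el.tag == "root"), len(children))
        root.insert(idx, cat)
    else:
        prio = cat.find("priority")
        if prio is None:
            prio = ET.SubElement(cat, "priority")
        prio.set("value", level)
    return cat


def set_levels(xml_text, loggers, level="DEBUG"):
    """Return new XML text with every logger in `loggers` set to `level`.

    Use level="INFO" (the article's default) to turn debug back down after the
    investigation; restoring the backup is the other exact way back.
    """
    root = ET.fromstring(xml_text)
    for name in loggers:
        set_category_level(root, name, level)
    if hasattr(ET, "indent"):  # Python 3.9+: keep the file readable
        ET.indent(root, space="  ")
    return XML_DECL + ET.tostring(root, encoding="unicode")


def category_levels(xml_text):
    """Map each <category> name to its priority value, for a quick audit."""
    levels = {}
    for cat in ET.fromstring(xml_text).findall("category"):
        prio = cat.find("priority")
        levels[cat.get("name")] = prio.get("value") if prio is not None else None
    return levels


def edit_logconfig(loggers, path=DEFAULT_PATH, level="DEBUG"):
    """Back up the live file first (the article's advice), then rewrite it.

    Per the article, agents 7.2.8x and later pick the change up within seconds
    of the save, so no service restart is needed.
    """
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    new_text = set_levels(path.read_text(encoding="utf-8"), loggers, level)
    path.write_text(new_text, encoding="utf-8")
```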

WinCollect 10

Enabling debug is vastly different in version 10.
  1. Click the cogwheel on the upper right in the WinCollect Console, then turn Advanced UI On. This setting reverts to Off when you exit the Console.
  2. Go back to the cogwheel, and select Log Configuration.
  3. From the drop-down menu, select DEBUG and click Save underneath. This setting does not revert when exiting the Console. You have to change it back to INFOX (default) manually.
  4. Go to the "hamburger" menu on the upper left, and select Log Viewer.
  5. Now you can see more granular output on how the agent is processing, reading, and sending events.

Debugging Local Device Logs

Channels or files that exist on the Windows computer where WinCollect is installed are considered local. You can put the agent in debug for those channels and files specifically, instead of for every channel and file that exists in the agentconfig.xml. The snippet below puts the entire localhost into debug, which means that every channel the agent is configured to pull logs from on the local computer prints in debug mode.

<category name="Device.WindowsLog.W2K8.localhost" additivity="false">
      <priority value ="DEBUG" />
      <appender-ref ref="WinCollectLogs"/>
      <appender-ref ref="LogMonitor"/>
</category>
The output from this type of debugging looks like this:
11-19 13:16:19.108 DEBUG Device.WindowsLog.W2K8.localhost.XPath : Returning 0 event payload results.
11-19 13:16:19.966 DEBUG Device.WindowsLog.W2K8.localhost.Application : No events
11-19 13:16:20.621 DEBUG Device.WindowsLog.W2K8.localhost.Security : No events
11-19 13:16:21.370 DEBUG Device.WindowsLog.W2K8.localhost.System : No events
  • Individual channel debugging: change the logger name above to the channel (for example, Device.WindowsLog.W2K8.localhost.Security).
  • The log source identifier determines the logger name for a channel. For example, Device.WindowsLog.W2K8.PC20100.Security is what you would put in debug to debug the Security channel of the computer with the hostname PC20100.
You can also put the Device.WindowsLog.WindowsLogDeviceReaderPool in debug:

<category name="Device.WindowsLog.WindowsLogDeviceReaderPool" additivity="false">
      <priority value ="DEBUG" />
      <appender-ref ref="WinCollectLogs"/>
      <appender-ref ref="LogMonitor"/>
</category>
This shows you several things including:
  • The local or remote channels that are being polled and how often
  • A mapping of query ID to actual channels being polled
  • Any filters that are applied to any channels
  • Whether or not any logs have been written to disk
  • When events are received from a channel
  • When events are forwarded to a destination
  • When threads are shut down by an agent shut down
  • When the agent closes RPC sessions during an agent shut down
  • When the device code itself shuts down
The output from this type of debugging contains entries like these:
11-20 10:21:30.640 INFO  Device.WindowsLog.WindowsLogDeviceReaderPool : Monitoring Windows Log Application on 10.10.10.10 every 3000 msecs
11-20 10:21:30.640 INFO  Device.WindowsLog.WindowsLogDeviceReaderPool : Monitoring Windows Log ForwardedEvents on 10.10.10.10 every 3000 msecs
11-20 10:21:30.640 INFO  Device.WindowsLog.WindowsLogDeviceReaderPool : Monitoring Windows Log Security on 10.10.10.10 every 3000 msecs
11-20 10:21:30.640 INFO  Device.WindowsLog.WindowsLogDeviceReaderPool : Monitoring Windows Log System on 10.10.10.10 every 3000 msecs
11-20 10:21:30.641 INFO  Device.WindowsLog.WindowsLogDeviceReaderPool : Setup filter Security: (1100,1102,4624-4625,4634,4648,4657,4672,4688-4689,4704,4706,4713-4714,4716,4719-4720,4722,4725-4726,4728,4731-4733,4735,4740,4756,4765-4767,4769,4776,4778-4779,4781-4782,4793,4870,4873-4874,4880-4882,4885-4888,4890-4892,4896-4900,5038,5136-5142,5144-5145,5376-5377,5632,6272-6281)
11-20 10:21:30.646 INFO  Device.WindowsLog.WindowsLogDeviceReaderPool : Monitoring Windows Log Security on 10.10.10.11 every 8000 msecs
11-20 10:21:36.588 DEBUG Device.WindowsLog.WindowsLogDeviceReaderPool : Received Win2K8 9 events from query 1
11-20 10:21:53.086 DEBUG Device.WindowsLog.WindowsLogDeviceReaderPool : Received Win2K8 7 events from query 2
11-20 10:21:53.450 DEBUG Device.WindowsLog.WindowsLogDeviceReaderPool : Received Win2K8 12 events from query 5
11-20 10:21:53.884 DEBUG Device.WindowsLog.WindowsLogDeviceReaderPool : Received Win2K8 2 events from query 3
11-20 10:22:16.178 DEBUG Device.WindowsLog.WindowsLogDeviceReaderPool : Backlog check: 5 threads, 0 msgs in the Q, 20 samples, slope   0.000, disposition 0 => too many
11-20 10:21:38.132 INFO  Device.WindowsLog.WindowsLogDeviceReaderPool.x10BC : Leaving thread
11-20 10:21:38.132 DEBUG Device.WindowsLog.WindowsLogDeviceReaderPool : Cancelling all of the acquisitions...
11-20 10:21:38.132 DEBUG Device.WindowsLog.WindowsLogDeviceReaderPool : Telling all of the threads to shutdown...
11-20 10:21:38.132 DEBUG Device.WindowsLog.WindowsLogDeviceReaderPool : Closing our outstanding RPC sessions...
11-20 10:21:38.132 INFO  Device.WindowsLog.WindowsLogDeviceReaderPool : Shut down
*Channel query numbers are mapped to the channels being queried. This mapping is found in the InfoX output:
11-20 10:21:30.642 InfoX Device.WindowsLog.WindowsLogDeviceReaderPool : Created standard query 1: <QueryList><Query Id="1" Path="Application"><Select Path="Application">*</Select></Query></QueryList>
11-20 10:21:30.643 InfoX Device.WindowsLog.WindowsLogDeviceReaderPool : Created standard query 2: <QueryList><Query Id="2" Path="Security"><Select Path="Security">*</Select></Query></QueryList>
11-20 10:21:30.643 InfoX Device.WindowsLog.WindowsLogDeviceReaderPool : Created standard query 3: <QueryList><Query Id="3" Path="System"><Select Path="System">*</Select></Query></QueryList>
11-20 10:21:30.658 InfoX Device.WindowsLog.WindowsLogDeviceReaderPool : Created standard query 5: <QueryList><Query Id="5" Path="Security"><Select Path="Security">*</Select></Query></QueryList>
 

Debugging a Remote Server

<category name="Device.WindowsLog.W2K8.10.10.10.10" additivity="false">       
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

Debugging a Remote (Server and) Channel

<category name="Device.WindowsLog.W2K8.10.10.10.10.Security" additivity="false">       
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>
The output from this type of debugging contains entries like these:
11-19 13:20:15.386 DEBUG Device.WindowsLog.W2K8.10.10.231.2.Security : Received 19 events
11-19 13:20:15.401 DEBUG Device.WindowsLog.W2K8.10.10.231.2.Security : Returning 19 event payload results.
 

Debugging a specific event (TRACE)

Add the TraceEventID parameter to the AgentConfig.xml file, under the Parameter line for the log whose record you want to confirm is being pulled, for example:
<Parameter value="true" name="Log.Security" />
<Parameter name="TraceEventID" value="4648"/>

You will see outputs like this:

11-22 07:42:15.884 DEBUG Device.WindowsLog.EventLog.STEVEN8.Security.Read : Reading records starting with rec# 2584535642 id: 4648
This will correspond to an event in the event viewer.
 

Debugging Bookmarks

WinCollect creates bookmarks under (C:\ProgramData\WinCollect\Data\PersistenceManager) for the four default channels in Event Viewer (Application, Security, Setup, System). These bookmarks and updates to them can also be put in debug. This is useful when a user suspects that not all their events are being read (coalescing is often the actual problem).
<category name="Device.WindowsLog.EventLogState.10.10.231.2" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

The output from this type of debugging contains entries like these:

11-19 13:02:00.231 DEBUG Device.WindowsLog.EventLogState.10.10.231.2.Security : PersistBookmark RecNo 1199640 Timestamp: 20181119.170146.082003000
11-19 13:02:07.396 DEBUG Device.WindowsLog.EventLogState.10.10.231.2.Security : PersistBookmark RecNo 1199649 Timestamp: 20181119.170152.27162500
11-19 13:02:15.388 DEBUG Device.WindowsLog.EventLogState.10.10.231.2.Security : PersistBookmark RecNo 1199650 Timestamp: 20181119.170202.600417000
When combined with the channel debugging discussed above, you can count the events read and compare them to the incremental bookmark updates.
11-19 13:19:59.396 DEBUG Device.WindowsLog.EventLogState.10.10.231.2.Security : PersistBookmark RecNo 1199820 Timestamp: 20181119.171946.291160000
11-19 13:19:59.396 DEBUG Device.WindowsLog.W2K8.10.10.231.2.Security : no more events
11-19 13:20:07.383 DEBUG Device.WindowsLog.W2K8.10.10.231.2.Security : No events
11-19 13:20:15.386 DEBUG Device.WindowsLog.W2K8.10.10.231.2.Security : Received 19 events
11-19 13:20:15.401 DEBUG Device.WindowsLog.W2K8.10.10.231.2.Security : Returning 19 event payload results.
11-19 13:20:15.401 DEBUG Device.WindowsLog.EventLogState.10.10.231.2.Security : PersistBookmark RecNo 1199839 Timestamp: 20181119.172002.887798000

Bookmark 1199820 plus 19 new events equal new bookmark 1199839.
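An added example (not from the article or from IBM) that automates two checks the article makes by eye: mapping query ids to channels from the InfoX "Created standard query" lines, and the bookmark arithmetic just shown (bookmark 1199820 plus 19 events equals 1199839). The sample lines are copied from this article's own output; the regexes assume the "MM-DD HH:MM:SS.mmm LEVEL logger : message" layout shown on this page, and a mismatch in the reconciliation is the signal to look at coalescing or other read problems.

```python
"""Cross-check WinCollect channel DEBUG lines against bookmark updates.

Added example, not part of IBM's article or of WinCollect. It parses the
log layout the article shows (MM-DD HH:MM:SS.mmm LEVEL logger : message) and
automates two checks the article does by eye: mapping query ids to channels,
and confirming that each bookmark RecNo jump matches the events the channel
read since the previous bookmark.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) +(?P<level>\w+) +(?P<logger>\S+) : (?P<msg>.*)$"
)
QUERY_RE = re.compile(r'Created standard query (?P<qid>\d+): .*?Path="(?P<channel>[^"]+)"')
RECV_Q_RE = re.compile(r"Received Win2K8 (?P<n>\d+) events from query (?P<qid>\d+)")
RECV_RE = re.compile(r"Received (?P<n>\d+) events")
BOOKMARK_RE = re.compile(r"PersistBookmark RecNo (?P<rec>\d+)")

# Sample input: lines taken from this article's debug output.
SAMPLE_LOG = """\
11-20 10:21:30.642 InfoX Device.WindowsLog.WindowsLogDeviceReaderPool : Created standard query 1: <QueryList><Query Id="1" Path="Application"><Select Path="Application">*</Select></Query></QueryList>
11-20 10:21:30.643 InfoX Device.WindowsLog.WindowsLogDeviceReaderPool : Created standard query 2: <QueryList><Query Id="2" Path="Security"><Select Path="Security">*</Select></Query></QueryList>
11-20 10:21:36.588 DEBUG Device.WindowsLog.WindowsLogDeviceReaderPool : Received Win2K8 9 events from query 1
11-20 10:21:53.086 DEBUG Device.WindowsLog.WindowsLogDeviceReaderPool : Received Win2K8 7 events from query 2
11-19 13:19:59.396 DEBUG Device.WindowsLog.EventLogState.10.10.231.2.Security : PersistBookmark RecNo 1199820 Timestamp: 20181119.171946.291160000
11-19 13:19:59.396 DEBUG Device.WindowsLog.W2K8.10.10.231.2.Security : no more events
11-19 13:20:07.383 DEBUG Device.WindowsLog.W2K8.10.10.231.2.Security : No events
11-19 13:20:15.386 DEBUG Device.WindowsLog.W2K8.10.10.231.2.Security : Received 19 events
11-19 13:20:15.401 DEBUG Device.WindowsLog.W2K8.10.10.231.2.Security : Returning 19 event payload results.
11-19 13:20:15.401 DEBUG Device.WindowsLog.EventLogState.10.10.231.2.Security : PersistBookmark RecNo 1199839 Timestamp: 20181119.172002.887798000
""".splitlines()


def parse(lines):
    """Yield (ts, level, logger, msg) for every line that matches the layout."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("level"), m.group("logger"), m.group("msg")


def query_channel_map(lines):
    """Map query id -> channel name from the InfoX 'Created standard query' lines."""
    mapping = {}
    for _, _, _, msg in parse(lines):
        m = QUERY_RE.search(msg)
        if m:
            mapping[int(m.group("qid"))] = m.group("channel")
    return mapping


def events_per_channel(lines):
    """Sum the reader pool's 'Received ... events from query N' counts per channel."""
    qmap = query_channel_map(lines)
    totals = defaultdict(int)
    for _, _, _, msg in parse(lines):
        m = RECV_Q_RE.search(msg)
        if m:
            channel = qmap.get(int(m.group("qid")), "query " + m.group("qid"))
            totals[channel] += int(m.group("n"))
    return dict(totals)


def reconcile_bookmarks(lines):
    """Check each bookmark jump against the events the channel reported reading.

    The W2K8 channel logger and the EventLogState logger share the same
    '<host>.<channel>' suffix, so they are paired on that key. Returns one
    (key, previous_recno, events_read, new_recno, ok) tuple per bookmark
    update after the first; ok is False when the numbers do not add up.
    """
    last_bookmark = {}
    read_since = defaultdict(int)
    results = []
    for _, _, logger, msg in parse(lines):
        parts = logger.split(".")
        # Expected shape: Device.WindowsLog.<W2K8|EventLogState>.<host...>.<channel>
        if len(parts) < 5 or parts[1] != "WindowsLog":
            continue
        kind, key = parts[2], ".".join(parts[3:])
        if kind == "W2K8":
            m = RECV_RE.search(msg)
            if m:
                read_since[key] += int(m.group("n"))
        elif kind == "EventLogState":
            m = BOOKMARK_RE.search(msg)
            if not m:
                continue
            rec = int(m.group("rec"))
            if key in last_bookmark:
                prev = last_bookmark[key]
                results.append((key, prev, read_since[key], rec, prev + read_since[key] == rec))
            last_bookmark[key] = rec
            read_since[key] = 0
    return results
```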

Debugging FileForwarder Log Sources

With WinCollect's ability to pull from text files, it is important to troubleshoot how the agent is configured to pull those events if it does not seem to be working. It is also important to understand that although the log source identifier must exist, it is not used on this type of log source, as the root directory path is how the agent looks for the logs. In the examples below, the log source identifier is "fishes."
<category name="Device.FileForwarder" additivity="false">
    <priority value ="DEBUG" />
    <appender-ref ref="WinCollectLogs"/>
    <appender-ref ref="LogMonitor"/>
</category>

The output from this type of debugging contains entries like these:
11-20 08:17:22.401 DEBUG Device.FileForwarder.FileForwarderDeviceReader.fishes : Detected a <modification> directory change!!!! C:\logtesting\
11-20 08:17:22.402 DEBUG Device.FileForwarder.FileForwarderDeviceReader.fishes : Ignoring file C:\logtesting\u_ex160929_x - Copy (2).log because it was not created today.
11-20 08:17:22.402 DEBUG Device.FileForwarder.FileForwarderDeviceReader.fishes : Ignoring file C:\logtesting\u_ex160929_x - Copy (3) - Copy.log because it was not created today.
11-20 08:17:22.403 DEBUG Device.FileForwarder.FileForwarderDeviceReader.fishes : Ignoring file C:\logtesting\u_ex160929_x - Copy (3).log because it was not created today.
11-20 08:17:22.403 DEBUG Device.FileForwarder.FileForwarderDeviceReader.fishes : Ignoring file C:\logtesting\u_ex160929_x - Copy.log because it was not created today.
11-20 10:24:08.091 DEBUG Device.FileForwarder.FileForwarderDeviceReader.fishes : Processed 1 event records.
11-20 10:25:34.187 DEBUG Device.FileForwarder.FileForwarderDeviceReader.fishes : Processed 8 event records.
11-20 10:26:49.878 DEBUG Device.FileForwarder.FileForwarderDeviceReader.fishes : Processed 4 event records.
This type of debugging also shows you which monitoring mode the log source is set up for, file drop or continuous monitoring:
11-21 08:17:24.421 INFO  Device.FileForwarder.FileForwarderDeviceReader.fishes : Timing info (file drop): Processed 5 records in 0 msec.

InfoX output can give you more information about the file being read:
11-20 10:24:08.091 InfoX Device.FileForwarder.FileForwarderDeviceReader.fishes : Timing info (continuous monitor): Processed 1 records in 0 msec.
11-20 10:25:34.187 InfoX Device.FileForwarder.FileForwarderDeviceReader.fishes : Detected a <mod bigger> file change!!!! C:\logtesting\u_ex161006_x - Copy (3).log
11-20 10:25:34.187 InfoX Device.FileForwarder.FileForwarderDeviceReader.fishes : Timing info (continuous monitor): Processed 8 records in 0 msec.

To see the actual delivery of events, you can also put certain parts of the agent's Code loggers into debug.
 
<category name="Code.StoreAndForwardIncoming" additivity="false">
       <priority value ="DEBUG" />
       <appender-ref ref="WinCollectLogs"/>
       <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.FileMonitorNoFSRedirect" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

Debugging a Specific FileForwarder Log Source

 
<category name="Device.FileForwarder.FileForwarderDeviceReader.fishes" additivity="false">
    <priority value ="DEBUG" />
    <appender-ref ref="WinCollectLogs"/>
    <appender-ref ref="LogMonitor"/>
</category>
When you combine the DEBUG and InfoX output, you can see the complete conversation as the file is read and processed; this example is where events are appended, and file drop is used.
11-22 09:52:15.928 DEBUG Code.FileMonitorNoFSRedirect.x2EC430.thread.x10C0 : Check Action on C:\logtesting using hCreds 1523327380153906441
11-22 09:52:15.928 DEBUG Code.FileMonitorNoFSRedirect.x2EC430 : Directory changed 32770 - C:\logtesting
11-22 09:52:15.928 DEBUG Device.FileMonitorDevicePool.FileForwarder.x04F4 : RunControl code 4
11-22 09:52:15.928 DEBUG Device.FileMonitorDevicePool.FileForwarder.x04F4 : nChangeType: 32770 on file# 7818432379064774126
11-22 09:52:15.928 DEBUG Device.FileForwarder.FileForwarderDeviceReader.fishes : Detected a <modification> directory change!!!! C:\logtesting\
11-22 09:52:15.928 InfoX Device.FileForwarder.FileForwarderDeviceReader.fishes : About to scan dir C:\logtesting\...
11-22 09:52:15.928 InfoX Device.FileForwarder.FileForwarderDeviceReader.fishes : File C:\logtesting\u_EX160302.13.txt ok to monitor.
11-22 09:52:15.928 INFO  Device.FileForwarder.FileForwarderDeviceReader.fishes : Checking to see if we should process file drop on C:\logtesting\u_EX160302.13.txt...
11-22 09:52:15.928 DEBUG Device.FileForwarder.FileForwarderDeviceReader.fishes : Checking to see if we should process file drop on C:\logtesting\u_EX160302.13.txt (1542894735 vs 1542894710)...
11-22 09:52:15.928 DEBUG Device.FileForwarder.FileForwarderDeviceReader.fishes : Check to see if we should process file drop on C:\logtesting\u_EX160302.13.txt returned true.
11-22 09:52:15.928 INFO  Device.FileForwarder.FileForwarderDeviceReader.fishes : Processing file drop on C:\logtesting\u_EX160302.13.txt.
11-22 09:52:16.942 DEBUG Device.FileForwarder.FileForwarderDeviceReader.fishes : Processed 16 event records.
11-22 09:52:16.942 INFO  Device.FileForwarder.FileForwarderDeviceReader.fishes : Timing info (file drop): Processed 16 records in 0 msec.
11-22 09:52:23.120 DEBUG Code.StoreAndForwardIncoming._eventcollector103____vm233215____TCP : Processing accepted for new message block (16 records)
 

Debugging SQL Server

 
<category name="Device.MSSQL" additivity="false">
    <priority value ="DEBUG" />
    <appender-ref ref="WinCollectLogs"/>
    <appender-ref ref="LogMonitor"/>
</category>

The output from this type of debugging contains entries like these:
11-20 13:26:35.677 DEBUG Device.MSSQL.MSSQLDeviceReader.sqlsrv2016 : Added a file to monitor: \\10.10.224.13\c$\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Log\ERRORLOG
11-20 13:26:35.677 INFO  Device.MSSQL.MSSQLDeviceReader.sqlsrv2016 : Opened file \\10.10.224.13\c$\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Log\ERRORLOG.
11-20 13:29:43.361 DEBUG Device.MSSQL.MSSQLDeviceReader.sqlsrv2016 : Processed 4 event records.
11-20 13:29:43.361 DEBUG Device.MSSQL.MSSQLDeviceReader.sqlsrv2016 : Timing info (continuous monitor): Processed 4 records in 0 msec
11-20 13:29:35.677 DEBUG Device.MSSQL.MSSQLDeviceReader.sqlsrv2016 : Added a file to monitor: \\10.10.228.13\c$\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Log\ERRORLOG
11-20 13:28:35.678 INFO  Device.MSSQL.MSSQLDeviceReader.sqlsrv2016 : Opened file \\10.10.228.13\c$\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Log\ERRORLOG.
11-20 13:29:36.361 DEBUG Device.MSSQL.MSSQLDeviceReader.sqlsrv2016 : Processed 6 event records.
11-20 13:29:36.361 DEBUG Device.MSSQL.MSSQLDeviceReader.sqlsrv2016 : Timing info (continuous monitor): Processed 6 records in 0 msec

Debugging a Specific SQL Server

<category name="Device.MSSQL.MSSQLDeviceReader.sqlsrv2016" additivity="false">
    <priority value ="DEBUG" />
    <appender-ref ref="WinCollectLogs"/>
    <appender-ref ref="LogMonitor"/>
</category>
The output from this type of debugging contains entries like these:
11-20 13:26:35.677 DEBUG Device.MSSQL.MSSQLDeviceReader.sqlsrv2016 : Added a file to monitor: \\10.10.224.13\c$\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Log\ERRORLOG
11-20 13:26:35.677 INFO  Device.MSSQL.MSSQLDeviceReader.sqlsrv2016 : Opened file \\10.10.224.13\c$\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Log\ERRORLOG.
11-20 13:29:43.361 DEBUG Device.MSSQL.MSSQLDeviceReader.sqlsrv2016 : Processed 4 event records.
11-20 13:29:43.361 DEBUG Device.MSSQL.MSSQLDeviceReader.sqlsrv2016 : Timing info (continuous monitor): Processed 4 records in 0 msec
You can also put the file monitor agent code in debug for SQL:
<category name="Device.FileMonitorDevicePool.MSSQL" additivity="false">
    <priority value ="DEBUG" />
    <appender-ref ref="WinCollectLogs"/>
    <appender-ref ref="LogMonitor"/>
</category>
The output from this type of debugging contains entries like these, which show the agent detecting that new entries exist in a file:
11-20 13:29:43.361 DEBUG Device.FileMonitorDevicePool.MSSQL.x0FB4 : RunControl code 4
11-20 13:29:43.361 DEBUG Device.FileMonitorDevicePool.MSSQL.x0FB4 : nChangeType: 10 on file# 10895110627390525665

If you want the full conversation for these types of events, you can put these two parts of the agent's Code loggers in debug as well.
<category name="Code.StoreAndForwardIncoming" additivity="false">
       <priority value ="DEBUG" />
       <appender-ref ref="WinCollectLogs"/>
       <appender-ref ref="LogMonitor"/>
</category>
 
<category name="Code.FileMonitorNoFSRedirect" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>
This allows you to see the full process of new entries being pulled:
11-21 10:56:50.691 DEBUG Code.FileMonitorNoFSRedirect.x32C530.thread.x1378 : Check Action on \\10.10.224.13\c$\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Log\ERRORLOG using hCreds 1523327380153906441
11-21 10:56:50.691 DEBUG Code.FileMonitorNoFSRedirect.x32C530 : File changed 10 - \\10.10.224.13\c$\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Log\ERRORLOG
11-21 10:56:50.691 DEBUG Device.FileMonitorDevicePool.MSSQL.x0DDC : RunControl code 4
11-21 10:56:50.691 DEBUG Device.FileMonitorDevicePool.MSSQL.x0DDC : nChangeType: 10 on file# 10895110627390525665
11-21 10:56:50.691 DEBUG Device.MSSQL.MSSQLDeviceReader.sqlsrv2016 : Processed 2 event records.
11-21 10:56:50.691 DEBUG Device.MSSQL.MSSQLDeviceReader.sqlsrv2016 : Timing info (continuous monitor): Processed 2 records in 0 msec.
11-21 10:56:57.898 DEBUG Code.StoreAndForwardIncoming._eventcollector0____vm233214____UDP : Processing accepted for new message block (2 records)

Debugging IIS Server

<category name="Device.MSIIS" additivity="false">
    <priority value ="DEBUG" />
    <appender-ref ref="WinCollectLogs"/>
    <appender-ref ref="LogMonitor"/>
</category>
The output from this type of debugging contains entries like these which show the agent detecting that new entries exist in a file:  
11-21 12:28:39.605 DEBUG Device.MSIIS.DeviceReader.10.10.224.7 : Monitoring log type: FTP
11-21 12:28:39.605 DEBUG Device.MSIIS.DeviceReader.10.10.224.7 : Monitoring log type: NNTP
11-21 12:28:39.605 DEBUG Device.MSIIS.DeviceReader.10.10.224.7 : Monitoring log type: SMTP
11-21 12:28:39.605 DEBUG Device.MSIIS.DeviceReader.10.10.224.7 : Monitoring log type: W3C
11-21 12:28:39.605 DEBUG Device.MSIIS.DeviceReader.10.10.224.7 : FileReaderPolicy not specified -- defaulting to UnicodeLogFile
11-21 12:28:39.605 DEBUG Device.MSIIS.DeviceReader.10.10.224.7 : FileParserPolicy not specified -- defaulting to LineByLineParser
11-21 12:28:39.605 DEBUG Device.MSIIS.DeviceReader.10.10.224.7 : FileMonitorPolicy not specified -- defaulting to FileMonitorNoFSRedirect
11-21 12:28:39.620 DEBUG Device.MSIIS.DeviceReader.10.10.224.7 : SetupMonitors on : \\10.10.224.7\inetpub\logs\LogFiles\
11-21 12:28:39.636 INFO  Device.MSIIS.DeviceReader.10.10.224.7 : Added a directory to monitor: \\10.10.224.7\inetpub\logs\LogFiles\
11-21 12:28:39.636 DEBUG Device.MSIIS.DeviceReader.10.10.224.7 : SetupMonitors on : \\10.10.224.7\inetpub\logs\LogFiles\FTPSVC2\
11-21 12:28:39.636 INFO  Device.MSIIS.DeviceReader.10.10.224.7 : Added a directory to monitor: \\10.10.224.7\inetpub\logs\LogFiles\FTPSVC2\
11-21 12:28:39.636 DEBUG Device.MSIIS.DeviceReader.10.10.224.7 : Ignoring too old file: \\10.10.224.7\inetpub\logs\LogFiles\FTPSVC2\u_ex171103.log
11-21 12:34:20.155 DEBUG Device.MSIIS.PayloadSink : Retrieving fields for file \\10.10.224.7\inetpub\logs\LogFiles\W3SVC13\u_ex18112112.log'   category ex format W3C protocol W3C
InfoX information shows the events being parsed by the agent code.
11-21 12:34:20.155 InfoX Device.MSIIS.DeviceReader.10.10.224.7 : GatherFromFile W3SVC13\u_ex18112112.log  5 records parsed, 0 records skipped, in 0 msecs
Adding FileMonitor for IIS
<category name="Device.FileMonitorDevicePool.MSIIS" additivity="false">
    <priority value ="DEBUG" />
    <appender-ref ref="WinCollectLogs"/>
    <appender-ref ref="LogMonitor"/>
</category>
The output from this type of debugging contains entries like these:
11-21 12:34:20.155 DEBUG Device.FileMonitorDevicePool.MSIIS.x0F94 : RunControl code 4
11-21 12:34:20.155 DEBUG Device.FileMonitorDevicePool.MSIIS.x0F94 : nChangeType: 0 on file# 3705316814282036370
 

Debug a Specific IIS Server

 
<category name="Device.MSIIS.DeviceReader.10.10.224.7" additivity="false">
    <priority value ="DEBUG" />
    <appender-ref ref="WinCollectLogs"/>
    <appender-ref ref="LogMonitor"/>
</category>

With the added debugging for the code log (same as above), you can see the full conversation.
11-21 12:34:20.155 DEBUG Code.FileMonitorNoFSRedirect.xC20510.thread.x1250 : Check Action on \\10.10.224.7\inetpub\logs\LogFiles\W3SVC13\u_ex18112112.log using hCreds 1523327380153906441
11-21 12:34:20.155 DEBUG Code.FileMonitorNoFSRedirect.xC20510 : File changed 0 - \\10.10.224.7\inetpub\logs\LogFiles\W3SVC13\u_ex18112112.log
11-21 12:34:20.155 DEBUG Device.FileMonitorDevicePool.MSIIS.x0F94 : RunControl code 4
11-21 12:34:20.155 DEBUG Device.FileMonitorDevicePool.MSIIS.x0F94 : nChangeType: 0 on file# 3705316814282036370
11-21 12:34:20.155 DEBUG Device.MSIIS.PayloadSink : Retrieving fields for file \\10.10.224.7\inetpub\logs\LogFiles\W3SVC13\u_ex18112112.log'   category ex format W3C protocol W3C
11-21 12:34:20.155 InfoX Device.MSIIS.DeviceReader.10.10.224.7 : GatherFromFile W3SVC13\u_ex18112112.log  5 records parsed, 0 records skipped, in 0 msecs
11-21 12:34:20.898 DEBUG Code.StoreAndForwardIncoming._eventcollector0____vm233214____UDP : Processing accepted for new message block (5 records)

Debugging DHCP Server

<category name="Device.WindowsDHCP" additivity="false">       
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>
The output from this type of debugging contains entries like these:
11-20 14:39:21.680 DEBUG Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : Processed 10 event records.
11-20 14:39:21.680 DEBUG Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : Timing info (continuous monitor): Processed 10 records in 0 msec.

Adding FileMonitor for DHCP
<category name="Device.FileMonitorDevicePool.WindowsDHCP" additivity="false">       
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>
The output from this type of debugging contains entries like these:
11-20 14:39:21.680 DEBUG Device.FileMonitorDevicePool.WindowsDHCP.x0490 : RunControl code 4
11-20 14:39:21.680 DEBUG Device.FileMonitorDevicePool.WindowsDHCP.x0490 : nChangeType: 8 on file# 599925684800021865

Debugging an Individual DHCP Server

 
<category name="Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4" additivity="false">       
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>
 
<category name="Device.FileMonitorDevicePool.WindowsDHCP" additivity="false">       
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>
 
    <category name="Code.StoreAndForwardIncoming" additivity="false">
        <priority value ="DEBUG"  />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
    </category>
     
    <category name="Code.FileMonitorNoFSRedirect" additivity="false">
        <priority value ="DEBUG"  />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
    </category>
 
    <category name="Code.FileMonitorStatOnly" additivity="false">
        <priority value ="DEBUG"  />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
    </category>
As with the other plug-ins, you can put the full conversation in debug to see the flow of new events being discovered, pulled by the agent, and sent to QRadar:
11-23 07:43:58.514 DEBUG Code.FileMonitorStatOnly.x1720740.thread.x0FA0 : CHECK File \\10.10.224.4\c$\windows\system32\dhcp\
11-23 07:43:58.514 DEBUG Code.FileMonitorStatOnly.x1720740.thread.x00DC : Log file reported as larger (was 3761 is now 3879).
11-23 07:43:58.514 DEBUG Code.FileMonitorStatOnly.x1720740 : File changed 8 - \\10.10.224.4\c$\windows\system32\dhcp\DhcpSrvLog-Fri.log
11-23 07:43:58.514 DEBUG Device.FileMonitorDevicePool.WindowsDHCP.x1008 : RunControl code 4
11-23 07:43:58.514 DEBUG Device.FileMonitorDevicePool.WindowsDHCP.x1008 : nChangeType: 8 on file# 599911911201742195
11-23 07:43:58.514 DEBUG Code.FileMonitorStatOnly.x1720740.thread.x0648 : Log file reported as larger (was 2208 is now 2322).
11-23 07:43:58.514 DEBUG Code.FileMonitorStatOnly.x1720740 : File changed 8 - \\10.10.224.4\c$\windows\system32\dhcp\dhcpv6srvlog-fri.log
11-23 07:43:58.514 DEBUG Code.FileMonitorStatOnly.x1720740.thread.x0FA0 : Log file reported as modified (LastWriteTime was 3418620817 is now 3446221736). Likely not a problem (especially if a file rolls via deletion or truncation), but worth noting.
11-23 07:43:58.514 DEBUG Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : Processed 2 event records.
11-23 07:43:58.514 DEBUG Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : Timing info (continuous monitor): Processed 2 records in 0 msec.
11-23 07:43:58.514 DEBUG Device.FileMonitorDevicePool.WindowsDHCP.x0EF0 : RunControl code 4
11-23 07:43:58.514 DEBUG Device.FileMonitorDevicePool.WindowsDHCP.x0EF0 : nChangeType: 8 on file# 15283616884340280245
11-23 07:43:58.514 DEBUG Code.FileMonitorStatOnly.x1720740 : File changed 32770 - \\10.10.224.4\c$\windows\system32\dhcp\
11-23 07:43:58.514 DEBUG Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : Processed 2 event records.
11-23 07:43:58.514 DEBUG Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : Timing info (continuous monitor): Processed 2 records in 0 msec.
11-23 07:43:58.514 DEBUG Device.FileMonitorDevicePool.WindowsDHCP.x13AC : RunControl code 4
11-23 07:43:58.514 DEBUG Device.FileMonitorDevicePool.WindowsDHCP.x13AC : nChangeType: 32770 on file# 14683920749929202357
11-23 07:43:58.639 DEBUG Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : Comparing files that are both active today: latest: \\10.10.224.4\c$\windows\system32\dhcp\DhcpSrvLog-Fri.log challenger: \\10.10.224.4\c$\windows\system32\dhcp\DhcpSrvLog-Thu.log
11-23 07:43:58.639 DEBUG Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : File that was deemed latest: \\10.10.224.4\c$\windows\system32\dhcp\DhcpSrvLog-Fri.log
11-23 07:43:58.639 DEBUG Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : Comparing files that are both active today: latest: \\10.10.224.4\c$\windows\system32\dhcp\DhcpSrvLog-Fri.log challenger: \\10.10.224.4\c$\windows\system32\dhcp\DhcpV6SrvLog-Fri.log
11-23 07:43:58.639 DEBUG Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : File that was deemed latest: \\10.10.224.4\c$\windows\system32\dhcp\DhcpSrvLog-Fri.log
11-23 07:43:58.639 DEBUG Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : Comparing files that are both active today: latest: \\10.10.224.4\c$\windows\system32\dhcp\DhcpSrvLog-Fri.log challenger: \\10.10.224.4\c$\windows\system32\dhcp\DhcpV6SrvLog-Thu.log
11-23 07:43:58.639 DEBUG Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : File that was deemed latest: \\10.10.224.4\c$\windows\system32\dhcp\DhcpSrvLog-Fri.log
11-23 07:43:58.639 TRACE Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : Re-enabling file system redirection for current thread.
11-23 07:43:58.639 INFO  Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : Updating a file to monitor: \\10.10.224.4\c$\windows\system32\dhcp\DhcpSrvLog-Fri.log
11-23 07:43:58.639 DEBUG Code.FileMonitorStatOnly.x1720740 : Adding monitor for \\10.10.224.4\c$\windows\system32\dhcp\DhcpSrvLog-Fri.log  check: 5000  hCreds: 1523327380153906441  wantIdle: 0
11-23 07:43:58.639 INFO  Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : Updating a file to monitor: \\10.10.224.4\c$\windows\system32\dhcp\dhcpv6srvlog-fri.log
11-23 07:43:58.639 DEBUG Code.FileMonitorStatOnly.x1720740 : Adding monitor for \\10.10.224.4\c$\windows\system32\dhcp\dhcpv6srvlog-fri.log  check: 5000  hCreds: 1523327380153906441  wantIdle: 0
11-23 07:43:58.639 DEBUG Device.WindowsDHCP.WindowsDHCPDeviceReader.10.10.224.4 : Detected a <modification> directory change!!!! \\10.10.224.4\c$\windows\system32\dhcp\
11-23 07:44:01.603 DEBUG Code.StoreAndForwardIncoming._consoletcp : Processing accepted for new message block (4 records)

Debugging DNS Debug Log Sources

<category name="Device.WindowsDNS" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Device.FileMonitorDevicePool.WindowsDNS" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

The output from this type of debugging contains entries like these:
11-23 09:01:57.734 DEBUG Device.FileMonitorDevicePool.WindowsDNS.x1038 : RunControl code 1
11-23 09:01:57.734 DEBUG Device.FileMonitorDevicePool.WindowsDNS.x1038 : NEW_DEVICE
11-23 09:01:57.749 DEBUG Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Ignoring non-matching file \\10.10.224.2\c$\Windows\System32\dns\backup...
11-23 09:01:57.749 DEBUG Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Ignoring non-matching file \\10.10.224.2\c$\Windows\System32\dns\cache.dns...
11-23 09:01:57.749 DEBUG Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Considering file \\10.10.224.2\c$\Windows\System32\dns\dns.log...
11-23 09:01:57.749 DEBUG Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Added a file to monitor: \\10.10.224.2\c$\Windows\System32\dns\dns.log
11-23 09:01:57.749 INFO  Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Opened file \\10.10.224.2\c$\Windows\System32\dns\dns.log.
11-23 09:03:49.492 DEBUG Device.FileMonitorDevicePool.WindowsDNS.x11F0 : RunControl code 4
11-23 09:03:49.492 DEBUG Device.FileMonitorDevicePool.WindowsDNS.x11F0 : nChangeType: 10 on file# 10074138397379625349
11-23 09:03:49.570 DEBUG Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Processed 354 event records.
The InfoX level provides more output:
11-23 09:03:49.492 InfoX Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Detected a <mod bigger> file change, continue reading \\10.10.224.2\c$\Windows\System32\dns\dns.log
11-23 09:03:49.570 InfoX Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Timing info (continuous monitor): Processed 354 records in 78 msec.

Debugging an Individual DNS Debug Log Source

<category name="Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Device.FileMonitorDevicePool.WindowsDNS" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.StoreAndForwardIncoming" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.FileMonitorNoFSRedirect" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.FileMonitorStatOnly" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

As with other plug-ins, we can put the full conversation in debug to see the flow of new events being discovered, pulled by the agent, and sent to QRadar.
11-23 09:01:57.734 DEBUG Device.FileMonitorDevicePool.WindowsDNS.x1038 : RunControl code 1
11-23 09:01:57.734 DEBUG Device.FileMonitorDevicePool.WindowsDNS.x1038 : NEW_DEVICE
11-23 09:01:57.734 DEBUG Code.FileMonitorStatOnly.xB71970 : Adding monitor for \\10.10.224.2\c$\Windows\System32\dns\  check: 5000  hCreds: 1523327380153906441  wantIdle: 0
11-23 09:01:57.749 DEBUG Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Ignoring non-matching file \\10.10.224.2\c$\Windows\System32\dns\backup...
11-23 09:01:57.749 DEBUG Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Ignoring non-matching file \\10.10.224.2\c$\Windows\System32\dns\cache.dns...
11-23 09:01:57.749 DEBUG Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Considering file \\10.10.224.2\c$\Windows\System32\dns\dns.log...
11-23 09:01:57.749 DEBUG Code.FileMonitorStatOnly.xB71970 : Adding monitor for \\10.10.224.2\c$\Windows\System32\dns\dns.log  check: 5000  hCreds: 1523327380153906441  wantIdle: 0
11-23 09:01:57.749 DEBUG Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Added a file to monitor: \\10.10.224.2\c$\Windows\System32\dns\dns.log
11-23 09:01:57.749 INFO  Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Opened file \\10.10.224.2\c$\Windows\System32\dns\dns.log.
11-23 09:03:49.492 DEBUG Code.FileMonitorStatOnly.xB71970.thread.x10D4 : CHECK File \\10.10.224.2\c$\Windows\System32\dns\
11-23 09:03:49.492 DEBUG Code.FileMonitorStatOnly.xB71970.thread.x13A0 : CHECK File \\10.10.224.2\c$\Windows\System32\dns\dns.log
11-23 09:03:49.492 DEBUG Code.FileMonitorStatOnly.xB71970.thread.x13A0 : Log file reported as modified (LastWriteTime was 3846821293 is now 4097194914). Likely not a problem (especially if a file rolls via deletion or truncation), but worth noting.
11-23 09:03:49.492 DEBUG Code.FileMonitorStatOnly.xB71970.thread.x13A0 : Log file reported as larger (was 1298074 is now 1382976).
11-23 09:03:49.492 DEBUG Code.FileMonitorStatOnly.xB71970 : File changed 10 - \\10.10.224.2\c$\Windows\System32\dns\dns.log
11-23 09:03:49.492 DEBUG Device.FileMonitorDevicePool.WindowsDNS.x11F0 : RunControl code 4
11-23 09:03:49.492 DEBUG Device.FileMonitorDevicePool.WindowsDNS.x11F0 : nChangeType: 10 on file# 10074138397379625349
11-23 09:03:49.492 InfoX Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Detected a <mod bigger> file change, continue reading \\10.10.224.2\c$\Windows\System32\dns\dns.log
11-23 09:03:49.570 DEBUG Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Processed 354 event records.
11-23 09:03:49.570 InfoX Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Timing info (continuous monitor): Processed 354 records in 78 msec.
11-23 09:03:54.500 DEBUG Code.FileMonitorStatOnly.xB71970.thread.x0AF8 : CHECK File \\10.10.224.2\c$\Windows\System32\dns\
11-23 09:03:54.500 DEBUG Code.FileMonitorStatOnly.xB71970.thread.x1290 : CHECK File \\10.10.224.2\c$\Windows\System32\dns\dns.log
11-23 09:03:54.718 DEBUG Code.StoreAndForwardIncoming._consoletcp : Processing accepted for new message block (354 records)
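A full-conversation capture like the one above is easier to read once it is reduced to three facts per log source: which files the reader monitors, how many records it processed, and how many records Code.StoreAndForwardIncoming accepted for the message block. When the last two agree, everything read in that window was queued for sending. The Python script below is an added example, not IBM's code and not part of WinCollect; it assumes only the line layout visible in the samples on this page (MM-DD HH:MM:SS.mmm LEVEL Category : message) and runs on a few lines copied from the DNS output above.

```python
"""Summarise WinCollect debug output per log source.

Added example, not IBM's code and not part of WinCollect. It assumes only the
line layout visible in this article's samples:
    MM-DD HH:MM:SS.mmm LEVEL Category : message
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<level>[A-Za-z]+)\s+(?P<category>\S+)\s+:\s(?P<msg>.*)$"
)
# Reader categories end in the log source identifier, for example
# Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 -> 10.10.224.2
READER_RE = re.compile(r"DeviceReader\.(?P<src>.+)$")
PROCESSED_RE = re.compile(r"Processed (\d+) event records")
# Matches "Added a file to monitor: path", "Adding a file to monitor (path)",
# and "Updating a file to monitor: path" as seen in the samples.
MONITOR_RE = re.compile(r"file to monitor[:\s(]+(?P<path>.+?)\)?$")
ACCEPTED_RE = re.compile(r"Processing accepted for new message block \((\d+) records\)")


def parse_line(line):
    """Split one WinCollect log line into its fields; None if it is not one."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def summarize(lines):
    """Per-source files and record counts, plus records the forwarder accepted."""
    sources = defaultdict(lambda: {"files": [], "records_read": 0, "levels": Counter()})
    forwarded = 0
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed += 1          # a non-empty line in an unexpected layout
            continue
        cat, msg = rec["category"], rec["msg"]
        if cat.startswith("Code.StoreAndForwardIncoming"):
            m = ACCEPTED_RE.search(msg)
            if m:
                forwarded += int(m.group(1))
            continue
        reader = READER_RE.search(cat)
        if reader is None:
            continue                   # file monitors and device pools are not per-source
        entry = sources[reader.group("src")]
        entry["levels"][rec["level"]] += 1
        m = PROCESSED_RE.search(msg)
        if m:
            entry["records_read"] += int(m.group(1))
        m = MONITOR_RE.search(msg)
        if m:
            entry["files"].append(m.group("path"))
    return {"sources": dict(sources), "forwarded": forwarded, "unparsed": unparsed}


def read_minus_forwarded(summary):
    """Records the readers processed minus records the forwarder accepted.
    Zero means everything read in this window was queued for sending."""
    read = sum(s["records_read"] for s in summary["sources"].values())
    return read - summary["forwarded"]


# Sample input: lines copied from the DNS debug output in this article.
SAMPLE = r"""
11-23 09:01:57.734 DEBUG Device.FileMonitorDevicePool.WindowsDNS.x1038 : NEW_DEVICE
11-23 09:01:57.749 DEBUG Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Ignoring non-matching file \\10.10.224.2\c$\Windows\System32\dns\cache.dns...
11-23 09:01:57.749 DEBUG Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Added a file to monitor: \\10.10.224.2\c$\Windows\System32\dns\dns.log
11-23 09:01:57.749 INFO  Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Opened file \\10.10.224.2\c$\Windows\System32\dns\dns.log.
11-23 09:03:49.492 DEBUG Code.FileMonitorStatOnly.xB71970 : File changed 10 - \\10.10.224.2\c$\Windows\System32\dns\dns.log
11-23 09:03:49.492 InfoX Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Detected a <mod bigger> file change, continue reading \\10.10.224.2\c$\Windows\System32\dns\dns.log
11-23 09:03:49.570 DEBUG Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2 : Processed 354 event records.
11-23 09:03:54.718 DEBUG Code.StoreAndForwardIncoming._consoletcp : Processing accepted for new message block (354 records)
""".strip().splitlines()

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for src, info in result["sources"].items():
        print(src, info["files"], info["records_read"], dict(info["levels"]))
    print("forwarded:", result["forwarded"], "read - forwarded:", read_minus_forwarded(result))
```

To use it on a real capture, replace SAMPLE with the lines of WinCollect.log for the window you are troubleshooting; a non-zero result from read_minus_forwarded, or a source with files but no processed records, points at where in the discover/pull/send flow to look next.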

Debugging NPS/IAS

<category name="Device.WindowsIAS" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Device.FileMonitorDevicePool.WindowsIAS" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

The output from this type of debugging contains entries like these:
11-24 10:24:37.972 DEBUG Device.FileMonitorDevicePool.WindowsIAS.x0F3C : RunControl code 1
11-24 10:24:37.972 DEBUG Device.FileMonitorDevicePool.WindowsIAS.x0F3C : NEW_DEVICE
11-24 10:24:37.993 DEBUG Device.WindowsIAS.WindowsIASDeviceReader.10.10.224.7 : Considering IAS file \\10.10.224.7\c$\Windows\System32\LogFiles\NPS\IN181124.log...
11-24 10:24:37.995 INFO  Device.WindowsIAS.WindowsIASDeviceReader.10.10.224.7 : Adding a file to monitor (\\10.10.224.7\c$\Windows\System32\LogFiles\NPS\IN181124.log)
11-24 10:24:48.029 DEBUG Device.FileMonitorDevicePool.WindowsIAS.x10C8 : RunControl code 4
11-24 10:24:48.029 DEBUG Device.FileMonitorDevicePool.WindowsIAS.x10C8 : nChangeType: 10 on file# 299163592461544880
11-24 10:24:48.030 DEBUG Device.WindowsIAS.WindowsIASDeviceReader.10.10.224.7 : Processed 2 event records.
11-24 10:24:48.030 DEBUG Device.WindowsIAS.WindowsIASDeviceReader.10.10.224.7 : Timing info: Processed 2 records in 0 msec.

Debugging an Individual NPS/IAS Log Source

<category name="Device.WindowsIAS.WindowsIASDeviceReader.10.10.224.7" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Device.FileMonitorDevicePool.WindowsIAS" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.StoreAndForwardIncoming" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.FileMonitorNoFSRedirect" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.FileMonitorStatOnly" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

As with other plug-ins, we can put the full conversation in debug to see the flow of new events being discovered, pulled by the agent.
11-24 10:24:37.972 DEBUG Device.FileMonitorDevicePool.WindowsIAS.x0F3C : RunControl code 1
11-24 10:24:37.972 DEBUG Device.FileMonitorDevicePool.WindowsIAS.x0F3C : NEW_DEVICE
11-24 10:24:37.993 DEBUG Device.WindowsIAS.WindowsIASDeviceReader.10.10.224.7 : Considering IAS file \\10.10.224.7\c$\Windows\System32\LogFiles\NPS\IN181124.log...
11-24 10:24:37.995 DEBUG Code.FileMonitorStatOnly.x2CC7F0 : Adding monitor for \\10.10.224.7\c$\Windows\System32\LogFiles\NPS\IN181124.log  check: 5000  hCreds: 1523327380153906441  wantIdle: 0
11-24 10:24:37.995 INFO  Device.WindowsIAS.WindowsIASDeviceReader.10.10.224.7 : Adding a file to monitor (\\10.10.224.7\c$\Windows\System32\LogFiles\NPS\IN181124.log)
11-24 10:24:48.028 DEBUG Code.FileMonitorStatOnly.x2CC7F0.thread.x0860 : CHECK File \\10.10.224.7\c$\Windows\System32\LogFiles\NPS\IN181124.log
11-24 10:24:48.028 DEBUG Code.FileMonitorStatOnly.x2CC7F0.thread.x0860 : switching creds to 1523327380153906441
11-24 10:24:48.029 DEBUG Code.FileMonitorStatOnly.x2CC7F0.thread.x0860 : Log file reported as modified (LastWriteTime was 3526567437 is now 1920445474). Likely not a problem (especially if a file rolls via deletion or truncation), but worth noting.
11-24 10:24:48.029 DEBUG Code.FileMonitorStatOnly.x2CC7F0.thread.x0860 : Log file reported as larger (was 35580 is now 36137).
11-24 10:24:48.029 DEBUG Code.FileMonitorStatOnly.x2CC7F0 : File changed 10 - \\10.10.224.7\c$\Windows\System32\LogFiles\NPS\IN181124.log
11-24 10:24:48.029 DEBUG Device.FileMonitorDevicePool.WindowsIAS.x10C8 : RunControl code 4
11-24 10:24:48.029 DEBUG Device.FileMonitorDevicePool.WindowsIAS.x10C8 : nChangeType: 10 on file# 299163592461544880
11-24 10:24:48.030 DEBUG Device.WindowsIAS.WindowsIASDeviceReader.10.10.224.7 : Processed 2 event records.
11-24 10:24:48.030 DEBUG Device.WindowsIAS.WindowsIASDeviceReader.10.10.224.7 : Timing info: Processed 2 records in 0 msec.

Debugging ISA

<category name="Device.MicrosoftISA" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Device.FileMonitorDevicePool.WindowsISA" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

The output from this type of debugging contains entries like these:
11-24 11:03:27.306 DEBUG Device.FileMonitorDevicePool.WindowsIAS.x08E4 : RunControl code 1
11-24 11:03:27.306 DEBUG Device.FileMonitorDevicePool.WindowsIAS.x08E4 : NEW_DEVICE
11-24 11:03:27.306 DEBUG Device.FileMonitorDevicePool.WindowsISA.x10A8 : RunControl code 1
11-24 11:03:27.306 DEBUG Device.FileMonitorDevicePool.WindowsISA.x10A8 : NEW_DEVICE
11-24 11:03:27.337 DEBUG Device.MicrosoftISA.MicrosoftISADeviceReader.10.10.224.6 : Adding a file to monitor: \\10.10.224.6\C$\Program Files\Microsoft Forefront Threat Management Gateway\Logs\ISALOG_20181124_FWS_000.w3c
11-24 11:03:27.337 DEBUG Device.MicrosoftISA.WindowsISA.PayloadSink.GetIdFromFilename : ISA log file is w3c format, using columns for Firewall log fields.
11-24 11:03:27.337 INFO  Device.MicrosoftISA.MicrosoftISADeviceReader.10.10.224.6 : Opened file \\10.10.224.6\C$\Program Files\Microsoft Forefront Threat Management Gateway\Logs\ISALOG_20181124_FWS_000.w3c.
11-24 11:03:27.337 DEBUG Device.MicrosoftISA.MicrosoftISADeviceReader.10.10.224.6 : Adding a file to monitor: \\10.10.224.6\C$\Program Files\Microsoft Forefront Threat Management Gateway\Logs\ISALOG_20181124_WEB_000.w3c
11-24 11:03:27.337 DEBUG Device.MicrosoftISA.WindowsISA.PayloadSink.GetIdFromFilename : ISA log file is w3c format, using columns for Firewall log fields.
11-24 11:03:27.337 DEBUG Device.MicrosoftISA.WindowsISA.PayloadSink.GetIdFromFilename : ISA log file is w3c format, using columns for Web Proxy log fields.
11-24 11:03:27.337 INFO  Device.MicrosoftISA.MicrosoftISADeviceReader.10.10.224.6 : Opened file \\10.10.224.6\C$\Program Files\Microsoft Forefront Threat Management Gateway\Logs\ISALOG_20181124_WEB_000.w3c.
11-24 11:03:37.461 DEBUG Device.FileMonitorDevicePool.WindowsISA.x13EC : RunControl code 4
11-24 11:03:37.461 DEBUG Device.FileMonitorDevicePool.WindowsISA.x13EC : nChangeType: 8 on file# 9598286780645028099
11-24 11:03:37.461 DEBUG Device.UnicodeLogFile.GrowBuffers : Lots of data available for current buffer size of 8192. Growing to 16384.
11-24 11:03:37.461 DEBUG Device.MicrosoftISA.WindowsISA.PayloadSink.GetIdFromFilename : ISA log file is w3c format, using columns for Firewall log fields.
11-24 11:03:37.461 DEBUG Device.UnicodeLogFile.GrowBuffers : Lots of data available for current buffer size of 8192. Growing to 16384.
11-24 11:03:39.130 DEBUG Device.MicrosoftISA.MicrosoftISADeviceReader.10.10.224.6 : Processed 119 event records.
11-24 11:03:39.130 DEBUG Device.MicrosoftISA.MicrosoftISADeviceReader.10.10.224.6 : Timing info (continuous monitor): Processed 119 records in 1669 msec.
11-24 11:03:48.912 DEBUG Code.StoreAndForwardIncoming._greattimes : Processing accepted for new message block (119 records)

Debugging a Single ISA Log Source

<category name="Device.MicrosoftISA.MicrosoftISADeviceReader.10.10.224.6" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Device.FileMonitorDevicePool.WindowsISA" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.StoreAndForwardIncoming" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.FileMonitorNoFSRedirect" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.FileMonitorStatOnly" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

As with other plug-ins, we can put the full conversation in debug to see the flow of new events being discovered, pulled by the agent.
11-24 11:03:27.306 DEBUG Device.FileMonitorDevicePool.WindowsIAS.x08E4 : RunControl code 1
11-24 11:03:27.306 DEBUG Device.FileMonitorDevicePool.WindowsIAS.x08E4 : NEW_DEVICE
11-24 11:03:27.306 DEBUG Device.FileMonitorDevicePool.WindowsISA.x10A8 : RunControl code 1
11-24 11:03:27.306 DEBUG Device.FileMonitorDevicePool.WindowsISA.x10A8 : NEW_DEVICE
11-24 11:03:27.337 DEBUG Device.MicrosoftISA.MicrosoftISADeviceReader.10.10.224.6 : Adding a file to monitor: \\10.10.224.6\C$\Program Files\Microsoft Forefront Threat Management Gateway\Logs\ISALOG_20181124_FWS_000.w3c
11-24 11:03:27.337 DEBUG Code.FileMonitorStatOnly.x2F7AC0 : Adding monitor for \\10.10.224.6\C$\Program Files\Microsoft Forefront Threat Management Gateway\Logs\ISALOG_20181124_FWS_000.w3c  check: 5000  hCreds: 1523327380153906441  wantIdle: 0
11-24 11:03:27.337 DEBUG Device.MicrosoftISA.WindowsISA.PayloadSink.GetIdFromFilename : ISA log file is w3c format, using columns for Firewall log fields.
11-24 11:03:27.337 INFO  Device.MicrosoftISA.MicrosoftISADeviceReader.10.10.224.6 : Opened file \\10.10.224.6\C$\Program Files\Microsoft Forefront Threat Management Gateway\Logs\ISALOG_20181124_FWS_000.w3c.
11-24 11:03:27.337 DEBUG Device.MicrosoftISA.MicrosoftISADeviceReader.10.10.224.6 : Adding a file to monitor: \\10.10.224.6\C$\Program Files\Microsoft Forefront Threat Management Gateway\Logs\ISALOG_20181124_WEB_000.w3c
11-24 11:03:27.337 DEBUG Device.MicrosoftISA.WindowsISA.PayloadSink.GetIdFromFilename : ISA log file is w3c format, using columns for Firewall log fields.
11-24 11:03:27.337 DEBUG Code.FileMonitorStatOnly.x2F7AC0 : Adding monitor for \\10.10.224.6\C$\Program Files\Microsoft Forefront Threat Management Gateway\Logs\ISALOG_20181124_WEB_000.w3c  check: 5000  hCreds: 1523327380153906441  wantIdle: 0
11-24 11:03:27.337 DEBUG Device.MicrosoftISA.WindowsISA.PayloadSink.GetIdFromFilename : ISA log file is w3c format, using columns for Web Proxy log fields.
11-24 11:03:27.337 INFO  Device.MicrosoftISA.MicrosoftISADeviceReader.10.10.224.6 : Opened file \\10.10.224.6\C$\Program Files\Microsoft Forefront Threat Management Gateway\Logs\ISALOG_20181124_WEB_000.w3c.
11-24 11:03:37.461 DEBUG Code.FileMonitorStatOnly.x2F7AC0.thread.x1318 : CHECK File \\10.10.224.7\c$\Windows\System32\LogFiles\NPS\
11-24 11:03:37.461 DEBUG Code.FileMonitorStatOnly.x2F7AC0.thread.x04C0 : CHECK File \\10.10.224.7\c$\Windows\System32\LogFiles\NPS\IN181124.log
11-24 11:03:37.461 DEBUG Code.FileMonitorStatOnly.x2F7AC0.thread.x0860 : Log file reported as larger (was 122475385 is now 122501232).
11-24 11:03:37.461 DEBUG Code.FileMonitorStatOnly.x2F7AC0 : File changed 8 - \\10.10.224.6\C$\Program Files\Microsoft Forefront Threat Management Gateway\Logs\ISALOG_20181124_FWS_000.w3c
11-24 11:03:37.461 DEBUG Device.FileMonitorDevicePool.WindowsISA.x13EC : RunControl code 4
11-24 11:03:37.461 DEBUG Device.FileMonitorDevicePool.WindowsISA.x13EC : nChangeType: 8 on file# 9598286780645028099
11-24 11:03:37.461 DEBUG Device.UnicodeLogFile.GrowBuffers : Lots of data available for current buffer size of 8192. Growing to 16384.
11-24 11:03:37.461 DEBUG Device.MicrosoftISA.WindowsISA.PayloadSink.GetIdFromFilename : ISA log file is w3c format, using columns for Firewall log fields.
11-24 11:03:37.461 DEBUG Device.UnicodeLogFile.GrowBuffers : Lots of data available for current buffer size of 8192. Growing to 16384.
11-24 11:03:39.130 DEBUG Device.MicrosoftISA.MicrosoftISADeviceReader.10.10.224.6 : Processed 119 event records.
11-24 11:03:39.130 DEBUG Device.MicrosoftISA.MicrosoftISADeviceReader.10.10.224.6 : Timing info (continuous monitor): Processed 119 records in 1669 msec.
11-24 11:03:48.912 DEBUG Code.StoreAndForwardIncoming._greattimes : Processing accepted for new message block (119 records)

Debugging Exchange

<category name="Device.MicrosoftExchange" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Device.FileMonitorDevicePool.MicrosoftExchange" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

The output from this type of debugging contains entries like these:
11-24 19:43:17.312 DEBUG Device.FileMonitorDevicePool.MicrosoftExchange.x1344 : RunControl code 4
11-24 19:43:17.312 DEBUG Device.FileMonitorDevicePool.MicrosoftExchange.x1344 : nChangeType: 0 on file# 14617031193970708234
11-24 19:43:17.312 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : ProcessOnIdle locking: \\ex01.pain.lab\C$\inetpub\logs\LogFiles\W3SVC1\u_ex181124_x.log
11-24 19:43:17.312 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : ProcessOnIdle calling GatherFromFile: \\ex01.pain.lab\C$\inetpub\logs\LogFiles\W3SVC1\u_ex181124_x.log (File# 14617031193970708234)
11-24 19:43:17.313 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : parsed event: 2018-11-24
11-24 19:43:17.313 DEBUG Device.MicrosoftExchange.PayloadSink : Retrieving fields for file \\ex01.pain.lab\C$\inetpub\logs\LogFiles\W3SVC1\u_ex181124_x.log'   category ex format W3C protocol OWA
11-24 19:43:17.314 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : generated payload

Debugging an Individual Exchange Log Source

Here we recommend TRACE for the actual log source in question. It gives a specific view into the events being parsed.
As with other plug-ins, we can put the full conversation in debug to see the flow of new events being discovered, pulled by the agent, and sent to QRadar.

<category name="Device.MicrosoftExchange.DeviceReader.10.10.224.5" additivity="false">
        <priority value ="TRACE" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Device.FileMonitorDevicePool.MicrosoftExchange" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.StoreAndForwardIncoming" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.FileMonitorNoFSRedirect" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.FileMonitorStatOnly" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

Message Tracking Logs
11-24 19:43:16.510 DEBUG Code.FileMonitorNoFSRedirect.x4D5670.thread.x106C : Check Action on \\ex01.pain.lab\C$\inetpub\logs\LogFiles\W3SVC1 using hCreds 1523327380153906441
11-24 19:43:17.310 DEBUG Code.FileMonitorNoFSRedirect.x4D5670.thread.x11D0 : Check Action on \\ex01.pain.lab\C$\inetpub\logs\LogFiles\W3SVC1\u_ex181124_x.log using hCreds 1523327380153906441
11-24 19:43:17.312 DEBUG Code.FileMonitorNoFSRedirect.x4D5670 : File changed 0 - \\ex01.pain.lab\C$\inetpub\logs\LogFiles\W3SVC1\u_ex181124_x.log
11-24 19:43:17.312 DEBUG Device.FileMonitorDevicePool.MicrosoftExchange.x1344 : RunControl code 4
11-24 19:43:17.312 DEBUG Device.FileMonitorDevicePool.MicrosoftExchange.x1344 : nChangeType: 0 on file# 14617031193970708234
11-24 19:43:17.312 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : ProcessOnIdle locking: \\ex01.pain.lab\C$\inetpub\logs\LogFiles\W3SVC1\u_ex181124_x.log
11-24 19:43:17.312 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : ProcessOnIdle calling GatherFromFile: \\ex01.pain.lab\C$\inetpub\logs\LogFiles\W3SVC1\u_ex181124_x.log (File# 14617031193970708234)
11-24 19:43:17.313 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : parsed event: 2018-11-24
11-24 19:43:17.313 DEBUG Device.MicrosoftExchange.PayloadSink : Retrieving fields for file \\ex01.pain.lab\C$\inetpub\logs\LogFiles\W3SVC1\u_ex181124_x.log'   category ex format W3C protocol OWA
11-24 19:43:17.314 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : generated payload
11-24 19:43:17.314 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : parsed event: 2018-11-24
11-24 19:43:17.314 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : generated payload
11-24 19:43:17.314 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : parsed event: 2018-11-24
11-24 19:43:17.314 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : generated payload
11-24 19:43:17.315 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : no events
11-24 19:43:17.315 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : done
11-24 19:43:17.315 InfoX Device.MicrosoftExchange.DeviceReader.10.10.224.5 : GatherFromFile u_ex181124_x.log  3 records parsed, 0 records skipped, in 0 msecs
11-24 19:43:17.317 DEBUG Code.StoreAndForwardIncoming._greattimes : Processing accepted for new message block (3 records)

SMTP
11-24 19:43:20.411 DEBUG Code.FileMonitorNoFSRedirect.x4D5670 : File changed 0 - \\ex01.pain.lab\C$\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive\RECV20181124-1.LOG
11-24 19:43:20.411 DEBUG Device.FileMonitorDevicePool.MicrosoftExchange.x10F4 : RunControl code 4
11-24 19:43:20.411 DEBUG Device.FileMonitorDevicePool.MicrosoftExchange.x10F4 : nChangeType: 0 on file# 15162873453123254251
11-24 19:43:20.411 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : ProcessOnIdle locking: \\ex01.pain.lab\C$\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive\RECV20181124-1.LOG
11-24 19:43:20.411 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : ProcessOnIdle calling GatherFromFile: \\ex01.pain.lab\C$\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive\RECV20181124-1.LOG (File# 15162873453123254251)
11-24 19:43:20.412 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : parsed event: 2018-11-24T23:42:46.548Z
11-24 19:43:20.412 DEBUG Device.MicrosoftExchange.PayloadSink : Retrieving fields for file \\ex01.pain.lab\C$\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive\RECV20181124-1.LOG'   category sm format SMTP protocol SMTP
11-24 19:43:20.413 DEBUG Device.UnicodeLogFile.GrowBuffers : Lots of data available for current buffer size of 8192. Growing to 16384.
11-24 19:43:20.413 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : generated payload
11-24 19:43:20.413 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : parsed event: 2018-11-24T23:42:46.548Z
11-24 19:43:20.413 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : generated payload
11-24 19:43:20.413 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : parsed event: 2018-11-24T23:42:46.548Z
11-24 19:43:20.413 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : generated payload
11-24 19:43:20.414 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : no events
11-24 19:43:20.414 TRACE Device.MicrosoftExchange.DeviceReader.10.10.224.5 : done
11-24 19:43:20.414 InfoX Device.MicrosoftExchange.DeviceReader.10.10.224.5 : GatherFromFile SmtpReceive\RECV20181124-1.LOG  3 records parsed, 0 records skipped, in 16 msecs
11-24 19:43:22.417 DEBUG Code.StoreAndForwardIncoming._greattimes : Processing accepted for new message block (3 records)

Debugging NetApp

<category name="Device.NetApp" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Device.FileMonitorDevicePool.NetApp" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

The output from this type of debugging contains entries like these:
11-26 11:03:52.842 InfoX Device.NetApp.NetAppDeviceReader.10.10.224.18 : Read from persistence a timestamp of 1540525677 with cursor 8648
11-26 11:04:12.924 DEBUG Device.FileMonitorDevicePool.NetApp.x111C : RunControl code 4
11-26 11:04:12.924 DEBUG Device.FileMonitorDevicePool.NetApp.x111C : nChangeType: 0 on file# 7664198343985453965
11-26 11:04:12.986 DEBUG Device.NetApp.NetAppDeviceReader.10.10.224.18 : Saving bookmark NetApp_10.10.224.18  cursor 8665  timestamp 1540525677

Debugging an Individual NetApp Log Source

<category name="Device.NetApp.NetAppDeviceReader.10.10.224.18" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Device.FileMonitorDevicePool.NetApp" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.StoreAndForwardIncoming" additivity="false">
        <priority value ="TRACE" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.FileMonitorNoFSRedirect" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Code.FileMonitorStatOnly" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>

<category name="Device.WindowsLog.W2K8.localhost" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>
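A malformed logconfig.xml is the one way this kind of editing can keep the WinCollect service from starting, so it is worth checking a fragment before saving it. The Python script below is an added example, not IBM's or WinCollect's own code; it knows nothing about WinCollect's real loader and only checks what is visible in the category fragments on this page: that the XML is well-formed, that every category has a name, a priority value from the set of levels named in this article and both appender-refs, that additivity is "false" as in every example here, that no category is defined twice, and which categories are left at DEBUG or TRACE so that they can be reverted when troubleshooting ends. The sample fragment is constructed from the categories above with two deliberate defects; the broken fragment is constructed with its closing tag left off.

```python
"""Check a logconfig.xml <category> fragment before saving it.

Added example, not IBM's or WinCollect's own code. It assumes only the
log4cxx-style <category> syntax shown in this article and checks what is
visible there: well-formed XML, name/priority/appender-refs on each category,
additivity="false", duplicate names, and categories left at DEBUG or TRACE.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Levels named in the article's own descr attribute on <priority>.
KNOWN_LEVELS = {"INFO", "FATAL", "ERROR", "WARN", "InfoX", "DEBUG", "TRACE"}
VERBOSE_LEVELS = {"DEBUG", "TRACE"}
EXPECTED_APPENDERS = ("WinCollectLogs", "LogMonitor")


def check_fragment(fragment):
    """Return findings for a fragment containing one or more <category> elements."""
    findings = {"parse_error": None, "categories": [], "verbose": [],
                "duplicates": [], "problems": []}
    try:
        # The fragment has no single root element, so wrap it in one for the parser.
        root = ET.fromstring("<root>" + fragment + "</root>")
    except ET.ParseError as exc:
        findings["parse_error"] = str(exc)
        return findings

    seen = Counter()
    for cat in root.iter("category"):
        name = cat.get("name")
        if not name:
            findings["problems"].append("category without a name attribute")
            continue
        seen[name] += 1
        findings["categories"].append(name)

        # Every example in the article sets additivity="false" so messages are
        # not also written through the parent category's appenders.
        if cat.get("additivity") != "false":
            findings["problems"].append(f"{name}: additivity is not false")

        prio = cat.find("priority")
        level = prio.get("value") if prio is not None else None
        if not level:
            findings["problems"].append(f"{name}: missing <priority value=...>")
        elif level not in KNOWN_LEVELS:
            findings["problems"].append(f"{name}: unknown level {level!r}")
        elif level in VERBOSE_LEVELS:
            findings["verbose"].append((name, level))

        refs = {a.get("ref") for a in cat.findall("appender-ref")}
        missing = sorted(set(EXPECTED_APPENDERS) - refs)
        if missing:
            findings["problems"].append(f"{name}: no appender-ref for {missing}")

    findings["duplicates"] = sorted(n for n, c in seen.items() if c > 1)
    return findings


# Constructed sample: two categories from this article, with two deliberate
# defects (Code.StoreAndForwardIncoming defined twice, second copy missing an appender).
SAMPLE_FRAGMENT = """
<category name="Device.WindowsDNS.WindowsDNSDeviceReader.10.10.224.2" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>
<category name="Code.StoreAndForwardIncoming" additivity="false">
        <priority value ="DEBUG"  />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
</category>
<category name="Code.StoreAndForwardIncoming" additivity="false">
        <priority value ="TRACE" />
        <appender-ref ref="WinCollectLogs"/>
</category>
"""

# Constructed sample with the closing tag left off: the kind of edit that
# would keep the service from starting.
BROKEN_FRAGMENT = """
<category name="Device.WindowsDNS" additivity="false">
        <priority value ="DEBUG" />
        <appender-ref ref="WinCollectLogs"/>
"""

if __name__ == "__main__":
    for label, frag in (("sample", SAMPLE_FRAGMENT), ("broken", BROKEN_FRAGMENT)):
        print(label, check_fragment(frag))
```

Run it on the categories you are about to paste; a parse_error means the file would not load, and the verbose list is the set of categories to set back to INFO or InfoX once the investigation is done.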

For NetApp, we recommend using most of the debug paths above, even when investigating all NetApp log sources, but the output is quite chatty. It looks like this:
11-26 11:03:52.795 INFO  Device.Service.NetAppDevice : Initializing NetApp Device Service...
11-26 11:03:52.795 INFO  Device.Service.NetAppDevice : NetApp Device Service: Overriding thread pool type with type AdaptiveThreadPool.
11-26 11:03:52.796 DEBUG Code.Statistics : Starting transaction to Register SimpleEPS NetApp.10.10.224.18.\\10.10.224.18\audit
11-26 11:03:52.797 InfoX Device.NetApp.NetAppDeviceReader.10.10.224.18 : Monitoring NetApp logs on target directory \\10.10.224.18\audit every 20000 msec
11-26 11:03:52.797 INFO  Device.Service.NetAppDevice : NetApp Device Service initialized.
11-26 11:03:52.797 INFO  System.ComponentFactory : Service DeviceNetApp v7.2.8 initialized
11-26 11:03:52.841 DEBUG Code.FileMonitorNoFSRedirect.x1498A0 : stat on \\10.10.224.18\audit -- res -1  errno 2
11-26 11:03:52.841 DEBUG Code.FileMonitorNoFSRedirect.x1498A0 : Adding monitor for \\10.10.224.18\audit (file# 7664198343985453965)  check: 20000  hCreds: 1523327380153906441  wantIdle: 1
11-26 11:03:52.842 InfoX Device.NetApp.NetAppDeviceReader.10.10.224.18 : Read from persistence a timestamp of 1540525677 with cursor 8648
11-26 11:04:12.924 DEBUG Code.FileMonitorNoFSRedirect.x1498A0.thread.x0950 : Check Action on \\10.10.224.18\audit using hCreds 1523327380153906441
11-26 11:04:12.924 DEBUG Code.SecurityManager : SetCredentialsForThread user administrator hLogin=1856 creds=1523327380153906441
11-26 11:04:12.924 DEBUG Code.FileMonitorNoFSRedirect.x1498A0.thread.x0950 : stat on \\10.10.224.18\audit -- res -1  errno 2
11-26 11:04:12.924 DEBUG Code.FileMonitorNoFSRedirect.x1498A0 : File changed 0 - \\10.10.224.18\audit
11-26 11:04:12.924 DEBUG Device.FileMonitorDevicePool.NetApp.x111C : RunControl code 4
11-26 11:04:12.924 DEBUG Device.FileMonitorDevicePool.NetApp.x111C : nChangeType: 0 on file# 7664198343985453965
11-26 11:04:12.924 InfoX Device.NetApp.NetAppDeviceReader.10.10.224.18 : GetEventFiles from \\10.10.224.18\audit\ after 1540525677
11-26 11:04:12.924 InfoX Device.NetApp.NetAppDeviceReader.10.10.224.18 : GetEventFiles the latest file is \\10.10.224.18\audit\audit_eng_last.evtx created 1540525677
11-26 11:04:12.924 InfoX Device.NetApp.NetAppDeviceReader.10.10.224.18 : Adding updated file: \\10.10.224.18\audit\audit_eng_last.evtx  created: 1540525677  updated: 1543230173
11-26 11:04:12.924 InfoX Device.NetApp.NetAppDeviceReader.10.10.224.18 : Gathering events from \\10.10.224.18\audit\audit_eng_last.evtx...
11-26 11:04:12.924 DEBUG Device.WindowsLog.W2K8.localhost.LogFile : Loaded 26 raw messages from file C:\ProgramData\WinCollect\Data\EventLogMessageCache\cachedata\NetApp\RawMessages.dat
11-26 11:04:12.924 InfoX Device.WindowsLog.W2K8.localhost.LogFile : Initialized: batchSize:512 evtsPerPass:1024 startDelay:0ms polling:20000ms txSIDs:1 ADLookup:0 startTM:20181126.150412.924324500 startRN:0
11-26 11:04:12.924 DEBUG Device.WindowsLog.W2K8.localhost.LogFile : Collect called with no query handle; opening new query...
11-26 11:04:12.939 InfoX Device.WindowsLog.W2K8.localhost.LogFile : Jumping to offset 8647
11-26 11:04:12.971 DEBUG Device.WindowsLog.W2K8.localhost.LogFile : Received 17 events
11-26 11:04:12.986 DEBUG Device.WindowsLog.W2K8.localhost.LogFile : Initializing: NetApp-Security-Auditing, File: \\10.10.224.18\audit\audit_eng_last.evtx, handle: 0x14
11-26 11:04:12.986 DEBUG Device.WindowsLog.W2K8.localhost.LogFile : loaded 16 levels
11-26 11:04:12.986 DEBUG Device.WindowsLog.W2K8.localhost.LogFile : loaded 1 tasks
11-26 11:04:12.986 DEBUG Device.WindowsLog.W2K8.localhost.LogFile : loaded 8 keywords
11-26 11:04:12.986 DEBUG Device.WindowsLog.W2K8.localhost.LogFile : loaded 26 opcodes
11-26 11:04:12.986 DEBUG Device.WindowsLog.W2K8.localhost.LogFile : Returning 17 event payload results.
11-26 11:04:12.986 InfoX Device.NetApp.NetAppDeviceReader.10.10.224.18 : Collected 17 events from \\10.10.224.18\audit\audit_eng_last.evtx in 0.054 secs, posted in 0.000 secs, cursor: 8665
11-26 11:04:12.986 DEBUG Device.NetApp.NetAppDeviceReader.10.10.224.18 : Saving bookmark NetApp_10.10.224.18  cursor 8665  timestamp 1540525677
11-26 11:04:22.767 DEBUG Code.StoreAndForwardIncoming._goodtimes : Processing accepted for new message block (17 records)

RAW Payload viewing with TCP destinations

If you want to see what the agent is actually sending, modify logconfig.xml and add the following entry:

    <category name="Code.TCPSocket" additivity="false">
        <priority value ="TRACE" descr="Other levels available: INFO, FATAL, ERROR, WARN, InfoX, DEBUG, TRACE" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
    </category>

For a specific destination, include the full destination address in the category name:

    <category name="Code.TCPSocket.10.10.233.214" additivity="false">
        <priority value ="TRACE" descr="Other levels available: INFO, FATAL, ERROR, WARN, InfoX, DEBUG, TRACE" />
        <appender-ref ref="WinCollectLogs"/>
        <appender-ref ref="LogMonitor"/>
    </category>

NOTE: This output is VERY chatty. Leave it on for short bursts if you are looking to see the payload being sent.

01-04 10:49:25.786 TRACE Code.TCPSocket.10.10.233.214:514 : Sending payload size 1849 => 851 : <13>Jan 04 10:49:24 10.10.228.201 AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=7.2.8.145    Source=Microsoft-Windows-Security-Auditing    Computer=steven8.pain.lab    OriginatingComputer=10.10.228.201    User=    Domain=    EventID=5156    EventIDCode=5156    EventType=8    EventCategory=12810    RecordNumber=80173317    TimeGenerated=1546613362    TimeWritten=1546613362    Level=Log Always    Keywords=Audit Success    Task=SE_ADT_OBJECTACCESS_FIREWALLCONNECTION    Opcode=Info    Message=The Windows Filtering Platform has permitted a connection.  Application Information:  Process ID:  4  Application Name: System  Network Information:  Direction:  Outbound  Source Address:  10.10.228.201  Source Port:  49190  Destination Address: 10.10.131.232  Destination Port:  443  Protocol:  6  Filter Information:  Filter Run-Time ID: 113613  Layer Name:  Connect  Layer Run-Time ID: 48
01-04 10:49:25.786 TRACE Code.TCPSocket.10.10.233.214:514 : Sent 852 bytes successfully.
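The TRACE output above is the only place to confirm what actually left the agent for a given destination. As an added example (not part of the IBM article or of WinCollect), here is a small Python parser that pairs each "Sending payload" line with its "Sent N bytes" line, decodes the syslog PRI and splits the WinCollect Key=Value fields, so you can check destination and event IDs without reading the raw log; the sample log lines are constructed, and the multi-space field separator is assumed from the output shown on this page.

```python
import re
from collections import Counter
# Constructed sample (not a real capture) of the TRACE lines WinCollect.log shows once
# Code.TCPSocket is at TRACE; one event of the same Security/5156 kind as on the page.
SAMPLE_LOG = """\
01-04 10:49:25.786 TRACE Code.TCPSocket.10.10.233.214:514 : Sending payload size 1849 => 851 : <13>Jan 04 10:49:24 10.10.228.201 AgentDevice=WindowsLog    AgentLogFile=Security    Computer=host1.example.test    EventID=5156    EventIDCode=5156    Keywords=Audit Success    Message=The Windows Filtering Platform has permitted a connection.  Application Information:  Process ID:  4
01-04 10:49:25.786 TRACE Code.TCPSocket.10.10.233.214:514 : Sent 852 bytes successfully.
01-04 10:49:25.790 DEBUG Code.StoreAndForwardIncoming._goodtimes : Processing accepted for new message block (17 records)
"""

# Log line: "MM-DD HH:MM:SS.mmm LEVEL Category : message" (INFO pads LEVEL with two spaces).
LINE_RE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (\S+)\s+(\S+) : (.*)$")
SEND_RE = re.compile(r"^Sending payload size (\d+) => (\d+) : (.*)$")
SENT_RE = re.compile(r"^Sent (\d+) bytes successfully\.$")
# Syslog <PRI>, then the header up to the first "Key=" token of the WinCollect payload.
PAYLOAD_RE = re.compile(r"^<(\d+)>(.*?)\s+(\w+=.*)$")

def parse_payload(payload):
    """Split one syslog payload into PRI facility/severity and its Key=Value fields."""
    m = PAYLOAD_RE.match(payload)
    if not m:
        raise ValueError("not a WinCollect syslog payload")
    pri, header, kv = int(m.group(1)), m.group(2), m.group(3)
    fields = {}
    # The Message value contains double spaces too, so only split where "Key=" follows.
    for token in re.split(r"\s{2,}(?=\w+=)", kv):
        key, _, value = token.partition("=")
        fields[key] = value.strip()
    return {"facility": pri >> 3, "severity": pri & 7, "header": header, "fields": fields}

def parse_tcp_trace(text):
    """Pair each 'Sending payload' line with its 'Sent N bytes' line per destination."""
    records, pending = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "TRACE" or not m.group(3).startswith("Code.TCPSocket."):
            continue
        dest, msg = m.group(3)[len("Code.TCPSocket."):], m.group(4)
        if send := SEND_RE.match(msg):
            rec = {"destination": dest, "raw_size": int(send.group(1)),
                   "wire_size": int(send.group(2)), "sent_bytes": None}
            rec.update(parse_payload(send.group(3)))
            pending[dest] = rec
            records.append(rec)
        elif (sent := SENT_RE.match(msg)) and dest in pending:
            pending.pop(dest)["sent_bytes"] = int(sent.group(1))
    return records

def event_ids_per_destination(records):
    """Count which Windows EventIDs actually left the agent for each destination."""
    return dict(Counter((r["destination"], r["fields"].get("EventID")) for r in records))
```

A record whose sent_bytes stays None marks a payload with no matching "Sent" line, which is the case to look at first when events are missing on the QRadar side.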


Document Information

Modified date:
08 April 2022

UID

ibm16404330