Sending Windows Logs to QRadar

Windows logs give QRadar important information about user activity and system events on Windows-based devices. These logs cover a range of event categories and are usually collected through Windows Event Forwarding (WEF) or the QRadar Windows Event Log Adapter.

Introduction

Prerequisites

Before we dive into the configuration steps, ensure you have the following prerequisites:

    • QRadar SIEM: Installed and running.
    • Windows Server/Workstation: From which logs will be sent.
    • WinCollect: IBM’s log collection software for Windows.

Step 1: Setup WinCollect

WinCollect is an essential component for forwarding Windows logs to QRadar. It can be installed either as a stand-alone agent or managed directly from QRadar. For this guide, we will use the managed method.

Download WinCollect:

Obtain the two WinCollect installers from the IBM website:

  1. WinCollect Agent EXE
  2. WinCollect Agent Patch Installer

Install WinCollect:

The WinCollect agent is a lightweight Windows log collector used by IBM QRadar to collect, parse, and send Windows event logs to the QRadar SIEM. It is commonly deployed on Windows systems to gather security-related events from various sources such as the Windows Event Log, and then forward them to QRadar for analysis and correlation.

First, run the WinCollect Agent EXE on your Windows machine and follow the steps below. Enter a user name of your choice and fill in the organization name.

Select the WinCollect agent type, then enter the log source name and log source identifier.

Fill in the destination name and the host IP (your QRadar IP); the port stays at the default syslog port 514. Click Next twice, then enter the host IP and port once more, and click Next again. Whatever port you choose here must match the port QRadar is listening on for this log source.

On the remaining screens, simply click Next, Install, and Finish.

Set up the WinCollect Agent Patch Installer

Now we set up the WinCollect Agent Patch Installer. The WinCollect Agent Patch Installer is a utility provided by IBM to update or patch existing WinCollect agents.

Run the WinCollect Agent Patch Installer on your Windows machine and follow the steps below:

Fill in your user name and organization with the same values you entered during the WinCollect agent installation.

On the remaining screens, simply click Next, Install, and Finish.
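Before turning to the QRadar console, it helps to confirm on the Windows host itself that the agent is running and can reach the destination entered above. The script below is an added example, not part of the original guide or of IBM's WinCollect; it assumes the agent's Windows service is named WinCollect and that QRadar listens on the port chosen during installation (514 by default), and it must run in an elevated session to read the Security log.

```powershell
# Added verification script (not from the original guide or from IBM).
# Assumptions: the agent service is named "WinCollect" and QRadar listens on
# the destination port entered during the WinCollect installation.
param(
    [Parameter(Mandatory = $true)][string]$QRadarIp,   # the host IP entered in the installer
    [int]$Port = 514                                    # the destination port entered in the installer
)

$ok = $true

# 1. Is the agent service installed and running?
$svc = Get-Service -Name 'WinCollect' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'WinCollect service not found: the agent EXE installation did not complete.'
    $ok = $false
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "WinCollect service is $($svc.Status); starting it."
    Start-Service -Name 'WinCollect'
}

# 2. Can this host reach QRadar on the destination port? A blocked port is the
#    most common reason no events show up in the console after installation.
#    Test-NetConnection checks TCP only: if the destination was configured for
#    UDP syslog, a failed TCP test proves nothing about UDP.
$tcp = Test-NetConnection -ComputerName $QRadarIp -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP $Port to $QRadarIp is not reachable; check firewalls between this host and QRadar."
    $ok = $false
}

# 3. Is there anything to forward? An empty Security log in the last 15 minutes
#    means a quiet console is expected, not a collection failure.
$since  = (Get-Date).AddMinutes(-15)
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } `
          -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $recent) {
    Write-Warning 'No Security events in the last 15 minutes; nothing to forward yet.'
}

if ($ok) {
    'Agent-side checks passed; look for the new log source in the QRadar Log Activity tab.'
} else {
    exit 1
}
```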

Log in to QRadar

  • Access your QRadar web console.
  • In the Log Activity tab, you should see events arriving from the WinCollect log source, confirming that WinCollect is successfully forwarding logs to QRadar.