Monday 29 February 2016

IBM QRADAR WINCOLLECT AGENT INSTALLATION AND CONFIGURATION



Download the WinCollect agent and the WinCollect management console.

Managed Mode
1. Only WinCollect will be installed at the client end
2. The SIEM Server will manage WinCollect agent configuration and updates

Un-Managed Mode
1. WinCollect and the Management Console will be installed at the client end
2. The agent will be stand-alone and all configuration will be done at the client end. WinCollect updates will also be independent of the server

How to install WinCollect agent in Managed and Un-Managed (Standalone) mode

2. Right click on the wincollect-7.2.2-.exe and "run as administrator"


3. Click next


4. Click "I accept the terms in the license agreement" and click next


5. Leave the "User Name:" and "Organization:" field default and click next


6. Select the path to install wincollect. The selected installation path should have enough space for wincollect log caching.


7. In un-managed mode, leave all fields blank and click Next.
In SIEM Server managed mode, fill in the following fields:
Host Identifier: IP or hostname, as you wish.
Authentication Token: take the token from the SIEM Server Admin tab --> User management --> Authorized services
Configuration Console: SIEM Server IP and port (8413)
Syslog Status Server: leave it blank if your SIEM is all-in-one; otherwise enter your syslog server's IP
Click Next


8. In un-managed mode, leave all fields blank and click Next.
In managed mode, fill in the following fields:
If you want a log source to be created automatically in the SIEM Server, select "Enable Automatic Log Source Creation" and enter the following details.
Log Source Name: any descriptive name
Log Source Identifier: the IP/hostname you entered in the previous step's "Host Identifier" field
Select the event logs you want to collect and click Next.


9. In un-managed mode, leave all fields blank and click Next.
In managed mode, also leave them blank and click Next.


10. Click install


11. Click finish



Install Management Console for Un-Managed wincollect agent.

1. Right click the stand alone 


2. Click


3. Click


4. Click


5. Click


6. Click


7. Click


8. Click



How to Configure stand alone wincollect at client end.

1. Go to Start and open "WinCollect Configuration Console"


2. Expand "Destinations", right-click "Syslog UDP", then choose "Add New Destination"


3. Enter the destination name "SIEM" and press "OK"


4. Enter the IP of the SIEM Server in the Hostname field and click "Deploy" in the right pane.


5. Expand the Devices section, right-click "Microsoft Windows Event Logs", then choose "Add New Device"


6. Enter the name of the log source and press OK


7. Enter the IP as "Device Address" and select the "Security", "System" and "Application" options for logs.
Click "Add" to add the destination named "SIEM" that we created in the first section, then click "Deploy Changes" in the right pane.



It will start sending logs to the SIEM Destination.

File Forwarder Stand alone mode

1. In the Devices section, right-click "IBM File Forwarder" and choose "Add New Device"


2. Enter the name of the device and press OK


3. Enter the "Device Address", then the "Root Directory" (path of the log files to collect).
Add the "Destination Required" entry, which is the destination we added previously under the name SIEM, and click "Deploy Changes".


It's complete at the client end; now check it on the SIEM server and add it under the "Log Source" option of the Admin tab if it was not added automatically.

Ports Required to start communication between SIEM Server and Wincollect agent.

TCP: 8413, 443 (Bi-Directional - SIEM Server end, Wincollect end)

UDP: 514 (SIEM Server end)
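
A connectivity pre-check for the ports listed above, run from the Windows host where the agent is installed. This is an added example, not part of the original post or of IBM's tooling; the server address 192.0.2.10 is a placeholder and the function names Test-TcpPort and Send-TestSyslog are hypothetical.

```powershell
# Added example: checks agent -> SIEM reachability only (not the reverse direction).
# 192.0.2.10 is a placeholder; pass your SIEM Server's IP or hostname instead.
param(
    [string]$SiemServer = '192.0.2.10',
    [int[]]$TcpPorts    = @(8413, 443),
    [int]$SyslogPort    = 514
)

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Send-TestSyslog {
    param([string]$Server, [int]$Port)
    # RFC 3164-style line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text
    # PRI 14 = facility user (1) * 8 + severity informational (6)
    $inv   = [cultureinfo]::InvariantCulture
    $now   = Get-Date
    $ts    = '{0} {1,2} {2}' -f $now.ToString('MMM', $inv), $now.Day, $now.ToString('HH:mm:ss', $inv)
    $msg   = "<14>$ts $env:COMPUTERNAME wincollect-check: constructed test message"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($msg)
    $udp   = New-Object System.Net.Sockets.UdpClient
    try     { [void]$udp.Send($bytes, $bytes.Length, $Server, $Port) }
    finally { $udp.Close() }
    return $msg
}

foreach ($port in $TcpPorts) {
    $ok = Test-TcpPort -Server $SiemServer -Port $port
    '{0}:{1}/tcp reachable: {2}' -f $SiemServer, $port, $ok
}

# UDP is connectionless: a successful send says nothing about delivery.
# Confirm on the SIEM server that the test event arrived from this host's IP.
$sent = Send-TestSyslog -Server $SiemServer -Port $SyslogPort
"Sent to ${SiemServer}:$SyslogPort/udp -> $sent"
```

A `False` result for 8413 in managed mode points at a firewall between the agent and the SIEM Server rather than at the WinCollect installation itself.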
