Friday, 24 April 2015

IBM QRADAR WINCOLLECT AGENT INSTALLATION AND CONFIGURATION

WinCollect Agent Installation, Configuration and Troubleshooting

NOTE: Always install the WinCollect agent with Administrator privileges.
Whenever the agent has to be restarted, stop the service and then start it again rather than using a single restart action.
Always stop the service before uninstalling the WinCollect agent.
Always delete the previous WinCollect agent folder from the hard drive before re-installing.

WinCollect Installation Steps:
1. Run the installer with Administrator privileges (right-click the installer and choose "Run as administrator").

2. Click Next.

3. Accept the license agreement and click Next.

4. Leave the user name and organization as they are and click Next.

5. Select the installation path. If the C: drive has enough free space, leave the default path; otherwise change it to a drive that does.
Note: WinCollect can cache up to 600 MB of logs (per its default setting) under the installation path, so the chosen drive must have at least that much free space.

6. Enter the Host Identifier (IP address or hostname), then the Authentication Token, then the IP address of the SIEM server or log collector in "Configuration Console (host and port):". Leave the "Syslog Status Server ..." section blank and click Next.
Note: The Authentication Token is obtained from the SIEM server web console under the "Admin" tab, "User Management" section, "Authorized Services".

7. Tick "Enable Automatic Log Source Creation", enter the log source name that will appear in the SIEM, and set the log source identifier to the same IP address or hostname that was used as the Host Identifier in the previous step.

8. Click Next without changing anything.

9. Click Install.

10. Click Finish.
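As an added example (not code from the original post or from IBM), the PowerShell script below automates the NOTE checklist and the free-space check from step 5, with a post-install phase that stops and then starts the service and confirms it is running. It assumes the agent's Windows service is named WinCollect, the default install folder is C:\Program Files\IBM\WinCollect, and the agent appears in Programs and Features under a name beginning with "WinCollect"; none of these are stated on this page, so verify them on your host before relying on the script.

```powershell
<#
  Added example (not part of the original post or of IBM's installer): runs the
  NOTE checklist above as a pre-install / post-install script for WinCollect.
  Assumptions, not stated on the page:
    - the agent's Windows service is named "WinCollect"
    - the default install folder is "C:\Program Files\IBM\WinCollect"
    - the agent is listed in Programs and Features with a name starting "WinCollect"
  Usage from an elevated prompt:
    .\WinCollect-Prep.ps1 -Phase Pre                 # first install
    .\WinCollect-Prep.ps1 -Phase Pre -Reinstall      # remove old agent and folder first
    .\WinCollect-Prep.ps1 -Phase Post                # after clicking Finish
#>
[CmdletBinding()]
param(
    [ValidateSet('Pre', 'Post')] [string]$Phase = 'Pre',
    [string]$ServiceName = 'WinCollect',
    [string]$InstallDir  = 'C:\Program Files\IBM\WinCollect',
    [int]$CacheMB        = 600,   # cache ceiling quoted in the post
    [switch]$Reinstall            # Pre phase only: uninstall and wipe the old folder
)

$ErrorActionPreference = 'Stop'

# The agent must be installed (and its service managed) with admin rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

function Stop-AgentService([string]$Name) {
    # Stop the service, then wait for the state change instead of assuming it.
    $s = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Stopped') {
        Write-Host "Stopping service $Name ..."
        Stop-Service -Name $Name -Force
        $s.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
}

if ($Phase -eq 'Post') {
    # After the installer finishes: stop, then start (not a single restart),
    # and confirm the service really reaches the Running state.
    Stop-AgentService $ServiceName
    Start-Service -Name $ServiceName
    (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Write-Host "$ServiceName is $((Get-Service -Name $ServiceName).Status)"
    return
}

# ---- Pre phase ----
# Always stop the service before uninstalling or re-installing.
Stop-AgentService $ServiceName

if ($Reinstall) {
    # Locate the registered uninstall entry (64-bit and 32-bit registry views).
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'WinCollect*' } |
             Select-Object -First 1
    if ($entry -and $entry.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
        # Key name is an MSI product code: silent uninstall through msiexec.
        Write-Host "Uninstalling $($entry.DisplayName) ..."
        $p = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
                 -ArgumentList "/x $($entry.PSChildName) /qn /norestart"
        if ($p.ExitCode -ne 0) { throw "msiexec exited with code $($p.ExitCode)" }
    } elseif ($entry) {
        throw "Not an MSI entry; uninstall manually first: $($entry.UninstallString)"
    }
    # Always delete the previous agent folder before re-installing.
    if (Test-Path -LiteralPath $InstallDir) {
        Write-Host "Removing old folder $InstallDir ..."
        Remove-Item -LiteralPath $InstallDir -Recurse -Force
    }
}

# The install drive must hold the log cache (600 MB by default) with headroom;
# if it cannot, choose a different installation path in step 5.
$driveName = (Split-Path -Qualifier $InstallDir).TrimEnd(':')
$freeMB    = [math]::Floor((Get-PSDrive -Name $driveName).Free / 1MB)
$needMB    = 2 * $CacheMB
if ($freeMB -lt $needMB) {
    throw "Only $freeMB MB free on ${driveName}: but $needMB MB wanted; change the install path."
}
Write-Host "Pre-install checks passed ($freeMB MB free on ${driveName}:)."
```

The script deliberately refuses to run the uninstaller if the registered entry is not an MSI product code, because an arbitrary UninstallString may open an interactive wizard; in that case uninstall from Programs and Features and re-run with -Reinstall to clear the folder.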

WinCollect DSM Configuration Steps

To collect multiple log types from one server, for example the OS event logs plus a .txt or .log file written by an application on that server, configure one DSM per log type:
1. Add a DSM to collect the OS event logs and select the "Security", "System" and "Application" logs, or whichever logs are required.
2. Add a second DSM to collect the .txt or .log file logs from the same server.

1 comment:

  1. Hi Arfan,

    I followed your steps, and it worked perfectly. Later on, when we upgraded the server to 2008 and installed WinCollect, the logs won't show up.