WinCollect Destinations
WinCollect destinations define the parameters for how the WinCollect agent forwards events to the Event Collector or JSA Console.
Adding a Destination
To assign where WinCollect agents in your deployment forward their events, you can create destinations for your WinCollect deployment.
Click the Admin tab.
On the navigation menu, click Data Sources.
Click the WinCollect icon.
Click Destinations and then click Add.
Configure the parameters.
The following table describes some of the parameters.

Table 1: Destination Parameters

| Parameter | Description |
| --- | --- |
| Name | Used on the agent side for log source creation. Note: The destination name is used during automatic log source creation and must exist before the installation runs. Verify the destination name in JSA before starting the installation. |
| Hostname | The host name or IP address of the destination JSA appliance. |
| Port | JSA receives events from WinCollect agents on either UDP or TCP port 514. For TLS protocol, the default port is 6514. |
| Protocol | The communication channel between JSA and WinCollect agents. Select UDP, TCP, or TCP/TLS (Encrypted). |
| Certificate | The TLS certificate of the destination device. Copy the certificate from /opt/qradar/conf/trusted_certificates/syslog-tls.cert on the destination device and paste it in the Certificate field. Note: The Certificate field displays when TCP/TLS (Encrypted) is selected from the Protocol list. |
| Throttle (events per second) | Defines a limit to the number of events that the WinCollect agent can send each second. |
| Schedule Mode | If you select the Forward Events option, the WinCollect agent forwards events within a user-defined schedule. When the events are not being forwarded, they are stored until the schedule runs again. If you select the Store Events option, the WinCollect agent stores events to disk only within a user-defined schedule and then forwards events to the destination as specified. |
Click Save.
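The following is an added example, not part of the JSA documentation, for checking the text pasted into the Certificate field against the file on the destination device before you save. It compares SHA-256 fingerprints of the decoded certificate bytes, so line-ending changes are ignored while a truncated or corrupted paste is reported. The function names and the sample certificate body are constructed for illustration; the sample is not a real certificate.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 of the decoded bytes of every complete certificate block."""
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        # Drop all whitespace so CRLF/LF and line-wrap differences do not matter.
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def check_pasted_certificate(file_text, pasted_text):
    """Compare text pasted into the Certificate field with the appliance file."""
    try:
        on_disk = pem_fingerprints(file_text)
        pasted = pem_fingerprints(pasted_text)
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return "invalid base64 inside a certificate block"
    if not pasted:
        return "no complete BEGIN/END CERTIFICATE block in the pasted text"
    if pasted != on_disk:
        return "pasted certificate differs from the file"
    return "ok"

def constructed_pem(der_bytes):
    """Wrap arbitrary bytes in PEM armor (constructed sample, not a real cert)."""
    body = base64.encodebytes(der_bytes).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed stand-in for the contents of
# /opt/qradar/conf/trusted_certificates/syslog-tls.cert
SAMPLE_FILE = constructed_pem(bytes(range(90)))

if __name__ == "__main__":
    # Same certificate with Windows line endings, then a paste cut off early.
    print(check_pasted_certificate(SAMPLE_FILE, SAMPLE_FILE.replace("\n", "\r\n")))
    print(check_pasted_certificate(SAMPLE_FILE, SAMPLE_FILE[:-30]))
```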
Adding a Secondary Destination
You can add a secondary destination to receive events from your WinCollect agents if the primary destination fails.
Adding a secondary destination is available in JSA 7.4.3 and later.
Use the following procedure to add a JSA host as a secondary destination to an existing primary destination. For more information about adding a secondary destination during the installation process, see Adding a Destination.
To specify a secondary destination, you must select TCP.
Click the Admin tab.
On the navigation menu, click Data Sources.
Click WinCollect > Destinations.
Select a destination and click Edit.
Select the TCP Protocol.
Enter the hostname or IP address of the JSA appliance you want to use as a Secondary Destination.
In the Secondary Failover (seconds) field, enter the number of seconds that the primary destination must be unreachable before the agent begins sending events to the secondary destination.
Click Save.
Deleting a Destination from WinCollect
If you delete a destination, the event forwarding parameters are removed from the WinCollect agent.
Destinations are a global parameter. If you delete a destination when log sources are assigned to the destination, the WinCollect agent cannot forward events. Event collection is stopped for a log source when an existing destination is deleted. Events on disk that were not processed are discarded when the destination is deleted.
Click the Admin tab.
On the navigation menu, click Data Sources.
Click the WinCollect icon.
Click Destinations.
Select the destination that you want to delete and click Delete.
Scheduling Event Forwarding and Event Storage for WinCollect Agent
Use a schedule to manage when WinCollect agents forward or store events to disk in your deployment.
Schedules are not required. If a schedule does not exist, the WinCollect agent automatically forwards events and stores them only when network limitations cause delays.
You can create schedules for your WinCollect deployment to assign when the WinCollect agents in your deployment forward their events. Events that are unable to be sent during the schedule are automatically queued for the next available interval.
Click the Admin tab.
On the navigation menu, click Data Sources.
Click the WinCollect icon.
Click Schedules.
Click Add and then click Next.
Configure the parameters, and select a check box for each day of the week that you want included in the schedule.
Click Next.
To add a destination to the schedule, from the Available Destinations list, select a destination and click the selection symbol, >.
Click Next and then click Finish.