QWAD WinCollect Assisted Deployment

WinCollect is an IBM QRadar agent that collects events from Windows event logs and forwards them to QRadar over syslog.

In either a stand-alone or a managed deployment, WinCollect is an efficient and convenient way to feed log data to the SIEM, covering not only the native Windows event logs but also most of the major Windows services such as IIS, DHCP, DNS and others.

Many security architects know from experience that integrating third-party agents into a corporate network is not an easy process.

Even once an agent has passed every corporate standard for performance impact, code sustainability and supportability, it still has to be deployed and configured across the infrastructure. That task requires constant coordination with the operating-system administrators, deployment automation tooling, integration with monitoring tools, manual configuration of specific log sources on each and every target system, troubleshooting and upgrade policies, and a lot more.

Now imagine a single tool that covers all of these tasks right from the QRadar user interface.

That is exactly what QRadar WinCollect Assisted Deployment (QWAD) is for. Once it is installed, the application covers the following scenarios:

  • Deploy the WinCollect agent across the whole infrastructure*, using different deployment, authentication and host profiles for maximum flexibility;
  • Automatically configure every log source type supported by WinCollect**, and configure polling of custom logs;
  • Filter out unnecessary events with XPath queries;
  • Deploy and configure Sysmon along with WinCollect;
  • Monitor agent status and download remote agent logs for troubleshooting;
  • Upgrade agents remotely and re-configure them (for example, to pick up newly detected Windows services) without re-installation;
  • Avoid adding log sources to QRadar by hand: every auto-configured log source is auto-detected and appears in QRadar automatically;
  • Plan and organize the security-related infrastructure separately from the operating-system infrastructure.
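
The XPath filtering and Sysmon scenarios above, as an added example that is not code from the QWAD product or from IBM's WinCollect documentation: a Windows Event Log structured query that keeps a small set of Security events plus Sysmon process-create and network-connect events, suppresses the noisiest Security event IDs, and is validated locally with Get-WinEvent before being entered in the log source configuration. Two assumptions are made here: that the XPath Query log source accepts the same <QueryList> syntax as the Windows Event Log itself, and that the event IDs chosen are a reasonable illustrative noise-reduction set; the function name Test-EventLogXPathQuery is this example's own.

```powershell
# Added example, not code from QWAD or WinCollect. Assumptions: the WinCollect
# "XPath Query" log source takes the same <QueryList> syntax as the Windows
# Event Log, and the event IDs below are an illustrative noise-reduction set.

# Query 0: Security log. Keep logon (4624/4625), explicit-credential (4648),
# special-privilege (4672), process-creation (4688) and account-lifecycle
# (4720/4726) events; suppress the high-volume Filtering Platform (5156/5158)
# and object-access (4662) events that usually dominate the channel.
# Query 1: Sysmon operational log. Keep process create (1) and network connect (3).
$xpathQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672 or EventID=4688 or EventID=4720 or EventID=4726)]]</Select>
    <Suppress Path="Security">*[System[(EventID=5156 or EventID=5158 or EventID=4662)]]</Suppress>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*[System[(EventID=1 or EventID=3)]]</Select>
  </Query>
</QueryList>
'@

function Test-EventLogXPathQuery {
    # Runs the query against the local host and returns per-provider/EventID counts,
    # so the filter can be checked for syntax errors and for what it actually lets
    # through before it is pasted into the log source configuration.
    param(
        [Parameter(Mandatory)] [string] $QueryXml,
        [int] $MaxEvents = 500
    )
    try {
        $events = Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents $MaxEvents -ErrorAction Stop
    }
    catch {
        # Covers a malformed query, a missing channel (for example Sysmon not
        # installed), insufficient rights on the Security log, and "no events found".
        Write-Warning "Query did not return events: $($_.Exception.Message)"
        return
    }
    $events |
        Group-Object -Property ProviderName, Id |
        Sort-Object -Property Count -Descending |
        Select-Object @{ Name = 'Provider'; Expression = { $_.Values[0] } },
                      @{ Name = 'EventID';  Expression = { $_.Values[1] } },
                      Count
}

# Run from an elevated session (or as a member of Event Log Readers) so the
# Security channel is readable; the output shows which event IDs dominate.
Test-EventLogXPathQuery -QueryXml $xpathQuery
```

The grouped counts are the practical check: if an event ID the query was meant to keep still dominates the sample, tighten the Select or add it to Suppress before the filter is rolled out to agents, because every event that passes the filter is shipped to QRadar and counted against EPS.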

QWAD can be used without any limitations in licensed mode.

Non-licensed mode is limited to three (3) target Windows hosts only.

*Operating Systems Supported:

  • Microsoft Windows 7
  • Microsoft Windows 10
  • Microsoft Windows 2003 Server
  • Microsoft Windows 2008 Server
  • Microsoft Windows 2008R2 Server
  • Microsoft Windows 2012 Server
  • Microsoft Windows 2012R2 Server
  • Microsoft Windows 2016 Server
  • Microsoft Windows 2019 Server


**Auto-configured Log Source Types:

  • Microsoft Windows Security Log
  • Microsoft Windows Application Log
  • Microsoft Windows System Log
  • Microsoft Directory Service Log
  • Microsoft File Replication Service Log
  • Microsoft Forwarded Event Log
  • Microsoft SQL Log
  • Microsoft IIS Log
  • Microsoft DHCP Logs
  • Microsoft Exchange: Outlook Web Access events (OWA)
  • Microsoft Exchange: Simple Mail Transfer Protocol events (SMTP)
  • Microsoft Exchange: Message Tracking events (MSGTRK)
  • Microsoft DNS Debug Logs
  • XPath Query and Sysmon Logs
  • Custom Plain-Text Logs
  • Custom IIS-Formatted Logs