@infamousjoeg
Created June 6, 2024 12:45
Setup WinCollect agent for QRadar SIEM to consume APPAudit.log for CP, CCP & ASCP

To forward the CyberArk Credential Provider's APPAudit.log, a flat text file on the provider host, to QRadar, you install the WinCollect agent on that host and define a log source that reads the file and ships every newly appended line to QRadar. Here is a step-by-step guide:

1. Install WinCollect on the Server

WinCollect is a Windows-based agent provided by IBM for QRadar to collect logs. Here are the steps to install and configure it:

  • Download and Install WinCollect: Download the WinCollect agent installer from IBM Fix Central and run it as an administrator on the provider server.
  • Configure the WinCollect Agent: For a managed agent the installer asks for the QRadar console hostname or IP address and an authorized service token. Create the token in QRadar first under Admin > Authorized Services with the WinCollect user role. The agent then registers with the console over TCP 8413 and receives its log source configuration from QRadar. A stand-alone agent skips the token and is configured locally instead (next step).

2. Configure WinCollect to Monitor the Log File

  • Open the WinCollect Configuration Console on the server (stand-alone agent). A managed agent receives its log sources from the QRadar Console and has nothing to edit locally; for it, do this step in QRadar as part of step 3.
  • Add a new log source that reads a file, not the Windows Event Log:
    • Log Source Name: Give a descriptive name, for example CyberArk CP APPAudit.
    • Log Source Identifier: This should be unique for each log source; the provider host's FQDN or IP address is the usual choice.
    • Protocol: Choose WinCollect File Forwarder, not MS Windows Event Log or MS Windows Event Log - Local. The Event Log protocols read only the Windows event channels and will never see a flat file.
  • Point the File Forwarder at APPAudit.log:
    • Root Directory: C:\Program Files\CyberArk\ApplicationPasswordProvider\Logs (adjust if the provider was installed elsewhere).
    • File Pattern: a regular expression matching the file name, here APPAudit\.log.
    • File Reader Type: one of the Text options, so that each audit line becomes one event.
    • Confirm that the account the WinCollect service runs as (LocalSystem by default) has read access to the Logs directory; a permission error here is the most common reason for an empty log source.

3. Configure the Log Source on QRadar

  • Add Log Source: Go to the Admin tab in QRadar and click on Log Sources under Data Sources (Log Source Management on newer releases).
  • Create New Log Source:
    • Log Source Type: WinCollect is a protocol, not a log source type. Choose the DSM that should parse the lines. There is no dedicated DSM for APPAudit.log on this page, so use Universal DSM and add custom event properties for the fields you need.
    • Protocol Configuration: WinCollect File Forwarder. Syslog is only the right choice if you forward with a script (see the optional script below) instead of the agent.
    • Log Source Identifier: Enter the identifier you configured in WinCollect. It must match exactly, otherwise QRadar autodiscovers a second log source for the same host.
    • WinCollect Agent: select the provider server's agent from the list of registered agents.
    • Log Source Parameters: Root Directory and File Pattern as in step 2; for a managed agent they are entered here and pushed to the agent.
    • Target Destination: the QRadar host (Console or Event Collector) that should receive the events.
  • Advanced Options: Configure any additional options needed for your environment.

4. Start WinCollect and Verify Data Collection

  • Start the WinCollect service on the server (service name WinCollect) if the installer did not start it, and confirm under Admin > WinCollect in QRadar that the agent shows as running and has recently checked in.
  • Verify that the data is being sent to QRadar:
    • Trigger a credential retrieval against the provider so that a fresh line is written to APPAudit.log.
    • Go to the Log Activity tab in QRadar.
    • Filter on your new log source. With Universal DSM the events arrive as generic, unparsed events until you define custom properties, but they must arrive. If nothing appears, check the agent's own log on the server for path or permission errors before touching the QRadar side.
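Before opening a ticket with either vendor, a quick pre-flight check on the provider host catches the usual causes of an empty log source: agent not running, file not being written, service account unable to read it, console unreachable. The script below is an added example written for this page, not part of the original gist or of IBM's or CyberArk's tooling. It assumes the service is named WinCollect, that the agent writes its own log to C:\Program Files\IBM\WinCollect\logs\WinCollect.log, that the console is reached on TCP 8413, and the APPAudit.log path used above; the ACL check is a heuristic that only looks at direct ACEs.

```powershell
# Added example (not from the original gist): pre-flight checks for the WinCollect
# file-forwarder setup. Assumptions: service name "WinCollect", agent log at
# C:\Program Files\IBM\WinCollect\logs\WinCollect.log, console reachable on TCP 8413.
param(
    [string]$QRadarHost = "QRADAR_SERVER_IP",
    [string]$LogFile    = "C:\Program Files\CyberArk\ApplicationPasswordProvider\Logs\APPAudit.log"
)

$results = [ordered]@{}

# 1. Is the agent service installed and running?
$svc = Get-Service -Name WinCollect -ErrorAction SilentlyContinue
$results["WinCollect service running"] = ($null -ne $svc -and $svc.Status -eq 'Running')

# 2. Does the file exist, and has the provider written to it recently?
#    A stale file forwards nothing no matter how the log source is configured.
$results["APPAudit.log exists"] = Test-Path -LiteralPath $LogFile
if ($results["APPAudit.log exists"]) {
    $age = (Get-Date) - (Get-Item -LiteralPath $LogFile).LastWriteTime
    $results["APPAudit.log written in last 24h"] = ($age.TotalHours -lt 24)
}

# 3. Can the service account read the file? WinCollect runs as LocalSystem by
#    default. Heuristic: look for a direct Allow ACE with ReadData for that
#    principal; access granted through group membership is not resolved here.
if ($results["APPAudit.log exists"]) {
    $svcAccount = (Get-CimInstance Win32_Service -Filter "Name='WinCollect'").StartName
    if (-not $svcAccount) { $svcAccount = 'LocalSystem' }
    $principal = if ($svcAccount -eq 'LocalSystem') { 'NT AUTHORITY\SYSTEM' } else { $svcAccount }
    $acl = Get-Acl -LiteralPath $LogFile
    $canRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $principal -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    $results["$principal has direct read ACE on APPAudit.log"] = [bool]$canRead
}

# 4. Outbound reachability to the console on the agent configuration port.
#    Test-NetConnection only tests TCP, so UDP 514 for events is not verified
#    here; confirm event delivery on the QRadar side under Log Activity.
$tcp = Test-NetConnection -ComputerName $QRadarHost -Port 8413 -WarningAction SilentlyContinue
$results["TCP 8413 to $QRadarHost reachable"] = $tcp.TcpTestSucceeded

# 5. Count recent errors in the agent's own log to spot path/permission problems.
$agentLog = 'C:\Program Files\IBM\WinCollect\logs\WinCollect.log'
if (Test-Path -LiteralPath $agentLog) {
    $results["ERROR lines in last 200 lines of agent log"] =
        @(Get-Content -LiteralPath $agentLog -Tail 200 | Select-String -Pattern 'ERROR').Count
}

# Print one line per check; every boolean should read True and the error count 0.
$results.GetEnumerator() | ForEach-Object { "{0,-55} {1}" -f $_.Key, $_.Value }
```

Run it in an elevated PowerShell on the provider server after step 3. If the ACL check is the only failure, grant the WinCollect service account Read and Execute on the Logs directory rather than running the agent as an administrator.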

Example Script for Automating Log Forwarding (Optional)

If you prefer scripting the log forwarding, you can use a PowerShell script that tails the file and sends each new line to QRadar as syslog. Note the trade-off: the script below uses UDP syslog, which is unencrypted, unauthenticated and unacknowledged, so the audit trail of credential retrievals crosses the network in clear text and dropped datagrams are lost silently. That is acceptable for a lab; in production use the WinCollect agent, or at least TCP or TLS syslog.

$logFile = "C:\Program Files\CyberArk\ApplicationPasswordProvider\Logs\APPAudit.log"
$qradarIp = "QRADAR_SERVER_IP"
$qradarPort = 514
$hostName = $env:COMPUTERNAME

# One socket for the whole run instead of a new UdpClient per line
$udpClient = New-Object System.Net.Sockets.UdpClient
$udpClient.Connect($qradarIp, $qradarPort)

try {
    # -Tail 0 -Wait: skip the existing content, then block and emit each newly appended line
    Get-Content -Path $logFile -Tail 0 -Wait | ForEach-Object {
        $logEntry = $_
        # RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
        # PRI 134 = facility local0 (16 * 8) + severity informational (6); "-" marks an empty field
        $syslogMessage = "<134>1 $(Get-Date -Format o) $hostName - - - - $logEntry"
        $encodedMessage = [System.Text.Encoding]::UTF8.GetBytes($syslogMessage)
        [void]$udpClient.Send($encodedMessage, $encodedMessage.Length)
    }
} finally {
    $udpClient.Close()
}

Replace QRADAR_SERVER_IP with your QRadar server's IP address. Save this script as SendLogsToQRadar.ps1 and run it on the server under an account that can read APPAudit.log; to keep it running across logoffs and reboots, register it as a scheduled task that starts at boot.

This will continuously send new log entries from the APPAudit.log file to QRadar over UDP syslog. On the QRadar side, either let autodiscovery create a log source for the host or add one in advance with Protocol Configuration Syslog, Log Source Identifier equal to the hostname in the syslog header, and Universal DSM as the log source type. The script follows the file it opened, so if APPAudit.log is rotated it may stop seeing new lines; restart it after rotation.
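The same tail-and-send loop, hardened. The script below is an added example written for this page, not part of the original gist or of any CyberArk or IBM tooling. It assumes QRadar has a TLS Syslog log source listening on TCP 6514, that the QRadar server certificate chains to a CA this host trusts, and the APPAudit.log path used above; the APP-NAME CyberArkCP and MSGID APPAudit in the header are arbitrary choices. It keeps one TLS connection open for the whole run, frames each line as an RFC 5424 message (newline-delimited by default, RFC 5425 octet-counting with -OctetCounting), and reconnects and resends when the receiver drops the connection.

```powershell
# Added example for this page (not from the original gist or from CyberArk/IBM):
# tail APPAudit.log and forward each new line to QRadar over TLS syslog.
# Assumptions: a QRadar "TLS Syslog" log source on TCP 6514, a server certificate
# this host already trusts, an append-only file (rotation is not handled), and
# arbitrary APP-NAME/MSGID values "CyberArkCP"/"APPAudit" in the syslog header.
param(
    [string]$LogFile    = "C:\Program Files\CyberArk\ApplicationPasswordProvider\Logs\APPAudit.log",
    [string]$QRadarHost = "QRADAR_SERVER_IP",
    [int]$QRadarPort    = 6514,
    [switch]$OctetCounting   # RFC 5425 "<len> <msg>" framing; default is newline-delimited
)

$hostName = [System.Net.Dns]::GetHostName()

function Format-SyslogMessage([string]$line) {
    # PRI 134 = facility local0 (16 * 8) + severity informational (6).
    # RFC 5424 header: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA, then MSG.
    $ts  = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
    $msg = "<134>1 $ts $hostName CyberArkCP - APPAudit - $line"
    if ($OctetCounting) {
        return "$([System.Text.Encoding]::UTF8.GetByteCount($msg)) $msg"
    }
    return "$msg`n"
}

function Connect-Syslog {
    # Default SslStream validation is kept: the server certificate must chain to a
    # trusted CA and match $QRadarHost. Do not add a callback that always returns $true.
    $client = New-Object System.Net.Sockets.TcpClient($QRadarHost, $QRadarPort)
    $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($QRadarHost)
    return @{ Client = $client; Stream = $ssl }
}

$script:conn = Connect-Syslog
try {
    # -Tail 0 -Wait: ignore existing content, then block and emit each appended line.
    Get-Content -LiteralPath $LogFile -Tail 0 -Wait -Encoding UTF8 | ForEach-Object {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes((Format-SyslogMessage $_))
        $sent  = $false
        while (-not $sent) {
            try {
                $script:conn.Stream.Write($bytes, 0, $bytes.Length)
                $script:conn.Stream.Flush()
                $sent = $true
            } catch {
                # Receiver closed the connection or the network dropped: back off, reconnect,
                # and resend the same line. Unread lines simply stay in the file meanwhile.
                Write-Warning "send failed ($($_.Exception.Message)); reconnecting in 5s"
                Start-Sleep -Seconds 5
                try { $script:conn.Stream.Dispose(); $script:conn.Client.Dispose() } catch {}
                try { $script:conn = Connect-Syslog } catch { Write-Warning "reconnect failed: $($_.Exception.Message)" }
            }
        }
    }
} finally {
    $script:conn.Stream.Dispose()
    $script:conn.Client.Dispose()
}
```

Save it as SendLogsToQRadarTls.ps1 and run it the same way as the UDP script. On the QRadar side the log source uses Protocol Configuration TLS Syslog with the Log Source Identifier equal to this host's name. The script never disables certificate validation: if the handshake fails because QRadar presents a self-signed certificate, import that certificate into the host's Trusted Root store instead of adding a validation callback that returns $true.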

Summary

  1. Install and configure WinCollect on the server.
  2. Configure WinCollect to monitor the specific log file.
  3. Add a corresponding log source in QRadar.
  4. Verify log data collection in QRadar.

With this setup, every new line written to APPAudit.log on the provider host is forwarded to QRadar and handed to the DSM you chose for parsing.
