WinCollect Overview
The WinCollect application is a Syslog event forwarder that administrators can use for Windows event collection with JSA. The WinCollect application can collect events from systems with WinCollect software installed (local systems), or remotely poll other Windows systems for events.
WinCollect is one of many solutions for Windows event collection. For more information about alternatives to WinCollect, see the Juniper Secure Analytics Configuring DSMs Guide.
How Does WinCollect Work?
WinCollect uses the Windows Event Log API to gather events, and then WinCollect sends the events to JSA.
WinCollect Managed Deployment
A managed WinCollect deployment has a JSA appliance that shares information with the WinCollect agent installed on the Windows hosts that you want to monitor. The Windows host can gather information from itself (the local host) and/or from remote Windows hosts. Remote hosts don't have the WinCollect software installed. The Windows host with WinCollect software installed polls the remote hosts, and then sends event information to JSA.

In a managed deployment, the WinCollect agents that are installed on Windows hosts can be managed by either a JSA console or a JSA Managed Host.
WinCollect works best when a managed deployment monitors up to 500 Windows agents. If you want to monitor more than 500 Windows hosts, the recommended practice is to use the stand-alone WinCollect deployment. For more information, see Stand-alone Deployments and WinCollect Configuration Console.
The managed WinCollect deployment has the following capabilities:
Central management from the JSA Console or managed host.
Automatic local log source creation at the time of installation.
Event storage to ensure that no events are dropped.
Collects forwarded events from Microsoft Subscriptions.
Filters events by using XPath queries or exclusion filters.
Supports virtual machine installations.
The console can send software updates to remote WinCollect agents without you having to reinstall the agents in your network.
Forwards events on a set schedule (Store and Forward).
WinCollect Stand-alone Deployment
If you need to collect Windows events from more than 500 hosts, use the stand-alone WinCollect deployment. A stand-alone deployment is a Windows host in unmanaged mode with WinCollect software installed. The Windows host can gather information from itself (the local host) and/or from remote Windows hosts. Remote hosts don't have the WinCollect software installed. The Windows host with WinCollect software installed polls the remote hosts, and then sends event information to JSA. To save time when you configure more than 500 Windows hosts, you can use a solution such as Juniper Networks Endpoint Manager. Automation can help you manage stand-alone instances.

You can also deploy stand-alone WinCollect to consolidate event data on one Windows host, where WinCollect collects events to send to JSA.
Stand-alone WinCollect mode has the following capabilities:
You can configure each WinCollect agent by using the WinCollect Configuration Console.
You can update WinCollect software with the software update installer.
Event storage to ensure that no events are dropped.
Collects forwarded events from Microsoft Subscriptions.
Filters events by using XPath queries or exclusion filters.
Supports virtual machine installations.
Supports TLS Syslog.
Automatically creates a local log source at the time of agent installation.
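Both the managed and the stand-alone capability lists above mention filtering events with XPath queries. The following added example (not part of the WinCollect documentation or product) shows how to test an XPath filter locally with the standard Get-WinEvent cmdlet, which evaluates the same Windows Event Log query syntax, so you can check what a filter matches and how much volume it would forward before applying it to a WinCollect log source. The event IDs 4624 (successful logon) and 4625 (failed logon) are standard Security log IDs; the log name, the one-hour window and the function name Test-EventXPath are assumptions for this example.

```powershell
# Added example: evaluate an XPath event filter against a local log and
# summarise the matching events by ID. Not WinCollect code; it uses only
# the built-in Get-WinEvent cmdlet. Reading the Security log requires an
# elevated (Administrator) PowerShell session.
function Test-EventXPath {
    param(
        [Parameter(Mandatory)] [string] $LogName,   # e.g. 'Security' (assumed)
        [Parameter(Mandatory)] [string] $XPath
    )
    # -ErrorAction SilentlyContinue suppresses the non-terminating
    # "No events were found" error when the filter matches nothing.
    $events = Get-WinEvent -LogName $LogName -FilterXPath $XPath -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Output "No events in '$LogName' match this filter (check the window and IDs)."
        return
    }
    # Group by event ID so the forwarding volume per ID is visible.
    $events | Group-Object -Property Id |
        Select-Object @{Name = 'EventID'; Expression = { $_.Name }}, Count |
        Sort-Object -Property Count -Descending
}

# Inclusion filter: logon successes and failures from the last hour.
# timediff(@SystemTime) is in milliseconds; 3600000 ms = 1 hour (assumed window).
$logonFilter = @"
*[System[(EventID=4624 or EventID=4625)
         and TimeCreated[timediff(@SystemTime) <= 3600000]]]
"@

# Narrower filter: successful logons, excluding LogonType 5 (service
# logons), which are typically high-volume and rarely useful in a SIEM.
$noServiceLogons = @"
*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 3600000]]
  and EventData[Data[@Name='LogonType']!='5']]
"@

Test-EventXPath -LogName 'Security' -XPath $logonFilter
Test-EventXPath -LogName 'Security' -XPath $noServiceLogons
```

Comparing the two result sets shows how much volume an exclusion removes; a filter that returns nothing locally is worth re-checking before it is deployed to an agent, since WinCollect will silently forward no events for it.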
Setting Up a Managed WinCollect Deployment
For a managed deployment, follow these steps:
Understand the prerequisites for managed WinCollect: which ports to use, what hardware is required, and how to upgrade. For more information, see Installation Prerequisites for WinCollect.
Install the WinCollect application on the JSA console that is used to monitor your Windows hosts. For more information, see Installing and Upgrading the WinCollect Application on JSA Appliances.
Create an authentication token so that the Windows hosts can send information to JSA. For more information, see Creating an Authentication Token for WinCollect Agents.
Install the WinCollect agent on the Windows hosts. For more information, see one of the following options:
If you want to add bulk log sources by using domain controllers in your deployment, see Bulk Log Sources for Remote Event Collection.
If you want to configure forwarded events, or event subscriptions, see Windows Event Subscriptions for WinCollect Agents. To provide events to a single WinCollect agent, you can use Windows event subscriptions to forward events. With event subscriptions configured, numerous Windows hosts can forward their events to IBM Security QRadar without administrator credentials.
If you want to tune your WinCollect installation, see the event tuning profile section in Windows Log Source Parameters.
If you want to set up multiple JSA destinations in case one fails, see Adding Multiple Destinations to WinCollect Agents.
Setting Up a Stand-alone WinCollect Deployment
For a stand-alone deployment, follow these steps:
Install the WinCollect software on the Windows host or hosts that send Windows events to JSA. For more information, see Installing the WinCollect Agent on a Windows Host.
Install the WinCollect configuration console and/or the WinCollect software update. For more information, see Installing the Configuration Console or Silently Installing, Upgrading, and Uninstalling WinCollect Software.
Configure the destination, or the JSA appliance where the Windows hosts send Windows events. For more information, see Creating an Authentication Token for WinCollect Agents.
If you collect events from remote hosts, create credentials so that WinCollect can log in to the remote hosts. See Creating a WinCollect Credential.
Set up the devices that send Windows events to WinCollect. For more information, see Adding a Device to the WinCollect Configuration Console.