
WinCollect Destinations

WinCollect destinations define the parameters for how the WinCollect agent forwards events to the Event Collector or JSA Console.

Adding a Destination

To assign where WinCollect agents in your deployment forward their events, you can create destinations for your WinCollect deployment.

  1. Click the Admin tab.

  2. On the navigation menu, click Data Sources.

  3. Click the WinCollect icon.

  4. Click Destinations and then click Add.

  5. Configure the parameters.

    The following table describes some of the parameters.

    Table 1: Destination Parameters

    | Parameter | Description |
    | --- | --- |
    | Name | Used on the agent side for log source creation. Note: The destination name is used during automatic log source creation and must exist before the installation runs. Verify the destination name in JSA before starting the installation. |
    | Hostname | The host name or IP address of the destination JSA appliance. |
    | Port | JSA receives events from WinCollect agents on either UDP or TCP port 514. For TLS protocol, the default port is 6514. |
    | Protocol | The communication channel between JSA and WinCollect agents. Select UDP, TCP, or TCP/TLS (Encrypted). |
    | Certificate | The TLS certificate of the destination device. Copy the certificate from /opt/qradar/conf/trusted_certificates/syslog-tls.cert on the destination device and paste it into the Certificate field. Note: The Certificate field displays when TCP/TLS (Encrypted) is selected from the Protocol list. |
    | Throttle (events per second) | Defines a limit to the number of events that the WinCollect agent can send each second. |
    | Schedule Mode | If you select the Forward Events option, the WinCollect agent forwards events within a user-defined schedule. When the events are not being forwarded, they are stored until the schedule runs again. If you select the Store Events option, the WinCollect agent stores events to disk only within a user-defined schedule and then forwards events to the destination as specified. |

  6. Click Save.
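For a TCP/TLS (Encrypted) destination, one way to confirm that the text pasted into the Certificate field is the certificate the destination actually presents on its TLS port is to compare SHA-256 fingerprints. The following Python sketch is an added example, not part of the product or its documentation. The function names and the saved-certificate file argument are hypothetical, and it assumes the destination is reachable on the default TLS port 6514 from the machine that runs the check.

```python
import base64
import hashlib
import socket
import ssl
import sys

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 of the DER bytes of the first PEM certificate in pem_text."""
    start = pem_text.find(BEGIN)
    stop = pem_text.find(END, start + len(BEGIN)) if start != -1 else -1
    if stop == -1:
        raise ValueError("no complete PEM certificate block found")
    # Drop indentation, blank lines and CRLF that copy and paste can add.
    body = "".join(pem_text[start + len(BEGIN):stop].split())
    # validate=True rejects a truncated or corrupted paste (raises ValueError).
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()


def served_fingerprint(host: str, port: int = 6514, timeout: float = 5.0) -> str:
    """SHA-256 of the certificate the destination presents on its TLS port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # fetch only; trust comes from the comparison
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def certificate_matches(pasted_pem: str, host: str, port: int = 6514) -> bool:
    """True when the pasted certificate is the one the destination serves."""
    return pem_fingerprint(pasted_pem) == served_fingerprint(host, port)


if __name__ == "__main__":
    # Usage: python check_dest_cert.py <destination-host> <saved-certificate-file>
    host, cert_file = sys.argv[1], sys.argv[2]
    with open(cert_file, encoding="ascii") as fh:
        pasted = fh.read()
    print("pasted :", pem_fingerprint(pasted))
    print("served :", served_fingerprint(host))
    sys.exit(0 if certificate_matches(pasted, host) else 1)
```

A mismatch means the Certificate field holds a different certificate than the one the destination serves, so compare the two fingerprints before saving the destination.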

Adding a Secondary Destination

You can add a secondary destination to receive events from your WinCollect agents if the primary destination fails.

Note:

Adding a secondary destination is available in JSA 7.4.3 and later.

Use the following procedure to add a JSA host as a secondary destination to an existing primary destination. For more information about adding a secondary destination during the installation process, see Adding a Destination.

Note:

To specify a secondary destination, you must select TCP.

  1. Click the Admin tab.

  2. On the navigation menu, click Data Sources.

  3. Click WinCollect > Destinations.

  4. Select a destination and click Edit.

  5. Select the TCP Protocol.

  6. Enter the hostname or IP address of the JSA appliance you want to use as a Secondary Destination.

  7. In the Secondary Failover (seconds) field, enter the number of seconds that the primary destination must be unreachable before the agent begins sending events to the secondary destination.

  8. Click Save.

Deleting a Destination from WinCollect

If you delete a destination, the event forwarding parameters are removed from the WinCollect agent.

Destinations are a global parameter. If you delete a destination when log sources are assigned to the destination, the WinCollect agent cannot forward events. Event collection is stopped for a log source when an existing destination is deleted. Events on disk that were not processed are discarded when the destination is deleted.

  1. Click the Admin tab.

  2. On the navigation menu, click Data Sources.

  3. Click the WinCollect icon.

  4. Click Destinations.

  5. Select the destination that you want to delete and click Delete.

Scheduling Event Forwarding and Event Storage for WinCollect Agent

Use a schedule to manage when WinCollect agents forward or store events to disk in your deployment.

Schedules are not required. If a schedule does not exist, the WinCollect agent automatically forwards events and stores them only when network limitations cause delays.

You can create schedules for your WinCollect deployment to assign when the WinCollect agents in your deployment forward their events. Events that are unable to be sent during the schedule are automatically queued for the next available interval.

  1. Click the Admin tab.

  2. On the navigation menu, click Data Sources.

  3. Click the WinCollect icon.

  4. Click Schedules.

  5. Click Add and then click Next.

  6. Configure the parameters, and select a check box for each day of the week that you want included in the schedule.

  7. Click Next.

  8. To add a destination to the schedule, from the Available Destinations list, select a destination and click the selection symbol, >.

  9. Click Next and then click Finish.