The WinCollect 10 statistics file
Every agent has a statistics file that you can use to see the events that the agent processed over a period of time. The statistics file is stored in the `/logs` directory where the agent is installed.
```text
From 20210915.130000 to 20210915.140000
Destination//QRadar: 3.5/162,6,4,3,6,31,4,3,3,3,26,3,3,3,6,30,3,4,3,3,32,3,4,4,7,2.4/116,3,3,3,3,25,4,3,3,6,31,4,3,3,3,23,3,3,3,10,48,9,10,4,12,31,12,3,3,6,19,12,3,3,4
Source//Local//Application: 0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Source//Local//DNS Debug: 162,,,,,6,,,,,2,,,,,4,,,,,6,,,,,116,,,,,2,,,,,8,,,,,2,,,,,28,,,,,12,,,,,4,,,,
Source//Local//Security: 27,5,4,3,6,24,3,3,3,3,24,3,3,3,6,26,3,4,3,3,26,3,4,3,6,21,3,3,3,3,23,4,3,3,6,23,4,3,3,3,21,3,3,3,10,20,9,6,4,12,15,12,3,3,6,15,12,3,3,4
Source//Local//XPath Sysmon Powershell: 3,1,,,,1,,,,,,,,,,,,,,,,,,,1,2,,,,,,,,,,,,,,,,,,,,,,2,,,4,,,,,,,,,
StatusServer//10.10.218.221: 0,,,,1,,,,,1,,,,,1,,,,,1,,,1,,1,,,1,,1,,,,1,1,,,,,1,,,,1,1,1,,,,1,,,,,1,,,,,1
UserData//EvtsOnDisk: 0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
```
Value | Description |
---|---|
`From 20210915.130000 to 20210915.140000` | The statistics file is updated every minute, and a new section is created every hour. In this example, the data is from September 15, 2021, from 1 PM to 2 PM. |
`Destination//QRadar: 3.5/162,6,4,3,6,31,4,3,3,3,26,3,3,3,6,30,3,4,3,3,32,3,4,4,7,2.4/116,3,3,3,3,25,4,3,3,6,31,4,3,3,3,23,3,3,3,10,48,9,10,4,12,31,12,3,3,6,19,12,3,3,4` | This line contains an entry for each destination that you send logs to. In this example, there is one destination, named JSA. Events per Minute (EPM) are logged each minute, so this comma-separated line contains 60 entries, with the oldest on the left and the most recent on the far right. Numbers in the X/Y format represent the average and highest EPS seen for that minute. |
`Source//Local//Application: 0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,` | A source named Application, in the Local group. This source collects events from the local Application event channel. |
`Source//Local//DNS Debug: 162,,,,,6,,,,,2,,,,,4,,,,,6,,,,,116,,,,,2,,,,,8,,,,,2,,,,,28,,,,,12,,,,,4,,,,` | A source named DNS Debug, in the Local group. This source collects DNS Debug logs on the local machine. |
`Source//Local//Security: 27,5,4,3,6,24,3,3,3,3,24,3,3,3,6,26,3,4,3,3,26,3,4,3,6,21,3,3,3,3,23,4,3,3,6,23,4,3,3,3,21,3,3,3,10,20,9,6,4,12,15,12,3,3,6,15,12,3,3,4` | A source named Security, in the Local group. This source collects events from the local Security event channel. As expected, this is the busiest source: the Security channel typically generates the most traffic of the standard event logs. |
`Source//Local//XPath Sysmon Powershell: 3,1,,,,1,,,,,,,,,,,,,,,,,,,1,2,,,,,,,,,,,,,,,,,,,,,,2,,,4,,,,,,,,,` | A source named XPath Sysmon Powershell, in the Local group. This source collects events from the Sysmon and PowerShell Applications and Services event logs. |
`StatusServer//10.10.218.221: 0,,,,1,,,,,1,,,,,1,,,,,1,,,1,,1,,,1,,1,,,,1,1,,,,,1,,,,1,1,1,,,,1,,,,,1,,,,,1` | The destination that status messages are sent to. Status messages include heartbeat messages, service stop and start messages, and agent error messages. Typically, this destination has a very low EPS count (about one message every 5 minutes). |
`UserData//EvtsOnDisk: 0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,` | Shows whether events are being stored on disk. For example, if the agent cannot communicate with JSA, it stores events to disk until the connection is restored. |
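The layout described in this table is easy to parse, and doing so lets you turn the statistics file into agent-health signals instead of reading it by eye: a source that normally produces events but has gone quiet, a status server that has not been heard from in a long time, or a non-zero `UserData//EvtsOnDisk` entry that means events are piling up locally because the destination is unreachable. The following parser is an added example and is not WinCollect's or JSA's own code. It assumes that each `Name: v,v,...` entry sits on its own line, that fields run one per minute with the oldest on the left, and that a blank field means nothing was recorded for that minute; the 15-minute silence threshold and the second, degraded section are constructed for the example.

```python
"""Parse one hourly section of a WinCollect 10 statistics file and derive
agent-health signals from it.

Added example, not WinCollect's or JSA's own code. Assumptions: every
"Name: v,v,..." entry sits on its own line, fields run one per minute with
the oldest on the left, and a blank field means nothing was recorded for
that minute. SILENCE_THRESHOLD is a value chosen for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HEADER_RE = re.compile(r"^From (\d{8}\.\d{6}) to (\d{8}\.\d{6})$")
SILENCE_THRESHOLD = 15  # minutes a channel may be quiet before it is flagged

# Sample input: the section shown on this page, one entry per line.
PAGE_SECTION = """\
From 20210915.130000 to 20210915.140000
Destination//QRadar: 3.5/162,6,4,3,6,31,4,3,3,3,26,3,3,3,6,30,3,4,3,3,32,3,4,4,7,2.4/116,3,3,3,3,25,4,3,3,6,31,4,3,3,3,23,3,3,3,10,48,9,10,4,12,31,12,3,3,6,19,12,3,3,4
Source//Local//Application: 0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Source//Local//DNS Debug: 162,,,,,6,,,,,2,,,,,4,,,,,6,,,,,116,,,,,2,,,,,8,,,,,2,,,,,28,,,,,12,,,,,4,,,,
Source//Local//Security: 27,5,4,3,6,24,3,3,3,3,24,3,3,3,6,26,3,4,3,3,26,3,4,3,6,21,3,3,3,3,23,4,3,3,6,23,4,3,3,3,21,3,3,3,10,20,9,6,4,12,15,12,3,3,6,15,12,3,3,4
Source//Local//XPath Sysmon Powershell: 3,1,,,,1,,,,,,,,,,,,,,,,,,,1,2,,,,,,,,,,,,,,,,,,,,,,2,,,4,,,,,,,,,
StatusServer//10.10.218.221: 0,,,,1,,,,,1,,,,,1,,,,,1,,,1,,1,,,1,,1,,,,1,1,,,,,1,,,,1,1,1,,,,1,,,,,1,,,,,1
UserData//EvtsOnDisk: 0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
"""


def _row(name: str, values: List[str], total: int = 60) -> str:
    """Build a constructed statistics line, padding with blank minutes to 60 fields."""
    return f"{name}: " + ",".join(list(values) + [""] * (total - len(values)))


# Constructed second section: the agent loses its destination 12 minutes in.
DEGRADED_SECTION = "\n".join([
    "From 20210915.140000 to 20210915.150000",
    _row("Source//Local//Security", ["25", "4", "3", "6", "22", "3", "3", "3", "3", "21", "3", "3"]),
    _row("StatusServer//10.10.218.221", ["1", "", "", "", "", "1", "", "", "", "", "1"]),
    _row("UserData//EvtsOnDisk", [""] * 58 + ["214", "631"]),
])


@dataclass
class Sample:
    """One minute of one series. For a plain field, count is the events in that
    minute. For an X/Y field (destinations only) count is X, the average EPS,
    and peak_eps is Y, the highest EPS. Both are None for a blank field."""
    count: Optional[float]
    peak_eps: Optional[float] = None


def parse_field(raw: str) -> Sample:
    raw = raw.strip()
    if not raw:
        return Sample(None)
    if "/" in raw:
        avg, peak = raw.split("/", 1)
        return Sample(float(avg), float(peak))
    return Sample(float(raw))


def parse_section(text: str) -> dict:
    """Return {'from': str, 'to': str, 'series': {name: [Sample, ...]}}."""
    section: dict = {"from": None, "to": None, "series": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            section["from"], section["to"] = header.groups()
            continue
        name, sep, values = line.partition(":")
        if not sep:
            raise ValueError(f"unrecognised statistics line: {line!r}")
        section["series"][name.strip()] = [parse_field(f) for f in values.split(",")]
    return section


def total_events(samples: List[Sample]) -> float:
    """Sum of plain per-minute counts; X/Y fields are EPS rates and are skipped."""
    return sum(s.count for s in samples if s.count is not None and s.peak_eps is None)


def trailing_silence(samples: List[Sample]) -> int:
    """Most-recent consecutive minutes (right-hand side) with no events delivered."""
    n = 0
    for s in reversed(samples):
        if s.count:  # None (blank) and 0 both mean nothing was delivered
            break
        n += 1
    return n


def longest_status_gap(samples: List[Sample]) -> int:
    """Largest gap, in minutes, between status-server messages, including the
    time since the most recent one; the page expects roughly one every 5 minutes."""
    beats = [i for i, s in enumerate(samples) if s.count]
    if not beats:
        return len(samples)
    gaps = [b - a for a, b in zip(beats, beats[1:])]
    gaps.append(len(samples) - 1 - beats[-1])
    return max(gaps)


def spooling_to_disk(section: dict) -> bool:
    """True when UserData//EvtsOnDisk shows events buffered locally, which the
    page explains happens when the agent cannot reach JSA."""
    return any(s.count for s in section["series"].get("UserData//EvtsOnDisk", []))


def health_report(section: dict) -> Dict[str, object]:
    """Summarise one section into the signals an operator would alert on."""
    sources = {n: v for n, v in section["series"].items() if n.startswith("Source//")}
    status = [v for n, v in section["series"].items() if n.startswith("StatusServer//")]
    return {
        "window": (section["from"], section["to"]),
        "events_per_source": {n: total_events(v) for n, v in sources.items()},
        "silent_sources": [n for n, v in sources.items() if trailing_silence(v) >= SILENCE_THRESHOLD],
        "status_gap_minutes": max((longest_status_gap(v) for v in status), default=0),
        "spooling_to_disk": spooling_to_disk(section),
    }


if __name__ == "__main__":
    for text in (PAGE_SECTION, DEGRADED_SECTION):
        print(health_report(parse_section(text)))
```

On the page's own section the report flags only the Application channel as silent, which is expected for a quiet channel and is why a per-source baseline matters before alerting on silence; on the constructed degraded section it flags the Security channel, a 49-minute status gap, and events spooling to disk together, which is the pattern of an agent that has lost its destination rather than a host that has simply gone quiet.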