Configuring a remote source

You can configure sources to remotely collect Windows events in the WinCollect 10 Console.

Ensure that the user account that you are using has permissions to connect to the remote devices that are configured in Step 10.
  1. From the WinCollect 10 Console, click the menu icon, and select Source Wizard.
  2. Select Remote for the Select Source Group Type.
  3. For Select Source Group, click Create New.
    Tip:

    You can also add the new device to an existing group.

  4. Type Domain Workstations as the name of the group, and add a description.
  5. On the Select Source Type window, leave the default setting, Windows Event Subscription, selected.
  6. In the Configure Source Parameters section, select the channels that you want to collect events from.
    Tip:

    You can also create an XPath Query that specifies a custom set of channels and event IDs.

  7. Select the Application, System, and Security event channels, then click Credentials.
  8. Click Create New.
    Tip:

    If you previously added a credential, select it in the Select Credentials window. By default, after you install a new agent, no credentials are configured.

  9. In the Credentials window, enter the credential details and click Step 6: Device.
  10. In the Create Device window, enter the following details for the device that you want to collect events from:
    Option          Description
    Device Address  Specify the FQDN or the IP address of the remote device.
    Name            If you don't specify a name, the FQDN or IP address from the Device Address is used as the name.
    Description     (Optional) Type a description to identify the device.
    Credentials     (Optional) Specify the credentials that you created in the previous step.
  11. In the Configure Destination window, specify where you want these events to go.
    Tip:

    If you installed the agent using the Quick Installation, you might already have a destination named JSA. If you want your new remote source to send events to the same location, you can select this destination.

    1. To add another JSA appliance, select Create New.
    2. Type QRadarEP as the Name.
    3. Add a Description.
    4. Specify the hostname or the IP address of the JSA appliance as the Device Address.
      Tip:

      If you are using the hostname of the EP, ensure that your agent can resolve the hostname. The default port number is 514. The default Maximum events per second is 20,000.

  12. Click Finish.
    The WinCollect 10 dashboard displays a notification that you have pending changes.
  13. Deploy the changes.
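
The following pre-flight check is an added example and is not part of the WinCollect product or its documentation. It builds a query in the standard Windows event query (QueryList) format for the three channels from step 7, as the XPath Query tip in step 6 describes, and tries to read each channel from the remote device with the account from step 9. The device name, the Level filters, and the Security event IDs are constructed sample values, and whether the XPath Query field accepts the combined XML as written is an assumption.

```powershell
# Added example: checks that an account can read the selected channels remotely.
param(
    [string]$Device = 'workstation01.example.test',   # placeholder for the Device Address (step 10)
    [pscredential]$Credential = (Get-Credential)      # account entered in the Credentials window (step 9)
)

# Channel -> XPath filter. Channels are the ones selected in step 7.
# Level 1-3 = Critical, Error, Warning; event IDs are illustrative choices.
$filters = [ordered]@{
    Application = '*[System[(Level=1 or Level=2 or Level=3)]]'
    System      = '*[System[(Level=1 or Level=2 or Level=3)]]'
    Security    = '*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]'
}

# Build a QueryList document from a channel/filter map.
function New-QueryList([System.Collections.IDictionary]$Map) {
    $id = 0
    $queries = foreach ($channel in $Map.Keys) {
        '  <Query Id="{0}" Path="{1}"><Select Path="{1}">{2}</Select></Query>' -f $id, $channel, $Map[$channel]
        $id++
    }
    "<QueryList>`n$($queries -join "`n")`n</QueryList>"
}

# Test each channel separately so a permission failure is tied to one channel.
foreach ($channel in $filters.Keys) {
    $single = New-QueryList ([ordered]@{ $channel = $filters[$channel] })
    try {
        $events = @(Get-WinEvent -ComputerName $Device -Credential $Credential `
                -FilterXml ([xml]$single) -MaxEvents 1 -ErrorAction Stop)
        '{0}: OK, newest match at {1}' -f $channel, $events[0].TimeCreated
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # The channel was readable; the filter matched nothing.
            '{0}: readable, no matching events' -f $channel
        }
        else {
            # Access denied, name resolution, or firewall problems end up here.
            '{0}: FAILED - {1}' -f $channel, $_.Exception.Message
        }
    }
}

# Combined query covering all three channels.
New-QueryList $filters
```

A FAILED line for one channel only, typically Security, points to missing read permission on that channel for the account rather than a connectivity problem. A successful read here does not prove that the agent's own connection will succeed.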