Installation and Configuration for Data Collection

This section describes the steps to:

  • Pre-Install the WinCollect Agent on Windows

  • Pre-Install Syslog on *Nix

  • Install the WinCollect Agent on Windows

  • Configure Syslog on Linux

Pre-Installation of the WinCollect Agent on Windows

Before you install the WinCollect agent for QRadar on Windows, follow these steps:

  1. From the IBM site, download the version of the WinCollect agent for your system type (32-bit or 64-bit).

  2. Download the Centrify Add-on for QRadar.

  3. Verify that the Centrify DSM for QRadar is installed (run on the QRadar Console):

    rpm -qa | grep -i Centrify

  4. Configure the Authorization Token, which authenticates communication between Windows machines and the QRadar Console:

    1. Log in to the QRadar Console using Admin credentials.

    2. Click the Admin tab.

    3. In the User Management section, click Authorized Services.

    4. Enter the name for the token.

    5. Choose Admin as the User Role and Security Profile.

    6. Set the Expiry Date by selecting the No Expiry checkbox.

    7. Click Create Service.

On completion, QRadar creates a token that can be accessed from the QRadar Console.

Pre-Installation of Syslog on *Nix

To prepare for the QRadar installation on a *Nix machine:

  1. Ensure that a syslog daemon (syslog/rsyslog/syslog-ng) is installed by using the appropriate command (either one below) to verify it:

    service rsyslog status
    or
    service syslog-ng status

  2. If the syslog daemon is not installed, use the appropriate command (either one below) to install the required syslog daemon:

    yum install rsyslog
    or
    yum install syslog-ng

  3. Download the Centrify Add-on for QRadar.

  4. Verify that the Centrify DSM for QRadar is installed (run on the QRadar Console):

    rpm -qa | grep -i Centrify

Installing the WinCollect Agent on Windows

To install the WinCollect Agent on Windows:

  1. Right-click the binary and run it as administrator.

  2. Enter the User Name (such as Admin) and Organization and click Next.

  3. For the Setup type, choose Managed and click Next.

  4. Add the following Configuration Console Connection parameters:

  • Host Identifier – Hostname in QRadar

  • Authentication Token – Generated using the authorized services in QRadar

  • Configuration Console (host and port):

    • Console IP is the location where QRadar is installed

    • QRadar communicates with WinCollect agents on ports 8413 and 514 by default, so make sure that these ports are open in the firewall

  5. Click Next.

  6. Add the following Log Source Auto-creation Parameters:

  • Select the Create Log Source checkbox

  • Log Source Name – Provided automatically, and appears as the machine name in QRadar

  • Log Source Identifier – IP address of the Windows member machine

  • Target Destination – IP address of the QRadar instance

  • Event Logs – Check Application, as Centrify events are audited in the Application log

  7. Click Next in the next two screens:

    1. Heartbeat parameters

    2. Installation Parameters summary

  8. Click Finish to complete the installation of WinCollect.

  9. Navigate to the QRadar Console to deploy the changes.

  10. Click Deploy Changes to add the new log source on QRadar.

Configuring Syslog on Linux

To configure the Syslog Forwarder to forward events to the QRadar Console:

  1. Update the rsyslog.conf file and add the following line (the double "@@" forwards over TCP; a single "@" would use UDP):

    *.* @@Qradar_Console_IP:514

    This file is available in the /etc folder for RedHat Linux.
    Refer to the OS-specific documentation to find the file location.

  2. If you are using syslog-ng, add the following entry (the destination name must match the one referenced in the log statement):

    # Forward Centrify events (written to /var/log/messages) to QRadar
    source s_centrify {
        file("/var/log/messages");
    };

    # Port as given in this guide; QRadar's default syslog listener is TCP 514 (see the rsyslog line above)
    destination d_centrify { network("QRadarHost" port(1999)); };

    log { source(s_centrify); destination(d_centrify); };

  3. Restart the syslog daemon using one of the following commands:

    service rsyslog restart
    or
    service syslog-ng restart
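As an added example (not part of the original Centrify/QRadar guide): POSIX shell helpers that generate the rsyslog forwarding line from the step above, append it to an rsyslog.conf only when it is not already present, and detect which syslog daemon is installed so the right restart command is chosen. The config path and QRadar console address are passed as arguments; the values in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes rsyslog-style config syntax
# and QRadar's default TCP syslog port 514, as described in the section above.

# Build the rsyslog rule forwarding all facilities/priorities to the console.
# "@@" selects TCP (a single "@" would be UDP); 514 is QRadar's default port.
rsyslog_forward_line() {
    printf '*.* @@%s:514\n' "$1"
}

# Return 0 if CONF already forwards everything to QRADAR over TCP 514, else 1.
# Dots in the address are escaped so "10.0.0.5" does not also match "10x0y0z5".
forward_configured() {
    conf="$1"
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -qE "^\*\.\*[[:space:]]+@@${esc}:514([[:space:]]|$)" "$conf"
}

# Append the rule only when missing, so re-running this never duplicates it.
# Example: ensure_forwarding /etc/rsyslog.conf 10.0.0.5   (constructed values)
ensure_forwarding() {
    conf="$1"
    qradar="$2"
    if forward_configured "$conf" "$qradar"; then
        return 0
    fi
    rsyslog_forward_line "$qradar" >> "$conf"
}

# Print the installed daemon name (rsyslog or syslog-ng); fail if neither is found.
syslog_daemon() {
    if command -v rsyslogd >/dev/null 2>&1; then
        echo rsyslog
    elif command -v syslog-ng >/dev/null 2>&1; then
        echo syslog-ng
    else
        return 1
    fi
}
```

After `ensure_forwarding`, restart the daemon reported by `syslog_daemon` with the matching `service ... restart` command from step 3.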