Do you ever feel like you’re playing the role of Goldilocks at work? You know the scenario – you’re trying to solve a problem and every solution feels too hot or too cold, too big or too small. You can’t get administrative privileges to implement it, it requires an agent and you can’t install one, the firewall blocks it, or it’s just too expensive.
Windows event collection for SIEM and log management fits right into this category. Windows is pervasive in IT environments, but collecting Windows events can pose challenges for any product that doesn’t run on Windows.
Fortunately, IBM Security has been addressing this for years, and with the latest release of IBM Security QRadar, we are offering customers more flexibility than ever to use a wide range of collection APIs, agents, third-party tools and QRadar capabilities, seamlessly integrated and centrally controlled.
Because QRadar is deployed by thousands of customers running diverse IT environments, we’re constantly innovating in Windows event collection to provide choices that meet your needs. As part of QRadar 7.1, we are pleased to introduce WinCollect, an additional, versatile and scalable QRadar capability for Windows event collection. WinCollect joins existing collection mechanisms, including Q1 Labs’ own ALE solution, third-party approaches (Snare, Adiscon EventReporter, syslog-ng), and native Windows Server capabilities (WMI and Windows event forwarding). With this release, QRadar offers the broadest range of Windows event collection techniques of any security intelligence product. Most importantly, regardless of which ones you use, the event information looks the same and triggers rules in exactly the same way, for seamless integration and consistent operation.
With more options, QRadar can better meet the needs of different areas of your environment – even if you want to combine collection mechanisms, and even when your requirements change over time.
QRadar now offers the following approaches to meet a variety of customer needs:
- Adaptive Log Exporter (ALE), a no-charge element of the QRadar platform, provides an excellent means to collect Windows events at any level of volume when an agent can be installed on the target system. An agentless deployment is also popular: ALE runs on one Windows instance and collects events from other servers.
- Third-party agents such as Snare, Adiscon EventReporter and syslog-ng provide similar capabilities, and are often used by QRadar customers when those agents have previously been installed.
- Windows Management Instrumentation (WMI) is a Microsoft-created, agentless approach to event collection using Windows’ built-in interface to query event logs. This is often used by customers who have relatively unimpeded access to WMI on their Windows servers. WMI-based event collection can be administered through the QRadar user interface.
- WinCollect provides a new, superior and agentless means for collecting events from large numbers of systems. Installed on a Windows server of the customer’s choice, WinCollect offers two highly scalable approaches:
  - Using the Windows Event Log API, it can pull events from target systems and then forward them to QRadar.
  - Using Windows event forwarding, it allows target systems to push events to it automatically, and it then forwards them to QRadar.
WinCollect administration is fully integrated into the QRadar user interface, enabling centralized and granular control of Windows event collection across a large estate of Windows servers. Even better, it can be used in combination with any of the other event collection mechanisms – for “mix and match” flexibility.
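The two WinCollect approaches above map onto Windows built-ins that a defender can exercise by hand before pointing any collector at a server: a pull through the Windows Event Log API (what Get-WinEvent calls under the hood) and a push via a source-initiated Windows Event Forwarding subscription. The following is an added PowerShell example, not QRadar or WinCollect code; the host names, the subscription name and the temporary file path are assumptions.

```powershell
# Added example, not part of QRadar/WinCollect. Assumed names: COLLECTOR01 runs the
# collector, FS01 is a source server, both domain-joined; run as a domain admin.
$collector = 'COLLECTOR01.corp.example'
$source    = 'FS01.corp.example'

# --- Pull mode: read events remotely through the Windows Event Log API --------
# The querying account must be in the source's "Event Log Readers" group.
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-1) }
$pulled = Get-WinEvent -ComputerName $source -FilterHashtable $filter -MaxEvents 50 -ErrorAction Stop
"Pulled $($pulled.Count) logon events from $source via the Event Log API"

# --- Push mode: Windows Event Forwarding, source-initiated subscription ----------
# Runs on the collector: enable the Windows Event Collector service, then load a
# subscription that accepts logon events from any domain computer (SDDL grants
# Domain Computers) into the ForwardedEvents log.
wecutil qc /q
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/08/commands/Subscription">
  <SubscriptionId>SIEM-Security-Logons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
  </Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'siem-logons.xml'   # assumed scratch location
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8
wecutil cs $xmlPath

# On each source (normally pushed by GPO): enable WinRM, let NETWORK SERVICE read
# the Security log, and register the collector as SubscriptionManager.
$smUrl = "Server=http://${collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"
Invoke-Command -ComputerName $source -ScriptBlock {
    winrm quickconfig -q | Out-Null
    Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' -ErrorAction SilentlyContinue
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name '1' -Value $using:smUrl
    gpupdate /force | Out-Null
}
# Back on the collector: runtime status lists each source and its last heartbeat.
wecutil gr SIEM-Security-Logons
```

A source that never appears in the runtime status usually means WinRM is blocked between source and collector or the SubscriptionManager policy did not apply, which is the same reachability a product-based push collector depends on.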
We understand that Windows servers are a key component of our clients’ infrastructures, and we’re designing QRadar to be the most flexible solution in the marketplace. When it comes to enterprise technology, it’s rare for one size to fit all, for the porridge to be just right, and for the bed to be comfy too.