Installation and Configuration for Data Collection

This section describes the steps to:

  • Pre-Install the WinCollect Agent on Windows

  • Pre-Install Syslog on *Nix

  • Install the WinCollect Agent on Windows

  • Configure Syslog on Linux

Pre-Installation of the WinCollect Agent on Windows

Before you install the WinCollect agent on Windows, follow these steps:

  1. From the IBM site, download the version of the WinCollect agent for your system type (32-bit or 64-bit).

  2. Download the Delinea Add-on for QRadar.

  3. Verify the availability of the Delinea DSM for QRadar using this command:

    rpm -qa | grep -i Centrify

  4. Configure the Authorization Token, which authenticates communication between Windows machines and the QRadar Console:

    1. Log in to the QRadar Console using Admin credentials.

    2. Click the Admin tab.

    3. In the User Management section, click Authorized Services.

    4. Enter the name for the token.

    5. Choose Admin as the User Role and Security Profile.

    6. Set the Expiry Date by selecting the No Expiry checkbox.

    7. Click Create Service.

On completion, QRadar creates a token that can be accessed from the QRadar Console.

Pre-Installation of Syslog on *Nix

To prepare for the QRadar installation on a *Nix machine:

  1. Ensure that a syslog daemon (rsyslog or syslog-ng) is installed by running the appropriate command:

    service rsyslog status

    or

    service syslog-ng status

  2. If no syslog daemon is installed, install the required one with the appropriate command:

    yum install rsyslog

    or

    yum install syslog-ng

  3. Download the Delinea Add-on for QRadar.

  4. Check the availability of the Delinea DSM for QRadar:

    rpm -qa | grep -i Centrify

Installing the WinCollect Agent on Windows

To install the WinCollect Agent on Windows:

  1. Right-click the binary and run as administrator.

  2. Enter the User Name (such as Admin) and Organization and click Next.

  3. For the Setup type, choose Managed and click Next.

  4. Add the following Configuration Console Connection parameters:

    • Host Identifier – Hostname in QRadar

    • Authentication Token – Generated using the Authorized Services in QRadar

    • Configuration Console (host and port):

      • Console IP – The address of the host where QRadar is installed

      • QRadar communicates with WinCollect agents on ports 8413 and 514 by default, so make sure that these ports are open in the firewall.

  5. Click Next.

  6. Add the following Log Source Auto-creation Parameters:

    • Select the Create Log Source checkbox.

    • Log Source Name – Provided automatically; appears as the machine name in QRadar

    • Log Source Identifier – IP address of the Windows machine

    • Target Destination – IP address of the QRadar instance

    • Event Logs – Select Application, because Delinea events are audited in the Application log

  7. Click Next in the next two screens:

    1. Heartbeat parameters

    2. Installation Parameters summary

  8. Click Finish to complete the installation of WinCollect.

  9. Navigate to the QRadar Console to deploy the changes.

  10. Click Deploy Changes to add the new log source on QRadar.

Configuring Syslog on Linux

To configure the Syslog Forwarder to forward events to the QRadar Console:

  1. Update the rsyslog.conf file and add the following line (the double @@ selects TCP delivery to the Console; a single @ would send over UDP):

    *.* @@Qradar_Console_IP:514

    This file is available in the /etc folder for RedHat Linux.
    Refer to the OS-specific documentation to find the file location.

  2. If you are using syslog-ng, add the following entries (the destination name used in the log statement must match the destination you define):

    # Forward Delinea (Centrify) events from the local messages file to QRadar
    source s_centrify { file("/var/log/messages"); };
    destination d_centrify { network("QRadarHost" port(1999)); };
    log { source(s_centrify); destination(d_centrify); };

    Replace QRadarHost with the address of the QRadar Console, and use the port on which the QRadar syslog listener accepts events (the rsyslog example above uses 514).

  3. Restart the syslog daemon using one of the following commands:

    service rsyslog restart

    or

    service syslog-ng restart
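Before restarting the daemon in step 3, it is worth checking that the forwarding configuration from steps 1 and 2 really points at a defined destination over the intended transport. The script below is an added example and is not part of the Delinea or IBM documentation; it assumes rsyslog's `*.* @@host:port` selector syntax and syslog-ng's `destination`/`log` block syntax, and runs against constructed sample configs that use 192.0.2.10 as a placeholder Console address.

```shell
#!/bin/sh
# Added example: sanity-check syslog forwarding to QRadar before restarting the daemon.
#  1. rsyslog:   is "*.* @@host:514" present, and is it TCP (@@) rather than UDP (@)?
#  2. syslog-ng: is every destination(...) named in a log {} statement actually defined?
# Sample configs below are constructed; 192.0.2.10 is a placeholder Console address.

# check_rsyslog_forward CONFIG_FILE CONSOLE_HOST -> prints tcp | udp | missing
check_rsyslog_forward() {
    cfg="$1"; host=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    if grep -Eq "^\*\.\*[[:space:]]+@@${host}:514([[:space:]]|\$)" "$cfg"; then
        echo tcp        # @@ = TCP, the form the guide uses; delivery is connection-based
    elif grep -Eq "^\*\.\*[[:space:]]+@${host}:514([[:space:]]|\$)" "$cfg"; then
        echo udp        # single @ = UDP; dropped events leave no trace at the sender
    else
        echo missing    # no catch-all forwarding rule for this Console at all
    fi
}

# check_syslogng_destinations CONFIG_FILE -> prints each destination referenced in a
# log {} block but never defined; returns 0 only when there are none
check_syslogng_destinations() {
    cfg="$1"; rc=0
    for ref in $(grep -o 'destination([^)]*)' "$cfg" | sed 's/^destination(//; s/)$//' | tr -d ' ' | sort -u); do
        grep -Eq "^[[:space:]]*destination[[:space:]]+${ref}[[:space:]]*\{" "$cfg" \
            || { echo "$ref"; rc=1; }
    done
    return $rc
}

# Constructed samples: a correct rsyslog rule, and a syslog-ng config whose log {}
# statement references a destination name (d_centrify) that differs from the one defined (d_tcp).
tmp=$(mktemp -d)
RSYSLOG_SAMPLE="$tmp/rsyslog.conf"; SYSLOGNG_SAMPLE="$tmp/syslog-ng.conf"
cat > "$RSYSLOG_SAMPLE" <<'EOF'
*.* @@192.0.2.10:514
EOF
cat > "$SYSLOGNG_SAMPLE" <<'EOF'
source s_centrify { file("/var/log/messages"); };
destination d_tcp { network("192.0.2.10" port(514)); };
log { source(s_centrify); destination(d_centrify); };
EOF

echo "rsyslog forwarding to 192.0.2.10: $(check_rsyslog_forward "$RSYSLOG_SAMPLE" 192.0.2.10)"   # tcp
echo "undefined syslog-ng destinations: $(check_syslogng_destinations "$SYSLOGNG_SAMPLE")"       # d_centrify
```

Point both functions at the real /etc/rsyslog.conf or syslog-ng.conf and the Console address to check a live host; a non-zero return from check_syslogng_destinations means the daemon would start but never deliver the Delinea events.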