QRadar Eventlog integration options assessment

Integration options compared (table columns):
- QRadar to WMI
- Wincollect to WMI
- Subscriptions
- Agent-to-syslog

Drawbacks assessed for each option (table rows):
- SW install needed
- AD credentials
- Double log jump
- Intensive CPU usage
- Management connection to the console needed
- Doesn't support WS 2003
Drawbacks Explained
SW Install Needed: The agent software must be installed on every host that is to be monitored.
AD Credentials: A domain account with permission to read the Security log is required. Grant it only that right (for example through Event Log Readers membership) rather than administrative privileges, since the credential is stored on the collector and used against every polled host.
Double log jump: Events do not go straight from the host to the SIEM; the Wincollect machine is an intermediate hop that must itself stay available and be secured.
Intensive CPU Usage: Host performance can be affected by the work of reading and sending the log.
Management connection to the console needed: The host probe must be able to reach the QRadar console (TCP port 8413) in order to be configured.
No eventlog buffer in disconnection: If the connection to the collector is lost, any events that rotate out of the Windows event log in the meantime are lost for good.
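The following PowerShell script is an added pre-flight check for three of the drawbacks above (it is not part of the original slides and not IBM or QRadar code): it reproduces the collector's WMI read of the Security log with the collection account, tests the management connection to the console on TCP 8413, and estimates how long the local Security log can absorb a collector outage before events rotate out. The hostnames and the account name are assumptions for illustration; run it elevated on the Windows host being onboarded.

```powershell
# Added example, not from the slides or from IBM. Hostnames and account below are assumed.
$TargetHost  = 'win-fileserver-01.corp.example'   # assumed host whose Security log is polled remotely
$Console     = 'qradar-console.corp.example'      # assumed QRadar console
$ConsolePort = 8413                               # WinCollect management port named on the slides
$Account     = 'CORP\svc-eventlog-read'           # assumed collection account (should NOT be an admin)

# --- 1. AD credentials: can the collection account read the Security log over WMI? ---
# Uses DCOM + Win32_NTLogEvent, the same path a WMI poller takes, so one call validates
# DCOM reachability, WMI namespace rights and the Security log ACL together.
$cred = Get-Credential -UserName $Account -Message 'Password of the event log collection account'
try {
    $session = New-CimSession -ComputerName $TargetHost -Credential $cred `
                              -SessionOption (New-CimSessionOption -Protocol Dcom) -ErrorAction Stop
    $first = Get-CimInstance -CimSession $session -ClassName Win32_NTLogEvent `
                             -Filter "Logfile='Security'" -ErrorAction Stop | Select-Object -First 1
    Remove-CimSession $session
    if ($first) { Write-Host "[OK]   $Account read Security record $($first.RecordNumber) from $TargetHost via WMI" }
    else        { Write-Warning "WMI to $TargetHost works but the Security log returned no events" }
}
catch {
    Write-Warning "[FAIL] WMI read of the Security log on $TargetHost as $Account failed: $($_.Exception.Message)"
    Write-Warning '       Check TCP 135 + dynamic RPC ports, Remote Enable on root\cimv2, and the Security log ACL (Event Log Readers covers the ACL part).'
}

# --- 2. Management connection to the console: the agent must reach the console on 8413 ---
$tnc = Test-NetConnection -ComputerName $Console -Port $ConsolePort -WarningAction SilentlyContinue
if ($tnc.TcpTestSucceeded) { Write-Host "[OK]   $Console reachable on TCP $ConsolePort (an agent here can fetch its configuration)" }
else { Write-Warning "[FAIL] TCP $ConsolePort to $Console is blocked: a WinCollect agent on this host could not be configured" }

# --- 3. No event log buffer in disconnection: how long can the collector be down? ---
# Windows keeps only what fits in Security.evtx; in Circular mode, once it wraps, unsent events are gone.
$log    = Get-WinEvent -ListLog Security
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
if (-not $newest -or -not $oldest) { Write-Warning 'Security log is empty, cannot estimate buffer'; return }
$span   = $newest.TimeCreated - $oldest.TimeCreated
$file   = Get-Item ([Environment]::ExpandEnvironmentVariables($log.LogFilePath))
$fill   = $file.Length / $log.MaximumSizeInBytes
$rate   = if ($span.TotalSeconds -gt 0) { $log.RecordCount / $span.TotalSeconds } else { 0 }
# If the file is not full yet, extrapolate the time span currently covered to a full log.
$bufferHours = if ($fill -ge 0.95) { $span.TotalHours } elseif ($fill -gt 0) { $span.TotalHours / $fill } else { 0 }

Write-Host ("Security log: {0} records, {1:N1} MB of {2:N1} MB, mode {3}, ~{4:N1} events/s" -f `
            $log.RecordCount, ($file.Length / 1MB), ($log.MaximumSizeInBytes / 1MB), $log.LogMode, $rate)
Write-Host ("Estimated time before the oldest events rotate out: ~{0:N1} hours" -f $bufferHours)
switch ($log.LogMode) {
    'Circular' { if ($bufferHours -lt 24) { Write-Warning 'Less than a day of buffer: raise the log size (e.g. wevtutil sl Security /ms:1073741824) or use an agent that spools locally' } }
    'Retain'   { Write-Warning 'LogMode Retain: the log stops recording when full instead of rotating, a different outage' }
    default    { Write-Host "LogMode $($log.LogMode): full logs are archived to disk, watch free space rather than rotation" }
}
```

The WMI probe in step 1 is deliberately run with the low-privilege collection account rather than your own admin session, since a success with admin rights proves nothing about the account the collector will actually use. The buffer estimate in step 3 assumes the recent event rate is representative; audit policy changes or a logon storm will shorten it.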
Wincollect VS Snare Free Edition
- Wincollect can send syslog over TCP
- Wincollect can be easily remotely managed through QRadar
Ignasi FTW - 2014