ibm / wincollect Goto Github PK

License: Apache License 2.0

PowerShell 100.00%

wincollect's Introduction

This repository contains samples of scripts and tools that administrators can use to assist with Windows event collection. All Powershell samples and scripts are for reference or educational use. These samples are provided on an "as is" basis and are without warranties of any kind.

We encourage administrators to examine these scripts before running them or test these tools in a lab environment before making use of them in the production network.

Any issues discovered using the samples should not be directed to QRadar support, but be reported on the Github issue tracker.

WinCollect 10

Agent Install Templates

These installation templates can be used as part of the WinCollect 10 command line install to configure any of the sources during installation. This will allow you to configure say Windows Event logs as well as IIS as part of the Agent installation.

Install Powershell Scripts

Agent Installation and Update Powershell scripts

WinCollect 7

WinCollect Agent Reinstall

The ReInstallWinCollect.ps1 PowerShell utility is intended to assist administrators with upgrades to Wincollect V7.3.0 on Windows hosts. The attached utility automates the install process to copy existing installation values and reinstall agents using the WinCollect V7.3.0 EXE for administrators who have large deployments of WinCollect agents.

Get Event Log Reports

This Powershell script allows administrators to create EPS reports for local or remote Windows systems by polling the data from the Windows Event Viewer. The script advises the administrator on the best method of event collection, based on the returned EPS rate.

wincollect's People

Contributors

Stargazers

Watchers

wincollect's Issues

Error on eventlog

Greetings,

I am attempting to run your script on to generate the said result.

OS: Windows 2012 R2
PS Version : 4

Error:
Microsoft Windows Server 2012 R2 Standard

Unable to scan localhost event logs

There is not an event log on the localhost computer that matches "WEC-Domain-Controllers-NTLM"

Caught on line number: 43

This event file does exist. We added 4 channels to the event as this is a WEC server. Does this script go through all event files found or just the main/top 3? I am running as admin and admins have full access to that event file.

Thank you.

Agent Install Templates/Microsoft_Windows_Event_Log/update_StandardEventLogs_Sysmon.xml Syntax error

update_StandardEventLogs_Sysmon.xml Has a syntax error causing it to fail to be used during install

Line 20

This line opens the Source Channel for security but never closes it. Without this close it the agent ignores the whole file. We tested and changing this line to read as follows works and allows agent to install and pass data properly.

	<Source Channel="Security" Enabled="true" />

Timing issue for Rolling logs

For really busy servers OldestEventTime & NewestEventTime call to WMI may be executed between log-roll.
If so the Event rate based on time cannot be trusted.

Unable to run report tool

When running the script I am getting the following messages after I provide Domain Credentials in the script.

PS C:\Windows\system32>>> C:\Utilities\EventLogReport\GetEventLogReport.ps1

Security Warning
Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your
computer. Do you want to run C:\Utilities\EventLogReport\GetEventLogReport.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R
Starting Script

Select Computer List...

Selected: Domain ( Computer(s) Found)

Unable to Create Log Report

A parameter cannot be found that matches parameter name 'Message'.

Caught on line number: 294

The first and last event time estimate may not be accurate for Forwarded Events

This issue is for an edge case that only applies to windows event collection servers recieveing forwarded events. Due to how windows forwarding batches events with lag, e.g. the "Minimize Bandwidth" delivery can take up to 6 hours to deliver events, the very first or last event queried in a forwarded event log is not a reliable measure of the latest or oldest events overall.

https://github.com/ibm-security-intelligence/wincollect/blob/b9dddc7958e91a9a3674f2d3610f4c07e123daec/EventLogReport/GetEventLogReport.ps1#L49

A better approach is to sample the oldest and newest events. I.e. look for the oldest and newest timestamp in a sample of the first 10000 and last 10000 events to avoid latent batches with old events arriving at the Max Delivery Time. While not perfect, it's a better approximation.

Prevent Wincollect 10 Console installation

Is there a way to prevent the console part to install? I tried to find the config for this but could not :(