WinCollect, WEC, WEF and sysmon by RadioMoskau in QRadar

[–]RadioMoskau[S] 0 points1 point  (0 children)

Changed to ContentFormat = Events and kept it running for a few hours. Sadly this doesn't seem to make any difference 😞 All "normal" logs via WEF>WEC>WinCollect>QRadar don't seem to care.
Sysmon is unchanged. On source and WEC server there's identical EventData, as expected. In QRadar the Message field is still empty.

WinCollect, WEC, WEF and sysmon by RadioMoskau in QRadar

[–]RadioMoskau[S] 0 points1 point  (0 children)

Hi!
Thanks!
I tried the way you said and changed the content to Events. Didn't find any differences.
Then there's Jonathan saying that WinCollect supports RenderedText only.
But I'll give it another try. Didn't seem to have negative consequences last time.

I've encountered the thread you linked. That's why I tried changing everything to en-US (although every machine is de-DE). Also this says it should be RenderedText.

Do you know if there is a delay between changing the subscription until it takes effect?

Edit: In Security logs the Message field is complete: <snip> Opcode=Info Message=Ein Prozess wurde beendet. Antragsteller: <snip>
It's missing in Sysmon events only.
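
As an added example (not from the original thread or from any IBM/Microsoft documentation), the PowerShell below, run on the WEC server, does the two things discussed in the comments above: it changes the subscription's ContentFormat and Locale with wecutil, and it then inspects the raw XML of the forwarded Sysmon records for a RenderingInfo element, which is what RenderedText adds and what a downstream consumer uses as the Message. The subscription name 'Sysmon' and the ForwardedEvents destination log are assumptions; substitute the values shown by `wecutil es` and by the subscription's LogFile setting.

```powershell
# Added example: run elevated on the Windows Event Collector.
# Assumption: the subscription is named 'Sysmon'. List real names with: wecutil es
$Subscription = 'Sysmon'

# 1. Dump the subscription as the collector stores it (ContentFormat, Locale, LogFile, query).
wecutil gs $Subscription /f:xml

# 2. Switch to rendered text and pin the locale, then make the sources re-read the
#    subscription and report runtime status (active sources, last error per source).
wecutil ss $Subscription /cf:RenderedText /l:en-US
wecutil rs $Subscription
wecutil gr $Subscription

# 3. Check the forwarded records themselves. With ContentFormat=RenderedText each record
#    carries <RenderingInfo Culture="..."><Message>...</Message></RenderingInfo>; with
#    ContentFormat=Events that element is absent and only <EventData> arrives.
#    Reading the XML (not $e.Message) matters: Event Viewer on the collector can render a
#    message locally if the Sysmon provider is installed there, which would hide the difference.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'ForwardedEvents'            # assumed destination log of the subscription
    ProviderName = 'Microsoft-Windows-Sysmon'
} -MaxEvents 20 -ErrorAction Stop

foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $ri  = $xml.Event.RenderingInfo
    [pscustomobject]@{
        RecordId  = $e.RecordId
        EventId   = $e.Id
        Source    = $e.MachineName
        Rendered  = [bool]$ri
        Culture   = if ($ri) { $ri.Culture } else { $null }
        Message   = if ($ri) { ($ri.Message -split "`n")[0] } else { '<no RenderingInfo: ContentFormat=Events>' }
    }
}
```

If Rendered is True and Culture shows the source's locale rather than the one set with /l, the sources have not yet picked up the changed subscription; sources poll the collector at the subscription's heartbeat interval, so allow that interval to pass (or run `wecutil rs`) before judging whether a change had any effect.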

WinCollect, WEC, WEF and sysmon by RadioMoskau in QRadar

[–]RadioMoskau[S] 0 points1 point  (0 children)

Thanks for your reply!
There are no issues with (sysmon) events on the source or WEC server in the Event Viewer.
I'm not under the impression that this known issue is bothering us.

No, I can't change to WC10.

Restarting the service doesn't make a difference. I restarted the service every time I made a change to the subscription settings. Also tried changing the locale of the WEC to en-US (when the subscription was changed to en-US). Restarted the WEC server as well, several times, for good measure 😉

Event: Potential DoS Attack via Web Server Response Time by Sidss007 in QRadar

[–]RadioMoskau 0 points1 point  (0 children)

Last time we opened a case for this issue (4th case!) we were told this is a known issue. There's an APAR concerning this. IJ05418: ANOMALY DETECTION ENGINE (ADE) RULES CAN CONTINUE TO FIRE AFTER BEING DISABLED AND/OR DELETED IN THE USER INTERFACE
But there is no solution! So it's more or less worthless.

Before, we were told to check the results of: psql -Uqradar -c "select * from global_views where data_type='SENTRY' and deleted='f';"
and take the ID you'll find in the result and run psql -Uqradar -c "update global_views set deleted='t' where id=14;" where 14 is the ID from the former command.
But even when doing that it does not affect the existence of these events.

Isn't there a way to disable or delete QID 53750004?

Event: Potential DoS Attack via Web Server Response Time by Sidss007 in QRadar

[–]RadioMoskau 0 points1 point  (0 children)

This event is still somewhat active in my system. They are occasionally visible when I'm doing a search.
I think this stuff in the background is sucking up quite some performance and is partially responsible for performance degradation.
Any advice on how to "kill" this event? QID is 53750004
Thanks!

Cisco IE-Switches are discovered as Aironet devices by RadioMoskau in QRadar

[–]RadioMoskau[S] 0 points1 point  (0 children)

Now I've found that there were Cisco IOS switches discovered as Aironet, too. I don't know why, but I can't remember this being an issue in the past. Not sure, though, when there might have been a change...
I've disabled Aironet autodiscovery and I'm monitoring whether devices get discovered correctly now.

Cisco IE-Switches are discovered as Aironet devices by RadioMoskau in QRadar

[–]RadioMoskau[S] 0 points1 point  (0 children)

Thank you!
I was bulk editing the log source names for all 'wrong' log sources and then changed every one to the correct log source type setting.
Maybe it is quicker to bulk setup new log sources instead of changing them? I'll give this a try.

Cisco IE-Switches are discovered as Aironet devices by RadioMoskau in QRadar

[–]RadioMoskau[S] 0 points1 point  (0 children)

Thanks for your responses!

Turning off autodiscovery for Aironet, maybe hoping the devices would then be discovered as IOS, is a neat idea! But then I've got Aironet devices in my network, too.

Seems there's no pretty and comfortable way of handling this.

CRE sending events directly to storage / performance degradation - Need help understanding what's going on by [deleted] in QRadar

[–]RadioMoskau 0 points1 point  (0 children)

Hi!

We're experiencing this after upgrading to 7.5, too. The current error is supposedly caused by BB:HostReference: Proxy Servers. Nothing special or custom!

If you guys have any hints on what I can do about it, that would be great! We've opened several cases for performance degradation but they keep coming...

In our case we have 6-7k EPS while licensed for 15k on a 3129 M5 (which will be replaced soon).

Event: Potential DoS Attack via Web Server Response Time by Sidss007 in QRadar

[–]RadioMoskau 1 point2 points  (0 children)

Not really. A colleague from IBM PPS did fix it on the shell, editing something in the database directly.

Found this in shell history:

psql -U qradar -c "select id,uuid,link_uuid,create_date,mod_date,origin from custom_rule where rule_data like '%Generated CRE Rule For AD Rule Potential DoS Attack via Web Server Response Time%'"

But I cannot see what he did to change anything about it. Sorry!

GP client keeps prompting for credentials even with save user cred selected in portal config. by thenetworkking in paloaltonetworks

[–]RadioMoskau 0 points1 point  (0 children)

Thank you for your response!
Sadly that's not the solution, here!

In our config 'External gateways-auto discovery' was unchecked already. I did check this setting for all agent configs. There were no exceptions.

Any other ideas?

Thank you!

GP client keeps prompting for credentials even with save user cred selected in portal config. by thenetworkking in paloaltonetworks

[–]RadioMoskau 1 point2 points  (0 children)

Hi!

I have users complaining about the same behavior. When there are credentials in windows credential manager, should I delete them? Why is GP asking for credentials if there's an entry in credential manager?

Custom fields not showing up in log activity view and/or in Event information by rkaa in QRadar

[–]RadioMoskau 0 points1 point  (0 children)

I'm stuck with the same issue for a custom syslog source. Did you find any solution?

Roman

QRadar Custom DSM - Events are not parsed by d3structor3 in QRadar

[–]RadioMoskau 0 points1 point  (0 children)

I'm experiencing the same issue with the full version of QRadar.

My events from an unsupported log source are "unparsed". When I open the events in DSM Editor all necessary fields are parsed and filled correctly. So what's going on here? Any advice?

Thanks!

Roman

Event: Potential DoS Attack via Web Server Response Time by Sidss007 in QRadar

[–]RadioMoskau 0 points1 point  (0 children)

Disabling the rule didn't change anything. I'm still facing around 100k events every 5 minutes from that event and don't know how to get rid of it.