The Status Server is responsible for forwarding messages related to Agent status to QRadar. These LEEF messages can be viewed in the QRadar user interface from the WinCollect agent list by using the Show Events button. The events are written to the C:\Program Files\IBM\WinCollect\logs\WinCollect_Device.log file on the WinCollect agent and are also sent to the QRadar appliance as LEEF syslog messages.
If you are troubleshooting why a WinCollect log source is not sending any logs, the agent status events can help you find the error code.
In this example, one of my log sources stopped sending log events using WinCollect.
Procedure
- Log in to QRadar as an admin user.
- Click the Admin tab.
- Click the WinCollect icon.
- Select a WinCollect agent from the agent list.
- Click the Show Events icon.
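
The same status events can be reviewed on the agent from WinCollect_Device.log. The following is an added example, not part of the original post and not IBM code: it parses LEEF 1.0 payloads and counts them by event ID and message so a repeating error stands out. The sample lines are constructed, and the attribute keys (src, dst, sev, msg) and the helper names are assumptions.

```python
import re
from collections import Counter

# LEEF 1.0: "LEEF:1.0|Vendor|Product|Version|EventID|" then tab-separated key=value pairs.
LEEF_RE = re.compile(
    r"LEEF:(?P<leef>[\d.]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)"
    r"\|(?P<version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$"
)

def parse_leef(line):
    """Parse the LEEF payload found anywhere in a line; return None if absent."""
    m = LEEF_RE.search(line.rstrip("\r\n"))
    if m is None:
        return None
    event = m.groupdict()
    attrs = {}
    for pair in event.pop("attrs").split("\t"):
        key, sep, value = pair.partition("=")   # values may themselves contain '='
        if sep and key.strip():
            attrs[key.strip()] = value.strip()
    event["attrs"] = attrs
    return event

def summarize_status(lines, product="WinCollect"):
    """Count (EventID, msg) pairs so a repeating error stands out from heartbeats."""
    counts = Counter()
    for line in lines:
        event = parse_leef(line)
        if event is None or event["product"] != product:
            continue                              # non-LEEF line or other product
        counts[(event["event_id"], event["attrs"].get("msg", ""))] += 1
    return counts

# Constructed sample lines (not real agent output); attribute keys are assumptions.
SAMPLE = [
    "<13>Jan 01 10:00:00 192.0.2.10 LEEF:1.0|IBM|WinCollect|7.2|2|src=agent01.example.test\tdst=192.0.2.1\tsev=3\tmsg=ApplicationHeartbeat",
    "<13>Jan 01 10:01:00 192.0.2.10 LEEF:1.0|IBM|WinCollect|7.2|4|src=agent01.example.test\tdst=192.0.2.1\tsev=5\tmsg=Constructed error: code=0x0005 opening event log",
    "<13>Jan 01 10:02:00 192.0.2.10 LEEF:1.0|IBM|WinCollect|7.2|4|src=agent01.example.test\tdst=192.0.2.1\tsev=5\tmsg=Constructed error: code=0x0005 opening event log",
    "2024-01-01 10:02:01 INFO service debug line without a LEEF payload",
]

if __name__ == "__main__":
    for (event_id, msg), n in summarize_status(SAMPLE).most_common():
        print(f"{n:3d}  EventID={event_id}  {msg}")
```

To use it on an agent, pass the lines of a copy of WinCollect_Device.log to `summarize_status` instead of `SAMPLE`.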