If you open the QRadar WinCollect tab and see an agent that is communicating successfully, sending heartbeats and information messages, but then discover that no Log Source was ever set up for it, so you are not actually receiving the operating system logs from that agent, how do you find every agent in that state?
I wrote a simple psql query, run against the QRadar console database, that lists the agents with a record on the WinCollect tab but no corresponding record on the Log Source tab:
select a.id, a.enabled, a.deleted, a.name, b.id, b.devicename
from ale_client a
  -- agent-to-log-source mapping; no row here when no log source was created for the agent
  left outer join ale_sensor_device_mapping c on a.id = c.ale_client_id
  -- sensordevice holds the log sources; null when the mapping is missing or points nowhere
  left outer join sensordevice b on c.sensor_device_id = b.id
where b.id is null         -- no log source reachable from this agent
  and a.enabled = true     -- ignore disabled agents
  and a.deleted = false;   -- ignore agents already removed
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.