SIEM & DETECTION · 7 MIN

Windows Event Collection for QRadar: From WinCollect 7 to Today

Windows event collection has changed substantially since WinCollect 7. Here's the practical guide to current architecture, sizing, and the alternatives worth considering.

QMasters SOC Team· SIEM Engineering· 2026-03-10
TL;DR

What's the best way to collect Windows events for IBM QRadar in 2026?

Three options dominate: WinCollect (IBM's official agent), Windows Event Collection/Forwarding (WEC/WEF, Microsoft-native), or a streaming layer like Cribl Stream that filters before forwarding to QRadar. WinCollect is the most reliable for IBM-supported environments. WEC/WEF is the lowest cost but requires more tuning. A streaming layer cuts EPS by 40–60% but adds infrastructure. The right choice depends on EPS budget, regulatory needs, and SOC tuning capacity.

Architecture diagram showing Windows event collection paths from endpoints to QRadar
Architecture diagram showing Windows event collection paths from endpoints to QRadar

Windows Event Collection for QRadar: From WinCollect 7 to Today

Windows event collection is the workhorse of any QRadar deployment. Most security signal — authentication, process creation, PowerShell activity, scheduled tasks, service installation — originates here. Get the collection layer wrong and the rest of your SIEM architecture is fighting gravity.

When IBM introduced WinCollect 10 it was a meaningful jump from the WinCollect 7 era: 70–100% better CPU usage, 53–67% better memory, raised local-collection EPS from 5,000 to 10,000, and shifted from a "log source" model to a "per-source" model where each collection channel can be polled independently. Subsequent releases have refined the agent further. The core architectural question — agent vs. native vs. streaming layer — is the same one every QRadar customer faces.

This is the practical guide we walk customers through during onboarding.

The three architectural options

Option 1 — WinCollect agent (IBM's official path)

How it works: Lightweight agent installed on each Windows host (or a centralized polling server for low-EPS environments), forwards events directly to QRadar Event Processors.

Strengths:

  • Native QRadar integration, full DSM support, no parsing surprises
  • Agent management UI works in any modern browser, no .NET 3.5 dependency
  • Templates support partial updates, not just full configuration replacements
  • Per-source polling intervals — high-priority Security log polled every 10 seconds, low-priority Application log every 5 minutes

Weaknesses:

  • Per-endpoint agent footprint and maintenance overhead
  • Higher EPS bills if you don't filter at the agent

Best for: IBM-supported environments where vendor support and detection coverage are non-negotiable. Most regulated industries.

Option 2 — Windows Event Collection / Forwarding (WEC/WEF)

How it works: Microsoft-native event subscription model. Collector servers subscribe to event channels on source hosts via WS-Management. Collected events forward to QRadar via a syslog or NXLog bridge.

Strengths:

  • Zero per-endpoint license cost (Microsoft-native)
  • No agent footprint on endpoints
  • Group Policy-driven configuration scales cleanly to tens of thousands of hosts
  • Excellent for environments already using WEC for compliance logging

Weaknesses:

  • Requires more tuning expertise to filter before forward
  • DSM mapping requires care — events arrive in a format that may need custom parsers
  • Troubleshooting subscriptions at scale is its own skill

Best for: Cost-sensitive Microsoft-heavy environments with strong internal Windows expertise.

Option 3 — Streaming layer (Cribl Stream, Tenzir, or equivalent)

How it works: WinCollect or WEC/WEF feeds a streaming pipeline that drops, transforms, and routes events before delivery to QRadar.

Strengths:

  • Cuts QRadar EPS by 40–60% in typical environments
  • Routes high-value events to QRadar, copies to a data lake for cheaper retention
  • Field-level transformations let you enrich, redact, or restructure before SIEM ingestion

Weaknesses:

  • Adds infrastructure to operate and license
  • Requires deliberate filtering decisions — drop the wrong events and you blind your SOC

Best for: Mature SOCs with EPS pressure, multi-SIEM architectures, or hot/warm/cold data tiering ambitions.

The QMasters take: the right answer for most mid-market customers is WinCollect with aggressive event-type filtering at the agent. It hits 80% of the value of a streaming layer at 20% of the operational complexity. The streaming layer becomes worth it when you're past 50,000 EPS or running multiple SIEMs.

The tuning conversation

The conversation almost no QRadar customer has at the right time: which Windows Event IDs are actually worth collecting?

Most environments collect everything because the original deployment said "collect Security, System, Application." That generates 40–60% pure noise — Event IDs that drive zero security value but burn EPS budget.

Examples of commonly over-collected, low-value events:

  • Event 4634 (an account was logged off) — almost never the alerting signal; the corresponding 4624 logon event is enough
  • Event 5156 (Filtering Platform connection allowed) — extremely high-volume, low-signal
  • Event 4670 (permissions on an object were changed) — useful in narrow contexts, noise everywhere else
  • Event 4799 (a security-enabled local group membership was enumerated) — high volume, rarely actionable

We publish a current tuning checklist as part of the QRadar SIEM audit we run for customers — typical first-pass result is a 30% EPS reduction without losing any meaningful detection coverage.

What this means for QRadar Suite (cloud-native)

The IBM QRadar Suite (the cloud-native generation IBM has been positioning as the successor to on-prem QRadar) doesn't change the fundamental Windows collection question — agents still collect, native forwarding still forwards. What it does change is the EPS economics: cloud ingestion rates, hot-storage tiers, and licensing models all push harder toward filtering at the collection layer.

Customers migrating from on-prem QRadar to QRadar Suite who don't tighten their Windows collection first end up with a more expensive cloud bill than the on-prem environment they left.

Soft CTA

If your QRadar deployment is collecting more Windows events than your detections actually use, request a SIEM tuning assessment. Our standard finding is a 30% EPS reduction with zero detection loss.

FAQ

Q: What's the difference between WinCollect 7 and modern WinCollect?

A: 70–100% better CPU usage, 53–67% better memory, raised local-collection EPS from 5,000 to 10,000, simplified installation, and a per-source collection model with independent polling intervals.

Q: Should I use WinCollect or WEC/WEF?

A: WinCollect for vendor-supported environments where support matters. WEC/WEF for cost-sensitive Microsoft-heavy environments with strong internal expertise. They can coexist.

Q: How do I reduce the EPS I send to QRadar?

A: Drop low-value Event IDs at the collection layer. Most environments can suppress 30–50% of native Windows event volume without losing security signal.

Q: Does this still apply to QRadar Suite (cloud-native)?

A: Yes — the architectural choices are the same, but the EPS economics push harder toward filtering at the collection layer because cloud ingestion is metered.

Talk to QMasters

QMasters is an IBM Gold Business Partner with SIEM tuning expertise across both on-prem QRadar and QRadar Suite. If your collection architecture hasn't been audited in 18+ months, that's the right moment to book a SIEM health check.

For more context, start at QMasters, review our managed detection and response, or check out email security.

---

Author · QMasters SOC Team

Last updated · 2026-03-10

Reading time · 7 min

FAQ

Frequently asked questions.

  • Modern WinCollect introduced 70–100% improvement in CPU usage, 53–67% better memory efficiency, raised the local-collection EPS limit from 5,000 to 10,000, simplified installation to a single hostname/IP parameter, and shifted to a per-source collection model that supports independent polling intervals.

ABOUT THE AUTHOR

QMasters SOC Team
SIEM Engineering

Practitioners from the QMasters Security Operations Center. We run 24/7 monitoring, detection engineering, and incident response for organisations across regulated industries — and write here from the offense and defense work in front of us.

READY TO TUNE YOUR SIEM?

Tighter detections, fewer false positives.

Book a working session with a senior detection engineer. Bring a sample of your noisiest alerts and we will rebuild the rule with you.

Explore Managed Detection & Response

F-003 · CONSULTATION

Book 30 minutes. No slides.

A real working session with a SOC engineer — bring your alerts.