WinCollect 7.2.8 allows you to add an XPath query to the command-line installer, for "Stand-Alone" installs only.

The first thing you need to do is convert your XPath query to base64.

Take this example, an XPath query that collects the Windows PowerShell event log:

<QueryList>
    <Query Id="0" Path="Windows PowerShell">
        <Select Path="Windows PowerShell">*</Select>
    </Query>
</QueryList>

Converting this to base64 (you can go to https://www.base64encode.org/ to encode or decode the XPath) results in

PFF1ZXJ5TGlzdD4KPFF1ZXJ5IElkPSIwIiBQYXRoPSJXaW5kb3dzIFBvd2VyU2hlbGwiPgo8U2VsZWN0IFBhdGg9IldpbmRvd3MgUG93ZXJTaGVsbCI+KjwvU2VsZWN0Pgo8L1F1ZXJ5Pgo8L1F1ZXJ5TGlzdD4=

Now that we have the base64 string, we can add it to the command line that installs WinCollect:

c:\wincollect-7.2.8-91.exe /s /v"/qn STATUSSERVER=172.X.X.X LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=%COMPUTERNAME%&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Dest.Name=QRadar&Component1.EventLogPollProtocol=MSEVEN6&Component1.Dest.Hostname=172.X.X.X&Component1.Dest.Port=514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=true&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=3000&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=2500&Component1.CustomQuery.Base64=PFF1ZXJ5TGlzdD4KPFF1ZXJ5IElkPSIwIiBQYXRoPSJXaW5kb3dzIFBvd2VyU2hlbGwiPgo8U2VsZWN0IFBhdGg9IldpbmRvd3MgUG93ZXJTaGVsbCI+KjwvU2VsZWN0Pgo8L1F1ZXJ5Pgo8L1F1ZXJ5TGlzdD4=&Component1.EventRateTuningProfile=High+Event+Rate+Server"""

Replace the following entries with valid IP addresses:
STATUSSERVER=172.X.X.X
Component1.Dest.Hostname=172.X.X.X

STATUSSERVER is the address to which the WinCollect agent sends its status messages (for example, the WinCollect service starting, or any agent error messages).
Component1.Dest.Hostname is the address to which the agent sends the event logs (i.e. the QRadar EC (Event Collector) or Console).

Add or remove any of the components or event logs you want to collect, and you should be good to go.
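As an added worked example (not code from the original post or from WinCollect itself), the whole procedure in Python: it checks that the QueryList is well-formed XML, base64-encodes it locally, reproduces the page's encoded string, and assembles the LOG_SOURCE_AUTO_CREATION_PARAMETERS value and the installer line from a dictionary. It assumes the encoded text is the query without its leading indentation (which is what the page's base64 string decodes to), keeps the page's 172.X.X.X placeholder, and the function names are my own.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the page's QueryList without indentation, which is the
# exact text behind the page's base64 string.
POWERSHELL_QUERY = (
    '<QueryList>\n'
    '<Query Id="0" Path="Windows PowerShell">\n'
    '<Select Path="Windows PowerShell">*</Select>\n'
    '</Query>\n'
    '</QueryList>'
)

def encode_query(xpath_query: str) -> str:
    """Refuse malformed XML, then return the base64 of the UTF-8 bytes."""
    ET.fromstring(xpath_query)  # raises ParseError on a broken query
    return base64.b64encode(xpath_query.encode("utf-8")).decode("ascii")

def decode_query(b64: str) -> str:
    """Decode a Component1.CustomQuery.Base64 value to see what will ship."""
    return base64.b64decode(b64, validate=True).decode("utf-8")

def build_auto_creation_params(settings: dict) -> str:
    """Join key=value pairs with '&', writing spaces as '+' as the page does.
    The base64 is passed through untouched, exactly as on the page."""
    return "&".join(f"{k.replace(' ', '+')}={v.replace(' ', '+')}"
                    for k, v in settings.items())

def build_install_command(installer: str, status_server: str, params: str) -> str:
    """Silent-install line in the page's layout: the parameter string sits in
    doubled quotes because the whole /v argument is itself double-quoted."""
    return (f'{installer} /s /v"/qn STATUSSERVER={status_server} '
            'LOG_SOURCE_AUTO_CREATION_ENABLED=True '
            f'LOG_SOURCE_AUTO_CREATION_PARAMETERS=""{params}"""')

# A subset of the page's parameters; 172.X.X.X is the page's own placeholder.
SETTINGS = {
    "Component1.AgentDevice": "DeviceWindowsLog",
    "Component1.Action": "create",
    "Component1.LogSourceName": "%COMPUTERNAME%",
    "Component1.Dest.Hostname": "172.X.X.X",
    "Component1.Dest.Port": "514",
    "Component1.Log.DNS Server": "false",
    "Component1.CustomQuery.Base64": encode_query(POWERSHELL_QUERY),
    "Component1.EventRateTuningProfile": "High Event Rate Server",
}

if __name__ == "__main__":
    params = build_auto_creation_params(SETTINGS)
    print(build_install_command(r"c:\wincollect-7.2.8-91.exe", "172.X.X.X", params))
```

Decoding the value you are about to ship with decode_query and reading it back is a cheap check that the query, and not a stray indentation or quoting change, is what the agent will run.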
