Installing and upgrading the WinCollect application on QRadar appliances

To manage a deployment of WinCollect agents from the QRadar® user interface, you must first upgrade your QRadar Console to a supported version of WinCollect by using the WinCollect Agent SFS Bundle. This bundle includes the protocols that QRadar needs to communicate with the managed WinCollect agents on the Windows hosts. Both the QRadar Console and the managed WinCollect agents are upgraded to a newer version of WinCollect by installing the newer SFS Bundle on the QRadar Console.

About this task

Important:
  • For information about upgrading WinCollect versions v7.0 through v7.2.2, see www.ibm.com/support (http://www-01.ibm.com/support/docview.wss?uid=swg21698127).
  • If WinCollect v7.2.6 or newer is installed on the QRadar Console, and then you upgrade QRadar from v7.2.8 to v7.3.0 or newer, the version of WinCollect on QRadar reverts to v7.2.5. The managed WinCollect agents that are running on your Windows hosts remain at their current version and continue to send events to QRadar using their existing configuration information. However, they no longer receive code or configuration updates. You must reinstall a version of the WinCollect Agent SFS Bundle that is the same as or newer than your current agents' version on your QRadar Console after the QRadar upgrade.

After you upgrade a QRadar Console, the managed WinCollect agents that are enabled to receive automatic updates upgrade to the new version of WinCollect at their next configuration polling interval. If new WinCollect agent files are available for download, the agent downloads and installs them and restarts the required services. No events are lost during the agent update because events are buffered to disk, and event forwarding resumes when the WinCollect service on the Windows host restarts.

Important: If you reinstall QRadar on your Console, you must delete this file on any existing WinCollect agent installations before WinCollect can function properly: Program Files/IBM/WinCollect/config/ConfigurationServer.PEM

Procedure

  1. Download the WinCollect Agent SFS Bundle installation file from the IBM® website: (http://www.ibm.com/support).
    Note: The installation process restarts services on the Console, which creates a gap in event collection until services restart. Schedule the WinCollect upgrade during a maintenance window to avoid disrupting users.
  2. Use SSH to log in to the QRadar Console as the root user.
  3. For initial installations, create the /storetmp and /media/updates directories if they do not exist. Type the following commands (the -p option makes mkdir succeed if a directory is already present):
    mkdir -p /media/updates
    mkdir -p /storetmp
  4. Using a program such as WinSCP, copy the downloaded SFS file to /storetmp on your QRadar Console.
  5. To change to the /storetmp directory, type the following command: cd /storetmp
  6. To mount the SFS file, type the following command: mount -t squashfs -o loop <Installer_file_name.sfs> /media/updates
    Example: mount -t squashfs -o loop 730_QRadar_wincollectupdate-7.3.0-24.sfs /media/updates
  7. To run the WinCollect installer, type the following command and then follow the prompts: /media/updates/installer
    Note: To proceed with the WinCollect Agent update you must restart services on QRadar to apply protocol updates. The following message is displayed:
    WARNING: Services need to be shutdown in order to apply patches.
    This will cause an interruption to data collection and correlation.
    Do you wish to continue (Y/N)?
  8. Type Y to continue with the update.
    During the update, the SFS installs new protocol updates. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and run the installer again, the patch installation resumes. After the installation is complete, services are restarted, and the user interface is available.
    Note: During installation, the following message is displayed:
    Patch 144249
    This patch includes a new version of the WinCollect Configuration Server.
    For this new version to run properly, the event collection service needs to be restarted.
    If you choose to not restart the service, agents cannot get new configurations and code updates until you restart it.
    
    Choices:
    1. Restart event collection service at the end of the patch installation, on the Console and on all managed hosts patched from the Console.
    2. Do not restart event collection service yet. You will need to restart it in the user interface (Advanced > Restart Event Collection Services).
    3. Abort patch.
    After you choose an option, the patch installation continues. When it is complete, press the Enter key to exit the patch screen.
  9. If you selected the second option in step 8, you must perform the following steps:
    • In the QRadar admin settings, click Advanced > Deploy Full Configuration.
    • In the QRadar admin settings, click Advanced > Restart Event Collection Services.
  10. To unmount the SFS file from the Console, type the following command: umount /media/updates
  11. Optional: Verify that WinCollect agents are configured to accept remote updates:
    1. Log in to QRadar.
    2. On the navigation menu, click Data Sources.
    3. Click the WinCollect icon.
    4. Review the Automatic Updates Enabled column and select WinCollect agents that have a False value.
    5. Click Enable/Disable Automatic Updates.
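Steps 3 to 10 of the procedure wrapped in one script, as an added example that is not part of the IBM documentation or of the SFS Bundle itself. It validates the bundle path before any Console service is touched, refuses to run the installer as a non-root user, and always unmounts /media/updates even when the installer exits with an error. The function names, the DRY_RUN switch and the sample bundle file name are assumptions of this example; the paths and the mount command are the ones the procedure above uses.

```bash
#!/bin/bash
# Added example (not IBM's code): wraps steps 3 to 10 of the WinCollect SFS
# procedure so the bundle is always unmounted, even if the installer fails.
# Run as root on the QRadar Console. DRY_RUN=1 prints each command instead of
# executing it, which lets the script be rehearsed on any Linux host.
set -euo pipefail

STAGE_DIR=/storetmp        # where the downloaded .sfs is copied (step 4)
MOUNT_POINT=/media/updates # loop mount point for the squashfs image (step 6)

# Execute a command, or only print it when DRY_RUN=1 (assumed switch).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Refuse anything that is not a readable .sfs file, so a typo in the path
# fails before the Console's services are restarted.
validate_sfs() {
  local f="$1"
  case "$f" in
    *.sfs) ;;
    *) echo "not a WinCollect SFS bundle: $f" >&2; return 1 ;;
  esac
  [ -f "$f" ] && [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  return 0
}

# Stage, mount, install and unmount. Returns the installer's exit status.
install_bundle() {
  local sfs="$1" name status=0
  validate_sfs "$sfs" || return 1
  if [ "${DRY_RUN:-0}" != 1 ] && [ "$(id -u)" -ne 0 ]; then
    echo "run this on the QRadar Console as root" >&2
    return 1
  fi
  name=$(basename "$sfs")
  run mkdir -p "$STAGE_DIR" "$MOUNT_POINT"                        # step 3
  if [ ! "$sfs" -ef "$STAGE_DIR/$name" ]; then
    run cp "$sfs" "$STAGE_DIR/$name"                              # step 4
  fi
  run mount -t squashfs -o loop "$STAGE_DIR/$name" "$MOUNT_POINT" # step 6
  # Step 7: the installer is interactive (service restart prompt, patch
  # choices); its exit status is kept so the unmount still happens.
  run "$MOUNT_POINT/installer" || status=$?
  run umount "$MOUNT_POINT"                                       # step 10
  return "$status"
}

# Usage: ./wincollect_install.sh /root/730_QRadar_wincollectupdate-7.3.0-24.sfs
if [ "${1:-}" ]; then
  install_bundle "$1"
fi
```

Rehearse it first with DRY_RUN=1 against the downloaded bundle to see the exact mount and installer commands it will run; then run it as root during the maintenance window, because the installer still prompts for the service restart choice described in step 8.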

Results

Managed WinCollect agents with automatic updates enabled are updated and restarted. The amount of time it takes a managed agent to update depends on the configuration polling interval for the agent and the speed of the network connections between the Console and the agent.