What's new in WinCollect 10
WinCollect 10 is a major new release for IBM® QRadar®. This release is available now for stand-alone deployments.
Significant performance improvements
- Across many different use cases (high and low eps, high eps remote polling), approximately 70-100% improvement in CPU usage and 53-67% improvement in memory usage.
- Increased EPS limitation from 5,000 to 10,000 for local collection.
Installation improvements
- Quick Installation
- Using only the IP/Hostname of the QRadar host, you can have an Agent up and running in seconds, collecting standard Application, System, and Security events.
- Installation with script
-
- No longer requires a paragraph cmd line to install an agent. The installer can now reference an installation script.
- The installer uses the configuration in the script to add the sources you want as part of the installation. You are no longer limited to configuring the Windows event log collection as part of the installation.
- You can configure any devices that are supported by WinCollect during the installation.
- Lightweight installation
- ~4 MB installation versus 40 MB (installer + patch installer, if needed).
Automatic tuning
- You no longer need to configure the polling interval or guess which tuning profile to use. The WinCollect agent now tunes itself by Source to poll more often when required and less often when the EPS is low.
- Configure which sources you want to use, and let the agent handle the collection of events.
Web-based agent management
Web-based agent management is an optional component for all Agent installations and no longer
requires a separate installation as it did with WinCollect 7. Agent management is no
longer dependent on .NET3.5.
Tip: The agent management UI works on Internet Explorer,
Firefox, or Chrome.
In addition to agent management, the UI contains the following features:
- Main Dashboard
- Top Sources - list of the top 10 sources by EPS
- Errors - lists recent Agent errors, such as connections to QRadar or to a remote source.
- Historical EPS by source graphNote: This graph is not available using Internet Explorer.
- Add source wizard.
- Wizard to add local or remote sources one at a time or in bulk.
The UI also contains the following support tools:
- Log Viewer
- Displays the WinCollect log in real time, so you can filter the log as needed.
- Restart WinCollect service - The
following options are available during restart to help troubleshoot an issue:
- Delete Logs
- Delete Patch/Staging folder
- Delete Cached Events
- Delete Bookmarks
- Start in Debug Mode
- Collect Support files.
- Click one button to gather all the required log files to provide to L2/L3 IBM support.
Use of sources
WinCollect 10 changes the collection
paradigm from the typical QRadar log source collection to source collection. For example, in QRadar, you specify to collect
Windows event logs and select which channels you want to collect. In WinCollect 10, each channel you want to
collect from is now referred to as a "source," which provides the agent more flexibility. For
example, channels no longer need to be polled at the same time; you can now set polling intervals
for each source. Sources also provide the ability to more easily apply updates by using update
scripts.
Note: The other plug-ins (such as Microsoft SQL Server) are also referred to as
sources.
Agent Configuration with update scripts
- WinCollect 10 takes templates to the next level. In WinCollect 7, you could update agents by using templates to make wholesale changes to the configuration. Simple tweaks to an existing configuration were not possible. In WinCollect 10, you can make minor changes to the configuration, and add or subtract sources.
- If you want to change the IP destination, you can create a simple update script that you can push out to all your agents.
- The agent configuration is now much simpler and easier to read. Prior agent configurations that were 200+ lines are now reduced to 10 - 20 lines.