Installing the WinCollect agent on a Windows host

Install the WinCollect agent on each Windows host that you want to use for local or remote collection in your network environment.

Before you begin

Ensure that the following conditions are met:
  • You created an authentication token for the managed WinCollect agent.
    Note: An authentication token is not required for stand-alone WinCollect deployments such as those used in IBM® QRadar® on Cloud, but every managed WinCollect agent must use an authentication token.

    For more information, see Creating an authentication token for WinCollect agents.

  • Your system meets the hardware and software requirements.

    For more information, see Hardware and software requirements for the WinCollect host.

  • The required ports are available for WinCollect agents to communicate with QRadar and remotely polled Windows computers.

    For more information, see Communication between WinCollect agents and QRadar.

  • To have the installer create a log source for a managed WinCollect agent automatically, first add a destination that the agent can use to send events to QRadar; the log source is created against that destination. For more information, see Adding a destination.

    The managed WinCollect agent sends the Windows event logs to the configured destination. The destination can be the QRadar Console, an Event Processor, or an Event Collector.
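The prerequisites above (administrator rights, a well-formed authentication token, reachable ports, and the event logs you intend to collect) are all things you can verify on the target host before running the installer. The following PowerShell script is an added example, not part of the IBM documentation; the host names, the destination port and the token in its parameters are constructed placeholders (the token is the example value from the parameter table), and the configuration-server port defaults to the WinCollect configuration port, TCP 8413.

```powershell
# Added example: pre-installation checks for a managed WinCollect agent.
# Not part of the IBM WinCollect documentation. All parameter defaults are
# placeholders for illustration; replace them with your deployment's values.
param(
    [string]$ConfigServer = 'qradar-console.example.com',  # assumption: your Console, EC or EP
    [int]$ConfigPort      = 8413,                          # WinCollect configuration server port
    [string]$Destination  = 'qradar-ec.example.com',       # assumption: the destination you added in QRadar
    [int]$DestPort        = 514,                           # assumption: the port set on that destination
    [string]$AuthToken    = 'af111ff6-4f30-11eb-11fb-1fc117711111',  # example token from the doc
    [string[]]$EventLogs  = @('Security', 'System', 'Application')
)

$results = [ordered]@{}

# 1. The installer must be run as administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$results['IsAdministrator'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Token shape: the wizard accepts any string, but a mistyped token only
#    surfaces later as an agent that never registers. Check the UUID form now.
$results['TokenLooksValid'] = $AuthToken -match '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'

# 3. Required ports: configuration server and event destination.
#    Test-NetConnection (Windows 8 / Server 2012 and later) only tests TCP;
#    a UDP syslog destination cannot be probed this way.
$results["ConfigServer TCP $ConfigPort"] = Test-NetConnection -ComputerName $ConfigServer `
    -Port $ConfigPort -InformationLevel Quiet -WarningAction SilentlyContinue
$results["Destination TCP $DestPort"]    = Test-NetConnection -ComputerName $Destination `
    -Port $DestPort -InformationLevel Quiet -WarningAction SilentlyContinue

# 4. Every event log you plan to select in the wizard must exist on this host.
foreach ($log in $EventLogs) {
    $results["EventLog $log"] = [bool](Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue)
}

# 5. The wizard defaults the Host Identifier to the hostname; it must be
#    unique in the QRadar agent list, so record what will be proposed.
$results['DefaultHostIdentifier'] = $env:COMPUTERNAME

# Emit the checklist; any $false entry should be resolved before installing.
[pscustomobject]$results
```

Run the script from an elevated PowerShell session on the host to be instrumented; a `False` next to a port check usually means a host firewall or network ACL between the agent and QRadar, which is the same condition the "Communication between WinCollect agents and QRadar" topic describes.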

Procedure

  1. Download the WinCollect Agent .exe file from the IBM Support website (http://www.ibm.com/support).
  2. Right-click the WinCollect Agent .exe file and select Run as administrator.
  3. Follow the prompts in the installation wizard and use the following parameters for either managed or stand-alone agent setup.
    Table 1. WinCollect Managed agent setup type installation wizard parameters

    Host Identifier
      Use a unique identifier for each WinCollect agent that you install. The name that you type in this field is displayed in the WinCollect agent list of the QRadar Console. If you reinstall an agent on a Windows host and want to reuse the same Host Identifier, you must first rename the existing agent in QRadar, because each installation of the agent, even on the same Windows host, needs its own Host Identifier.

      By default, the Host Identifier is the hostname of the Windows host.

    Authentication Token
      The authentication token that you created in QRadar, for example, af111ff6-4f30-11eb-11fb-1fc117711111.

    Configuration Server (host and port)
      The IP address or host name of the QRadar Console, Event Collector, or Event Processor that the agent contacts for its configuration, for example, 192.0.2.0 or myhost. The agent connects to the configuration server on TCP port 8413 by default.

    Create Log Source
      If this check box is selected, you must provide information about the log source and the target destination.

    Log Source Name
      The name can be a maximum of 255 characters.

    Log Source Identifier
      Identifies the device that the WinCollect agent polls. This field must contain the hostname, IP address, or FQDN of the Windows host that the log source gathers events from.

    Target Destination
      The WinCollect destination must be configured in QRadar before you continue entering information in the installation wizard. This field must contain the name of a previously created WinCollect Destination, exactly as it appears in the Destinations window.

    Event Logs
      The Windows logs that you want the log source to collect events from and send to QRadar.

    Machine poll interval (msec)
      The polling interval, in milliseconds, between queries to the Windows host. The minimum is 300 milliseconds. The default is 3000 milliseconds (3 seconds).

    Event Rate Tuning Profile
      Select the tuning profile:
      • Default (Endpoint): 100/150
        Suitable for Windows endpoints that run a non-Server OS.
      • Typical Server: 500/750
        Suitable for most Windows Server endpoints.
      • High Event Rate Server: 1250/1875
        Suitable for all Windows endpoints and ideal for Domain Controllers and other potentially high EPS endpoints.

      For more information, see IBM Support (http://www-01.ibm.com/support/docview.wss?uid=swg21672193).

    Default Status Server Address
      The destination where status messages from the WinCollect agent, such as the heartbeat, are sent.

    Syslog Status Server (if different from default)
      An alternative destination for WinCollect status messages, such as the heartbeat, if required. Set the value to an IP address to send status messages to any QRadar Console, Event Processor, or Event Collector in your deployment. Set the value to Disabled to send only a heartbeat without status messages. Set the value to None if you do not want to send a heartbeat or status messages.
    Table 2. WinCollect stand-alone setup type installation wizard parameters

    Create Log Source
      If this check box is selected, you must provide information about the log source and the target destination.

    Log Source Name
      The name can be a maximum of 255 characters.

    Log Source Identifier
      Identifies the device that the WinCollect agent polls. This field must contain the hostname, IP address, or FQDN of the Windows host that the log source gathers events from.

    Event Logs
      The Windows logs that you want the log source to collect events from and send to QRadar.

    Destination Name
      Identifies where WinCollect events are sent.

    Hostname / IP
      The host name or IP address of the destination.

    Port
      The port that WinCollect uses when it communicates with the destination.

    Protocol
      TCP or UDP.

    Machine poll interval (msec)
      The polling interval, in milliseconds, between queries to the Windows host. The minimum is 300 milliseconds. The default is 3000 milliseconds (3 seconds).

    Event Rate Tuning Profile
      Select the tuning profile:
      • Default (Endpoint): 100/150
        Suitable for Windows endpoints that run a non-Server OS.
      • Typical Server: 500/750
        Suitable for most Windows Server endpoints.
      • High Event Rate Server: 1250/1875
        Suitable for all Windows endpoints and ideal for Domain Controllers and other potentially high EPS endpoints.

      For more information, see IBM Support (http://www-01.ibm.com/support/docview.wss?uid=swg21672193).

    Default Status Server Address
      The IP address of the destination where status messages from the WinCollect agent are sent.

    Syslog Status Server (if different from default)
      An alternative destination for WinCollect status messages, such as the heartbeat, if required. Set the value to an IP address to send status messages to any QRadar Console, Event Processor, or Event Collector in your deployment. Set the value to Disabled to send only a heartbeat without status messages. Set the value to None if you do not want to send a heartbeat or status messages.

      For QRadar on Cloud deployments, use the Data gateway.

    Heartbeat Interval (msecs)
      How often heartbeat status messages are sent. In WinCollect 7.2.8, the value is displayed in milliseconds. In WinCollect 7.2.9 and later, it is displayed in minutes.

    Log Monitor Socket Type
      The protocol used to send heartbeat and status messages.
      Note: This option is available only in stand-alone WinCollect deployments. Availability for managed agents is planned for a later release of QRadar.

    The Command Line field (saved to config\cmdLine.txt under the installation directory) shows the command line equivalent of the configuration that you entered in the wizard. You can reuse it for silent, unattended installations on other hosts. Because it reflects the configuration you entered, including the authentication token, protect the file like any other credential. For more information, see Installing a WinCollect agent from the command prompt.
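The Event Rate Tuning Profile rows in both tables give EPS figures but leave you to guess which band a given host falls into. The following PowerShell script is an added example, not part of the IBM documentation: it estimates the host's sustained event rate from the logs you intend to collect and maps it onto the first figure of each profile (100, 500, 1250). The log names in its parameter list are an assumption; supply the same logs you will select under Event Logs.

```powershell
# Added example: estimate a host's Windows event rate to choose an Event Rate
# Tuning Profile. Not part of the IBM WinCollect documentation.
# The profile thresholds are the first figure of each profile in the wizard
# tables (Default 100/150, Typical Server 500/750, High Event Rate Server 1250/1875).
param(
    [string[]]$EventLogs = @('Security', 'System', 'Application')  # assumption: logs you will collect
)

$perLog   = [ordered]@{}
$totalEps = 0.0

foreach ($log in $EventLogs) {
    # RecordCount and the timestamps of the oldest and newest records give an
    # average rate over the whole retained span without reading every event.
    $info = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
    if (-not $info -or $info.RecordCount -lt 2) { $perLog[$log] = 0.0; continue }

    $oldest = Get-WinEvent -LogName $log -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $newest = Get-WinEvent -LogName $log -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $oldest -or -not $newest) { $perLog[$log] = 0.0; continue }

    $spanSeconds = ($newest.TimeCreated - $oldest.TimeCreated).TotalSeconds
    if ($spanSeconds -le 0) { $perLog[$log] = 0.0; continue }

    $eps = [math]::Round($info.RecordCount / $spanSeconds, 2)
    $perLog[$log] = $eps
    $totalEps += $eps
}

# Map the combined average onto the wizard's profiles. The average understates
# bursts (logon storms, GPO refresh), so the cut-offs are deliberately
# conservative and the doc notes that the High profile suits any endpoint.
$profile = if ($totalEps -lt 100)     { 'Default (Endpoint): 100/150' }
           elseif ($totalEps -lt 500) { 'Typical Server: 500/750' }
           else                       { 'High Event Rate Server: 1250/1875' }

[pscustomobject]@{
    EventsPerSecondByLog = $perLog
    AverageEPS           = [math]::Round($totalEps, 2)
    SuggestedProfile     = $profile
}
```

Run it from an elevated session, because the Security log is not readable otherwise and would silently contribute zero. The figure is an average over whatever the log currently retains; on a host whose Security log wraps every few hours it reflects recent activity, while on a quiet workstation it may reach back weeks. If the result sits close to a boundary, take the higher profile.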