IBM Support

QRadar: Changing the default WinCollect Agent name results in a log source not being assigned

Troubleshooting


Problem

Administrators who change the default WinCollect agent name can break the association between the log source and the agent. The default agent name format 'WinCollect @ hostname' should not be altered.

Environment

WinCollect Agent 7.2.1 through 7.2.x

Diagnosing The Problem

If the WinCollect Agent name has been changed, the association between the agent and the log sources the agent manages might be broken. If a log source was assigned to the agent, you can verify that the log source can still be viewed by using the following procedure:


    Procedure
    1. Log in to the QRadar Console as an administrator.
    2. Click the Admin tab.
    3. Click the WinCollect icon.
    4. Select the WinCollect agent that has the updated name.
    5. From the navigation bar, click on the Log Sources button.
    6. If no log source is displayed, this can indicate a log source is not assigned to the agent.
    7. Review the WinCollect Agent field in the log source configuration to verify the proper agent is assigned.
    8. If you cannot select the correct agent or the renamed agent is not listed, this can indicate a naming issue.

Resolving The Problem

To resolve this issue there are two possible solutions:

Option 1: Remove white space from the WinCollect Agent name
In some circumstances, the name provided to the WinCollect Agent might be edited. If the updated name contains extra spaces or unsupported characters, then this can break the association between the log source and the agent.

An example of an unsupported agent name might be NetworkA @ WinCollect @ Computername. The default name for WinCollect Agents should be WinCollect @ identifier. If an administrator manually changes the name, it can cause issues in WinCollect.

    Procedure
    1. Go to the UI > Admin tab and click the WinCollect tab icon.
    2. Click a WinCollect Agent to which you cannot add a log source.
    3. Remove the white space from the Name field after the @ symbol.
    4. Click Save.


Option 2: Force the system to create a new WinCollect Agent
If you are having an agent issue or you have renamed an agent and it causes issues, the administrator might consider forcing QRadar to think an existing install is a new agent.

      Procedure
      This is intended to force a single WinCollect agent to auto discover without the need to reinstall on the Windows host.
      1. Log in to the Windows host as a local administrator.
      2. To open the Run menu, press the Windows logo key + R.
      3. Type the following: services.msc
      4. Click OK.
      5. Locate the WinCollect service and click Stop.
      6. Navigate to the WinCollect configuration directory: C:\Program Files\IBM\WinCollect\config\
      7. Edit install_config.txt.
      8. Change the ApplicationIdentifier= field to a new value.

        Example of the values in the install_config.txt file.

        ApplicationIdentifier=J1111143    <---- This is the value to be changed to force the agent to rediscover.
        ConfigurationServer=<QRadar appliance IP or hostname>
        ConfigurationServerPort=8413
        StatusServer=<QRadar appliance IP or hostname>
        ApplicationToken=<String with hashed token>
        BuildNumber=1018564

        The application identifier can be anything. On my local WinCollect install, it is my PC name as it was automatically populated by the CLI install. The name you provide must be a new name to identify and not a name that has been used during a previous install.

      9. Locate the WinCollect service and click Start.
      10. After the WinCollect agent starts, the Configuration Console on the QRadar appliance will think a new agent is trying to auto discover and update the agent list.
      11. Edit the log source configuration for any log sources that are associated with the old agent.
      12. In the WinCollect Agent list, select the agent that matches the new ApplicationIdentifier entered in step 7.
      13. Click Save.
      14. Repeat Steps 11 - 13 for any other log sources you need to remap to the correct WinCollect agent.

        Note: It might take up to 10 minutes for the WinCollect agent to send the latest log source configuration to the remote Windows host.

        Results
        To verify the log source and WinCollect agent association, the Administrator can select a WinCollect agent from the agent list, then click the Log Sources icon. A log source should now be associated with the agent.

        If the WinCollect agent still does not auto discover on the Console when the ApplicationIdentifier has been changed, then a larger installation is occurring and you should consult QRadar Support for assistance.
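
Steps 5 through 9 of the Option 2 procedure as a script, added here as an example and not IBM-supplied code. It assumes the Windows service is registered under the name WinCollect, that install_config.txt is plain ASCII as in the sample above, and it uses a constructed identifier value; run it from an elevated PowerShell session.

```powershell
# Added example: scripted form of steps 5-9 (stop service, edit identifier, start service).
# Assumptions: service name 'WinCollect', ASCII config file, path from step 6.
param(
    [string]$NewId      = 'HOST01-REDISCOVER',   # constructed sample value
    [string]$ConfigPath = 'C:\Program Files\IBM\WinCollect\config\install_config.txt',
    [string]$Service    = 'WinCollect'
)
$ErrorActionPreference = 'Stop'

# Read the file once and make sure there is exactly one identifier line to change.
$lines   = Get-Content -LiteralPath $ConfigPath
$current = @($lines | Where-Object { $_ -match '^ApplicationIdentifier=' })
if ($current.Count -ne 1) {
    throw "Expected exactly one ApplicationIdentifier line in $ConfigPath"
}
$oldId = ($current[0] -replace '^ApplicationIdentifier=', '').Trim()

# The new value must differ from the current one. Identifiers used by earlier
# installs cannot be detected from this file and must be checked by the operator.
if ([string]::IsNullOrWhiteSpace($NewId) -or $NewId -eq $oldId) {
    throw "New identifier must be non-empty and differ from the current value '$oldId'"
}

Stop-Service -Name $Service
try {
    # Keep a timestamped copy so the change can be rolled back.
    $backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -LiteralPath $ConfigPath -Destination $backup

    # Replace only the identifier line; every other field is written back unchanged.
    $lines | ForEach-Object {
        if ($_ -match '^ApplicationIdentifier=') { "ApplicationIdentifier=$NewId" } else { $_ }
    } | Set-Content -LiteralPath $ConfigPath -Encoding ASCII
}
finally {
    # Restart the agent even if the edit failed, so log collection is not left stopped.
    Start-Service -Name $Service
}
Write-Output "ApplicationIdentifier changed from '$oldId' to '$NewId' (backup: $backup)"
```

The log source remapping in steps 11 through 14 still has to be done in the QRadar Console after the agent rediscovers.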


Document Information

Modified date:
10 May 2019

UID

swg21962330