IBM Support

Troubleshooting duplicate destinations in managed WinCollect

Troubleshooting


Problem

In managed WinCollect deployments, duplicate entries can appear in the ale_destinations table in QRadar and in the AgentConfig.xml of the WinCollect agent. When this happens, the agent does not send events.

Cause

This issue can be caused by deleting and re-adding hosts in QRadar.

Diagnosing The Problem

  1. Log in to Console as the root user.
  2. Review the ale_destinations table for duplicate entries by using the following command:
    psql -U qradar -c "select * from ale_destination;"
    In the example, observe the two pairs of duplicates of eventcollector404. Two are UDP and two are TCP.
    89      eventcollector404 :: EC404 :: UDP  89      89      192.168.404.xx   514     UDP     \N      t       f       t       30000   4000
    90      eventcollector404 :: EC404 :: TCP  90      90      192.168.404.xx   514     TCP     \N      t       f       t       30000   4000
    235     eventcollector404 :: EC404 :: UDP  235     235     192.168.404.xx   514     UDP             t       f       t       30000   4000
    135     eventcollector404 :: EC404 :: TCP  135     135     192.168.404.xx   514     TCP             t       f       t       30000   4000

Resolving The Problem

Users can create a destination with a new name and point the agents to that new destination. The initial name used cannot be used again. For more information, see IJ32028: WINCOLLECT LOG SOURCE MANAGEMENT DISPLAYS MULTIPLE INCORRECT ENTRIES WHEN A MANAGED HOST IS REMOVED AND ADDED BACK.
 

WinCollect 10

Before you start, create a new destination

  1. From the menu, select Destinations.
  2. Select Add.
  3. Create and Save the new destination.

Edit the WinCollect log source to use the new Target Destination in WinCollect 10

  1. From the menu, select Local Sources or Remote Sources based on which source you are using.
  2. Click the source's Name to edit it.
  3. Select the old target's checkbox and click Delete to remove the old destination.
  4. Click to Add a new target.
  5. Select the new Destination and Save.
  6. Open the notifications window.
  7. Click Apply Changes.

Result
The agent sends events to the new destination.

WinCollect 7

Before you start, create a new destination

  1. In the Admin menu, open the WinCollect Configuration Console.
  2. Go to the Destinations tab and select Add.
  3. Enter your destination details and select Save.

Edit the WinCollect log source to use the new Target Destination in WinCollect 7

  1. In the Admin menu, open the WinCollect Configuration Console.
  2. Click Agents and select the agent you want to edit.
  3. Click Log Sources and navigate to the Log Sources setting.
  4. Select the log source you want to edit, and click Edit.
  5. Select the Target External Destinations check box.
  6. Select the Target External Destination you want to target.
  7. Click Save.

Result
The agent sends events to the new destination.
 

Document Location

Worldwide


Document Information

Modified date:
29 April 2022

UID

ibm16561919