IBM Support

QRadar: Troubleshooting steps for WinCollect 7.3.x in "Unavailable" status

Troubleshooting


Problem

Managed WinCollect agents report an "Unavailable" status on the QRadar® console even though heartbeat events and Windows® events are being collected. This article applies to WinCollect 7.3.x versions only.

Cause

This issue can have several causes:
  • A network-related issue between the Console or Event Collector and the WinCollect agent.
  • A firewall that is blocking connections.
  • A configuration mismatch on the WinCollect agent, for example in the install_config.txt file.
  • Time drift between the QRadar Console and the Event Collector.

Diagnosing The Problem

Verify the following to confirm that the environment is affected by this issue:
  • Confirm that events from the agent arrive on the QRadar host that ingests them (Console or Event Collector). You can use tcpdump on that host to check:
    If the events are not encrypted (plain syslog on port 514):
    tcpdump -nnvvAs0 -i any -l port 514 and src <sourceIP> | egrep "LEEF|PluginVersion"
  • Confirm that the log source for WinCollect heartbeats (usually named WinCollect @ <hostname>) is receiving events. Heartbeats use the UDP protocol by default, whereas other events use TCP by default. Check with your network admin whether traffic over each of these protocols is permitted.
    • To test TCP connectivity from the Windows host to the configuration server, you can use PowerShell:
      Test-NetConnection -ComputerName <configurationServerIP> -Port 8413 -InformationLevel "Detailed"
      Note that Test-NetConnection tests TCP only, so it cannot verify the UDP heartbeat path. To test UDP connectivity, use a tool such as Microsoft's® PortQry.
  • Confirm that all the log sources associated with the affected agent are receiving events.
  • Confirm that the log source has an updated "Last Event" timestamp in the Log Source Management app.
  • For a managed WinCollect agent, ensure that the agent is on the latest version. You can check the version of the agent in QRadar: Admin > WinCollect > Agents > double-click the affected agent > check WinCollect Version. To check which agent package is installed on the QRadar Console, run this command on the CLI:
    yum list all | grep -i AGENT-WINCOLLECT
If all of the above checks pass and the issue persists, you can:
  • Enable debug logging for more granular output on both the agent and the QRadar host that acts as the configuration server. If you are not sure which host is the configuration server, check the ConfigurationServer entry in the config/install_config.txt file on the WinCollect host.
  • If the debug output is not clear, or doesn't reveal anything obvious, open a Support case with IBM.

Resolving The Problem

  1. Verify the version of WinCollect and ensure that the latest one is installed. To download the latest version, you can go to IBM Fix Central or the WinCollect 101 portal.
  2. Check on the WinCollect side for misconfigurations in the install_config.txt file, and ensure that the ConfigurationServer and StatusServer entries contain the correct IP address, host name, or FQDN.
  3. Verify on the QRadar side, from the WinCollect tab for the affected agent, that the heartbeat and Agent Version are correct.
  4. Check connectivity from the WinCollect agent to the Event Collector (configuration server) or Console on ports 514 and 8413. The configuration server also needs to be able to connect to the QRadar Console on port 443 for REST API queries. For reference, see: Communication between WinCollect agents and QRadar.
  5. Check whether there is a time difference between the Event Collector and the Console, for example by running this on the Console CLI:
    date; ssh 10.10.10.10 date
    Where the IP address is the IP of your Event Collector. If the clocks are consistently out of sync, configure NTP for QRadar.
  6. If the agent uses a custom certificate, you can also try regenerating the PEM file on the WinCollect agent. See: WinCollect: Replacing the default certificate in QRadar Generates invalid PEM errors
  7. If you still are stuck, open a Support case with IBM.
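The following bash script is an added example, not IBM tooling and not part of the original article. It runs steps 4 and 5 above from the QRadar side, together with the heartbeat-listener check implied in the Diagnosing section, on the host that the agent names as ConfigurationServer in install_config.txt: it verifies that 514/tcp (events), 514/udp (heartbeats) and 8413/tcp (configuration) are bound, that the host can reach the Console on 443, and it computes the clock skew to another QRadar host instead of leaving you to compare two date strings by eye. The port numbers are those in this article; the script name, the 5-second skew threshold and the sample ss output are assumptions or constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not IBM tooling: a check script for the QRadar host that the
# agent names as ConfigurationServer / StatusServer in install_config.txt.
# It covers steps 4 and 5 of the article from the QRadar side:
#   - are the listeners the agent needs (514/tcp events, 514/udp heartbeats,
#     8413/tcp configuration) bound on this host?
#   - can this host reach the Console on 443 (REST API)?
#   - how far apart are the clocks of this host and another QRadar host?
# Port numbers come from the article; MAX_SKEW_SECONDS is an assumed threshold.

REQUIRED_LISTENERS="514/tcp 514/udp 8413/tcp"
MAX_SKEW_SECONDS=5

# missing_listeners: read `ss -lntu` output on stdin and print each entry of
# REQUIRED_LISTENERS that has no bound socket, one per line (empty = all good).
missing_listeners() {
    local bound="" proto state rq sq local_addr rest port req
    while read -r proto state rq sq local_addr rest; do
        case "$proto" in tcp|udp) ;; *) continue ;; esac   # skip the header line
        port="${local_addr##*:}"                            # 0.0.0.0:514 or [::]:8413
        bound="$bound $port/$proto"
    done
    for req in $REQUIRED_LISTENERS; do
        case " $bound " in
            *" $req "*) ;;
            *) echo "$req" ;;
        esac
    done
}

# skew_seconds LOCAL_EPOCH REMOTE_EPOCH: absolute clock difference in seconds.
skew_seconds() {
    local d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    echo "$d"
}

# console_reachable HOST: true if an HTTPS connection to HOST:443 completes.
# Any HTTP status counts; the point is only that the TCP/TLS path is open.
console_reachable() {
    local code
    code=$(curl -sk -m 5 -o /dev/null -w '%{http_code}' "https://$1/") || return 1
    [ "$code" != "000" ]
}

# Constructed sample of `ss -lntu` output (not captured from a real host):
# the UDP heartbeat listener is missing, so heartbeats would never arrive.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:8413        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:514         0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*'

# main CONSOLE [OTHER_QRADAR_HOST]: run the live checks on this host.
main() {
    local console="$1" peer="${2:-}" missing remote_epoch skew rc=0

    missing=$(ss -lntu | missing_listeners)
    if [ -n "$missing" ]; then
        echo "FAIL: no listener bound for: $missing"; rc=1
    else
        echo "OK: 514/tcp, 514/udp and 8413/tcp are listening"
    fi

    if console_reachable "$console"; then
        echo "OK: HTTPS to $console:443 works"
    else
        echo "FAIL: cannot reach $console:443 (REST API path)"; rc=1
    fi

    if [ -n "$peer" ]; then
        remote_epoch=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "$peer" 'date +%s') || {
            echo "FAIL: could not read the clock of $peer over ssh"; return 1; }
        skew=$(skew_seconds "$(date +%s)" "$remote_epoch")
        if [ "$skew" -gt "$MAX_SKEW_SECONDS" ]; then
            echo "FAIL: clock skew to $peer is ${skew}s (> ${MAX_SKEW_SECONDS}s); configure NTP"; rc=1
        else
            echo "OK: clock skew to $peer is ${skew}s"
        fi
    fi
    return $rc
}

# Usage: bash wincollect_server_check.sh <console> [<event-collector>]
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Run it on the configuration server as `bash wincollect_server_check.sh <console> <event-collector>`; a FAIL line for 514/udp points at the heartbeat path specifically, which is the one Test-NetConnection on the Windows side cannot exercise. The listener check only proves the socket is bound on this host, not that a firewall between the agent and this host lets the traffic through, so pair it with the tcpdump check from the Diagnosing section.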

Document Location

Worldwide


Document Information

Modified date:
29 June 2022

UID

ibm16567495