IBM Support

QRadar: WinCollect service requires restarting after replacing QRadar certificates

Troubleshooting


Problem

After the replacement of the QRadar certificate with a newly created self-signed certificate, errors are displayed in the IBM WinCollect 10 Agent logs and no events are sent to the QRadar Console.

Diagnosing The Problem

This issue can be seen in the following circumstances:
  • Initial setup of IBM WinCollect 10 Agent.
  • Replacing an existing certificate, when the certificate is about to expire.
Steps to Reproduce:
  1. Install IBM WinCollect 10 agent.
  2. Create a TLS destination on the QRadar Console with the generated certificate type.
  3. Add a TLS destination to the IBM WinCollect 10 agent with the generated PEM file configured into QRadar.
  4. Generate a new self-signed certificate by completing the following instructions.
    https://www.ibm.com/support/pages/qradar-tls-syslog-support-der-encoded-pkcs8-custom-certificates
  5. IBM WinCollect 10 agent connects and logs are seen in the QRadar Console.
  6. Replace the destination's certificate with a new self-signed certificate. Errors are displayed in the IBM WinCollect 10 Agent logs and no events are sent to the QRadar Console.

Resolving The Problem

Note: Customers running IBM WinCollect Agents 10.0.1 and 10.0.2 are advised to complete a manual restart of the IBM WinCollect service after the replacement of the certificate.
Restarting the IBM WinCollect 10 Agent service clears the old certificate from the cache and loads the newly created certificate, and establishes a secure connection between the IBM WinCollect 10 Agent and the QRadar Console.
There are 3 locations where the IBM WinCollect Agents service can be restarted:
  • IBM WinCollect Agent GUI
  • Windows Operating System GUI
  • PowerShell Command Line

To restart the IBM WinCollect service (IBM WinCollect Agent GUI)

  1. Click the Microsoft Start Button, select IBM WinCollect 10, then click IBM WinCollect 10 Console.
  2. From the console screen, you can see the status of the IBM WinCollect 10 service.
  3. Click 'Service is running' and then click Restart.

To restart the IBM WinCollect service (Windows Operating System GUI)

  1. On the Server Manager window click Tools, and select Services.
  2. Scroll down and highlight the IBM WinCollect service, then click the Restart Service Button.

To restart the IBM WinCollect Agents service (PowerShell Command Line)

  1. Right-click the Windows Start Button and select the option 'Windows PowerShell (Admin)'.
  2. To stop the IBM WinCollect service, run the following command.
    net stop wincollect
  3. To start the IBM WinCollect service, run the following command.
    net start wincollect
After the restart of the IBM WinCollect 10 Agents service, the issue will be resolved, and the system logs are seen in the QRadar Console.
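
The following script is an added example, not IBM code: it checks that the PEM file on the agent matches the certificate the QRadar TLS destination now presents, and only then restarts the `wincollect` service named in the commands above. It assumes the agent's PEM file holds the destination's own certificate and that the destination accepts TLS 1.2; `$PemPath`, `$QRadarHost` and `$Port` are placeholders you supply. Run it from an elevated PowerShell session.

```powershell
# Added example, not IBM code. All three parameters are placeholders for your environment.
param(
    [Parameter(Mandatory)] [string] $PemPath,     # PEM file configured on the agent's TLS destination
    [Parameter(Mandatory)] [string] $QRadarHost,  # host of the QRadar TLS destination
    [Parameter(Mandatory)] [int]    $Port         # listen port of that destination
)
$ErrorActionPreference = 'Stop'

function Get-Sha256Hex([byte[]] $Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

# 1. Fingerprint of the first certificate in the PEM file (DER bytes between the markers).
$pem = Get-Content -Raw -Path $PemPath
if ($pem -notmatch '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----') {
    throw "No certificate block found in $PemPath"
}
$pemFp = Get-Sha256Hex ([Convert]::FromBase64String(($Matches[1] -replace '\s', '')))

# 2. Fingerprint of the certificate the destination presents on the wire.
$tcp = New-Object System.Net.Sockets.TcpClient($QRadarHost, $Port)
try {
    # The callback accepts any chain: the certificate is self-signed, and the
    # fingerprint comparison below is the actual trust decision.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    # TLS 1.2 is an assumption about the destination's configuration.
    $ssl.AuthenticateAsClient($QRadarHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $wireFp = Get-Sha256Hex ($ssl.RemoteCertificate.GetRawCertData())
} finally { $tcp.Close() }

if ($pemFp -ne $wireFp) {
    throw "Mismatch: agent PEM is $pemFp, destination presents $wireFp. Update the PEM before restarting."
}

# 3. Restart so the agent drops the cached certificate, then confirm the service came back.
Restart-Service -Name wincollect
$svc = Get-Service -Name wincollect
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
"PEM matches destination ($pemFp); service status: $($svc.Status)"
```

A mismatch means a restart alone will not restore event flow, because the agent would load a PEM that does not correspond to the new certificate.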

Resolution

This issue is resolved in WinCollect version 10.1.1. It is listed in the Bug fixes and improvements section as:
"Fixed an issue where the agent caches PEM files that are removed from the config until the service is restarted."
Customers experiencing this issue should upgrade WinCollect to version 10.1.1 or later.

Document Location

Worldwide

Document Information

Modified date:
31 August 2023

UID

ibm16618391