How To
Summary
WinCollectHealthCheck.sh runs through a series of tests and automated checks to help validate managed WinCollect deployments. The support tool WinCollectHealthCheck allows administrators to report the state of managed WinCollect agents deployed in your network.
Environment
The WinCollectHealthCheck utility reports data from the QRadar Console for managed WinCollect agents. Administrators with stand-alone agents cannot use the WinCollectHealthCheck tool as those agents are not managed or monitored by the QRadar Console.
Steps
Validate your WinCollect deployment.
- Use SSH to log in to your QRadar Console as the root user.
- Run WinCollectHealthCheck.sh.
/opt/qradar/support/WinCollectHealthCheck.sh
- Example output
The following is example output with one running agent and one unavailable agent:
Last Heartbeat Test :
Passed : There are 1 WinCollect Agents that have a heartbeat within the last 30 minutes
Failed : There are 1 WinCollect Agents whose last heartbeats are beyond 30 minutes
Passed : There are 0 WinCollect Agents that have no heartbeat
Passed : There are 0 WinCollect Agents that have not been deployed
____________________________________
HeartBeat Test Failed
Version Test :
Passed : There are 0 WinCollect Agents that are version 7.2.5
Passed : There are 0 WinCollect Agents that are version 7.2.6
Passed : There are 0 WinCollect Agents that are version 7.2.7
Passed : There are 0 WinCollect Agents that are version 7.2.8
Passed : There are 0 WinCollect Agents that are version 7.2.8 patch 1
Passed : There are 0 WinCollect Agents that are version 7.2.8 patch 2
Passed : There are 0 WinCollect Agents that are version 7.2.9
Passed : There are 0 WinCollect Agents that are version 7.2.9 patch 1
Passed : There are 0 WinCollect Agents that are version 7.2.9 patch 2
Passed : There are 0 WinCollect Agents that are version 7.2.9 patch 3
Passed : There are 0 WinCollect Agents that are version 7.3.0
Passed : There are 0 WinCollect Agents that are version 7.3.0 patch 1
Failed : There are 0 WinCollect Agents that are version 7.3.1
____________________________________
Version Test Failed
LogSource Test :
Failed : There are 0 Log Sources whose last event times are less than 720 minutes
Passed : There are 0 Log Sources whose last event times are beyond 720 minutes
____________________________________
Log Source Test Failed
Status Test :
Passed : There are 0 WinCollect Agents that are not communicating.
Passed : There are 1 WinCollect agents running.
Passed : There are 0 WinCollect Agents in "Stopped" status.
Failed : There are 1 WinCollect Agents that are Unavailable.
Passed : There are 0 Dirty WinCollect Agents.
____________________________________
Status Test Failed
RPM Test :
Passed : WinCollect 7.2.5 RPM files were not found
Passed : WinCollect 7.2.6 RPM files were not found
Passed : WinCollect 7.2.7 RPM files were not found
Passed : WinCollect 7.2.8 RPM files were not found
Passed : WinCollect 7.2.8 Patch 1 RPM files were not found
Passed : WinCollect 7.2.8 Patch 2 RPM files were not found
Passed : WinCollect 7.2.9 RPM files were not found
Passed : WinCollect 7.2.9 Patch 1 RPM files were not found
Passed : WinCollect 7.2.9 Patch 2 RPM files were not found
Passed : WinCollect 7.2.9 Patch 3 RPM files were not found
Passed : WinCollect 7.3.0 RPM files were not found
Failed : WinCollect 7.3.0 patch 1 RPM files were not found
Failed : WinCollect 7.3.1 RPM files were not found
____________________________________
RPM Test Failed
====================================
Overall Results : At Least 1 Test Failed
Would you like further information on the components that failed the tests? Please answer yes or no :
- Type yes for more information on components that failed the tests. Otherwise, type no.
- Example output
Old Last_Heartbeats:
There are heartbeats that have not come in for over 30 minutes, following are query results identifying these agents
 Agent ID |             Agent Name             |       Hostname        |     last_heartbeat
----------+------------------------------------+-----------------------+-------------------------
        2 | WinCollect @ WINDOWS10-host2       | WINDOWS10-host2       | 2022-07-28 12:07:26.392
(1 row)

WinCollect Inactive Agents:
Description: Querying the inactive agents, these agents will have a value of true for deleted, or a value of false for enabled or deployed
 hostname |       version        | last_heartbeat | deployed | enabled | deleted
----------+----------------------+----------------+----------+---------+---------
 ?        | N/A                  |                | f        | f       | t

Status 4 Failure:
There are agents that are Unavailable.
 id |             Agent Name             |       hostname        |     last_heartbeat      | status
----+------------------------------------+-----------------------+-------------------------+--------
  2 | WinCollect @ WINDOWS10-host2       | WINDOWS10-host2       | 2022-07-28 12:07:26.392 |      4
(1 row)

RPM Files are not Up to date:
This test failed because the required rpm files were not found or files of an older version were found.
These are your WinCollect Files
PROTOCOL-WinCollectJuniperSBR-7.5-20210928014626.noarch
PROTOCOL-WinCollectMicrosoftSQL-7.5-20210928014626.noarch
PROTOCOL-WinCollectMicrosoftIAS-7.5-20210928014626.noarch
PROTOCOL-WinCollectMicrosoftISA-7.5-20210928014626.noarch
PROTOCOL-WinCollectMicrosoftExchange-7.5-20210928014626.noarch
PROTOCOL-WinCollectWindowsEventLog-7.5-20210928014626.noarch
PROTOCOL-WinCollectFileForwarder-7.5-20210928014626.noarch
PROTOCOL-WinCollectMicrosoftDHCP-7.5-20210928014626.noarch
DSM-WinCollect-7.4-20210817165702.noarch
PROTOCOL-WinCollectMicrosoftDNS-7.5-20210928014626.noarch
PROTOCOL-WinCollectNetAppDataONTAP-7.5-20210928014626.noarch
PROTOCOL-WinCollectConfigServer-7.5-20210928014626.noarch
PROTOCOL-WinCollectMicrosoftIIS-7.5-20210928014626.noarch
Result
Understanding the output:

Check: Last Heartbeat Test
Description: Informs administrators when there is no heartbeat from an agent, the heartbeats are older than 30 minutes, or agents are not deployed.
Notes: For agents that do not report a heartbeat, review the install_config.txt file on the WinCollect agent and confirm the IP address or hostname in the ServerStatus field. By default, install_config.txt is located in C:\Program Files\IBM\WinCollect\config.

Check: Version Test
Description: Identifies the WinCollect agent version for all managed agents.
Notes: Administrators can use this test to output a list of all agent versions reporting to QRadar and identify remote hosts that need to be updated to a supported version (N, N-1). You can configure managed agents to update automatically from Admin > WinCollect settings in your QRadar Console. Updates are enabled by default but can be disabled.

Check: Log Source Test
Description: Identifies the number of log sources that reported event data in the last 720 minutes.
Notes: All syslog sources have a default setting in QRadar to check whether an event source reported data. Log sources that do not report events might simply have no events to report. A good practice is to review those agents to ensure that network changes or outages are not blocking events, and to confirm that the agent service is running.

Check: Status Test
Description: Passes when all agents are running. Possible agent statuses include running, stopped, and unavailable.
Notes: Dirty agents are hosts with pending changes, such as a log source update, software update, or configuration change. QRadar tracks pending changes for each agent and updates remote hosts when they call in. Update frequency checks are based on the agent's configuration polling interval, which is set to 10 minutes by default. If you experience issues with managing WinCollect agents, contact support.

Check: RPM Test
Description: Passes when the most recent RPM patches are found, and older ones are absent.
Notes: Administrators with missing RPMs need to mount and install the latest WinCollect SFS file from IBM Fix Central. To download the latest managed WinCollect SFS file, see https://ibm.biz/getwincollect7.
Running a tuning test
You can run a tuning test to see whether the WinCollect deployment is within supported tuning parameters.
- Use SSH to log in to your QRadar Console as the root user.
- Run the tuning test with the -t option.
/opt/qradar/support/WinCollectHealthCheck.sh -t
Result
The tuning test runs only on working agents. The test checks for the following:
- That managed hosts have fewer than 500 agents each
- That each agent does not have more than 500 log sources
- That polling channels, divided by their respective polling interval, are less than 30
- That there are no more than 30 XPath queries and 2 per agent
Example of successful output:
Tuning Test :
Passed : The managed host with the most agents is at X.X.X.X with 1 agents.
Passed : The agent(s) with the most logsources has
Passed : Generating a maximum of of the 30 supported WinCollect channels per second on a single agent.
Passed : Generating a maximum of 0 of the 10 supported XPath channels per second on a single agent.
Passed : Generating a maximum of 0 of the 30 supported channels per second on a single agent.
____________________________________
Tuning Test Passed

Learn about tuning profiles by reading WinCollect: Let's Talk About Log Source Event Rates & Tuning Profiles.
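Both the default run and the -t tuning run print one "Passed :" or "Failed :" line per check under a "<name> Test :" header, followed by an "Overall Results" line and a yes/no prompt, which makes the output easy to parse for scheduled monitoring of the agent fleet. The parser below is an added example, not part of the IBM article or of the tool; it assumes each check sits on its own line as in the output shown above, and run_health_check assumes (unverified) that the script accepts the yes/no answer on stdin.

```python
import re
import subprocess

# Constructed sample in the tool's output format (not captured from a real console).
SAMPLE_OUTPUT = """\
Last Heartbeat Test :
Passed : There are 1 WinCollect Agents that have a heartbeat within the last 30 minutes
Failed : There are 1 WinCollect Agents whose last heartbeats are beyond 30 minutes
HeartBeat Test Failed
Status Test :
Passed : There are 1 WinCollect agents running.
Failed : There are 1 WinCollect Agents that are Unavailable.
Status Test Failed
Tuning Test :
Passed : Generating a maximum of 0 of the 30 supported channels per second on a single agent.
Tuning Test Passed
Overall Results : At Least 1 Test Failed
Would you like further information on the components that failed the tests? Please answer yes or no :
"""

SECTION_RE = re.compile(r"^(.+? Test) :$")           # "Status Test :" opens a block of checks
CHECK_RE = re.compile(r"^(Passed|Failed) : (.+)$")    # one line per check
OVERALL_RE = re.compile(r"^Overall Results : (.+)$")

def parse_health_check(text):
    """Group every Passed/Failed line under the test header that printed it."""
    tests, current, overall = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION_RE.match(line):
            current = m.group(1)
            tests[current] = {"passed": [], "failed": []}
        elif (m := CHECK_RE.match(line)) and current:
            tests[current][m.group(1).lower()].append(m.group(2))
        elif m := OVERALL_RE.match(line):
            overall = m.group(1)
    return {"tests": tests, "overall": overall}

def failed_checks(report):
    """(test, detail, count) for each failed line; count is None when the line has no 'There are N'."""
    rows = []
    for name, result in report["tests"].items():
        for detail in result["failed"]:
            m = re.search(r"There are (\d+) ", detail)
            rows.append((name, detail, int(m.group(1)) if m else None))
    return rows

def run_health_check(script="/opt/qradar/support/WinCollectHealthCheck.sh", tuning=False):
    """Run the tool and parse its output. Assumes (not verified here) that the yes/no answer can be fed on stdin."""
    proc = subprocess.run([script] + (["-t"] if tuning else []), input="no\n", capture_output=True, text=True)
    return parse_health_check(proc.stdout)
```

A Failed line with a count of 0 is still a failure (the Version Test fails when zero agents run the newest version, and the RPM Test fails when the newest RPM is absent), so alert on the status word rather than on the count.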
Document Information
Modified date: 21 October 2022
UID: ibm16830295