News
Abstract
QRadar® SIEM development identified a defect where managed WinCollect agents at 7.x experience issues adding new agents or making configuration changes after an upgrade to QRadar 7.5.0 Update Package 4 (7.5.0.20221129155237) or later. This issue affects managed WinCollect 7 agents where the deployment is updated to QRadar SIEM 7.5.0 Update Package 4 (7.5.0.20221129155237) and later.
Content
Technical note updates
- 14 March 2023: 10 AM ET: Updated this content to add "7.5.0 Update Pack 4 (7.5.0.20221129155237) and later" as WinCollect 7.3.1-28 is required for users who upgrade to QRadar 7.5.0 Update Package 5 (7.5.0.20230301133107), which was released on 13 March 2023.
- 17 February 2023: 10 AM ET: An update is available to administrators to resolve the communication issue. A new version of WinCollect 7.3.1-28 is released, but this version is only intended for QRadar Consoles on 7.5.0 Update Pack 4 (7.5.0.20221129155237) and later.
- 14 February 2023: 4:00 PM ET: Update to confirm WinCollect and QRadar version compatibility.
- 9 February 2023 4:00 PM ET: Initial release of the flash notice to users.
Resolution
A resolution is available on IBM Fix Central for APAR IJ45284. Administrators with managed WinCollect 7.x agents on QRadar 7.5.0 Update Pack 4 can download and install WinCollect 7.3.1-28. WinCollect 7.3.1-28 is a specific build to resolve the managed WinCollect communication issue for 7.5.0 Update Pack 4 and later. For more information, see Table 1.
Table 1: QRadar versions and required WinCollect SFS compatibility.
After you upgrade to WinCollect 7.3.1-28, communication issues are resolved and administrators can add or manage agents. For more information on how to install WinCollect 7.3.1-28, see Release of WinCollect Agent V7.3.1-28 (Patch 2).
Note: As WinCollect 7.3.1-28 is a special build for QRadar 7.5.0 UP4 and later, an installation check was added to ensure that users do not accidentally install WinCollect 7.3.1-28 on an incorrect Console version. The following installation error is displayed if you attempt to install WinCollect 7.3.1-28 on an incompatible QRadar Console version:
Table 1: QRadar versions and required WinCollect SFS compatibility.
| QRadar version | WinCollect version | Notes |
| 7.5.0 Update Pack 4 or later | 7.3.1-28 (https://ibm.biz/wincollect_ij45284) | QRadar 7.5.0 UP4 or later is affected by IJ45284. Administrators must install to WinCollect 7.3.1-28 on the Console to resolve the communications issue to add or managed remote agents. WinCollect 7.3.1-28 is only compatible with QRadar 7.5.0 Update Pack 4 and later. |
| 7.5.0 Update Pack 3 or earlier | 7.3.1-22 | QRadar 7.5.0 UP3 and earlier versions are not affected by IJ45284. Managed WinCollect versions 7.3.1-22 and earlier are compatible only with QRadar 7.5.0 update package 3 and earlier. If you plan to upgrade to QRadar 7.5.0 UP4 or later in the future, you must install WinCollect 7.3.1-28 after you update your Console appliance. |
| QRadar 7.4.x | 7.3.1-22 | QRadar 7.4.x and earlier versions are not affected by IJ45284. Managed WinCollect versions 7.3.1-22 and earlier are compatible only with QRadar 7.4.x versions. If you plan to upgrade to QRadar 7.5.0 UP4 or later in the future, you must install WinCollect 7.3.1-28 after you update your Console appliance. |
After you upgrade to WinCollect 7.3.1-28, communication issues are resolved and administrators can add or manage agents. For more information on how to install WinCollect 7.3.1-28, see Release of WinCollect Agent V7.3.1-28 (Patch 2).
Note: As WinCollect 7.3.1-28 is a special build for QRadar 7.5.0 UP4 and later, an installation check was added to ensure that users do not accidentally install WinCollect 7.3.1-28 on an incorrect Console version. The following installation error is displayed if you attempt to install WinCollect 7.3.1-28 on an incompatible QRadar Console version:
[INFO] Preparing patch...
[ERROR] --------------------------------------------------------------------------------
[ERROR] Your system must be at level 2021.6.4
[ERROR] or higher to apply this patch.
[ERROR] You must apply the relevant patch first, and then attempt
[ERROR] to run this patch again.
[ERROR] If you continue to have trouble, contact Customer Support for assistance.
[ERROR] --------------------------------------------------------------------------------
Note: The version displays 2021.6.4 is the internal build number for QRdaar 7.5.0 Update Pack 4. This error message indicates your Console is not compatible with the WinCollect 7.3.1-28 SFS.Important: Several users reported an issue where WinCollect agents cannot be added or managed due to session. Administrators with QRadar 7.5.0 Update Package 4 with managed WinCollect 7.x agents need to confirm your software versions before you upgrade your QRadar deployment to avoid WinCollect issues described in APAR IJ45284. If you use managed WinCollect 7.x agents, administrators need to delay upgrades to 7.5.0 Update Package 4 (7.5.0.20221129155237) or upgrade to WinCollect 7.3.1-28.
The following issues occur can when you experience IJ45284:
- New agents cannot be added to QRadar.
- Configuration changes cannot be made on agents.
Note: This issue does not impact services or forwarding as WinCollect agents display a status as Running in the user interface. Existing agents successfully collect and forward events to QRadar, but configuration changes do not complete as expected and new agents cannot be successfully added.
Affected products
QRadar SIEM 7.5.0 Update Pack 4 with managed WinCollect 7.x agents.
Note: QRadar on Cloud appliances are not affected by this issue as QRadar on Cloud supports stand-alone agents.
Error messages
When this issue occurs, the following error is displayed in qradar.log on the Console:
[tomcat.tomcat] [WinCollect@xx.xx.xx.xx (4963) /console/wincollect] com.q1labs.frameworks.session.SessionContext: [WARN] [NOT:0000004000][xx.xx.xx.xx/- -] [-/- -]
Destroy was called while session feb33195-ea46-42e0-882d-3a5c32f57247 was in an open transaction
[tomcat.tomcat] [WinCollect@xx.xx.xx.xx (4963) /console/wincollect] java.lang.Exception
[tomcat.tomcat] [WinCollect@xx.xx.xx.xx (4963) /console/wincollect] at com.q1labs.frameworks.session.SessionContext.beginTransaction(SessionContext.java:1010)
[tomcat.tomcat] [WinCollect@xx.xx.xx.xx (4963) /console/wincollect] at com.q1labs.uiframeworks.servlet.ServletBase.service(ServletBase.java:87)
[tomcat.tomcat] [WinCollect@xx.xx.xx.xx (4963) /console/wincollect] at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
On the WinCollect 7.x agents, the following INFO message is seen in the WinCollect.log:
INFO SRV.Code.SSLConfigServerAPIClient.v2.HOSTNAME : Register Instance response type 2 size 89 version 2.2 -
The configServer failed to communicate with the QRadar Console. An unexpected error occurred.
Check the server's log files for details.. ALEResp(500) Check the state of the Tomcat service on the console.
Before you update to 7.5.0 Update Pack 4, you must confirm whether you are affected by this known issue.
Procedure
Procedure
- Log in to the QRadar Console and confirm your software version.
- On the Navigation menu, click About to view your QRadar version.
- Optional. In the command-line interface, use SSH to connect to the Console and type the following command:
/opt/qradar/bin/myver -vReview the Release Name field to determine your Console version. For example,Product is 'QRadar' Appliance is '3199' Core version is '2021.6.4.20221129155237' Latest version is '2021.6.4.20221129155237' Branded version is '' External version is '7.5.0' Branded latest version is '' Release name is '7.5.0 UpdatePackage 4' <---- Version installed with is '2020.7.0.20201113144954'
- On the Navigation menu, click About to view your QRadar version.
- Click the Admin tab.
- Click the WinCollect icon.
- Review the Version column to determine whether any 7.x agents display in the user interface.
Important: The user interface does not indicate any errors. WinCollect agent status displays as Running and agents successfully forward events and status messages. However, administrators are not able to make configuration changes or successfully add new managed WinCollect agents.
Results
If you use WinCollect 7.x managed agents and have QRadar 7.5.0 UP4 installed, QRadar Support is advising administrators to install WinCollect7.3.1.-28. For more information , see Release of WinCollect Agent V7.3.1-28 (Patch 2).
Note: If you are unable to upgrade to WinCollect 7.3.1-28, administrators can set a WinCollect agent to stand-alone mode. Configuring stand-alone mode is not recommended as it is easier to upgrade to WinCollect 7.3.1-28 to resolve the issue described in APAR IJ45284. For more information, see +How to deploy or manage WinCollect 7.x agents.
How to deploy or manage WinCollect 7.x agents
Important: This procedure is no longer required as a new version of WinCollect was released for QRadar 7.5.0 Update Pack 4 and later. If you use managed WinCollect 7.x agents, see the Resolution section in this technical note.
Administrators who need to deploy new agents can temporarily install or manage agents in stand-alone mode. If you need to disconnect a managed WinCollect 7.x agent to make configuration changes, the procedure in this technical note can guide you.
Note: If your organization is planning to deploy several WinCollect 7.x agents or make volume changes, administrators can install or configure agents in stand-alone mode and use a template file to apply required agent updates. For more information, see WinCollect 7.x – Stand-Alone change configuration with Templates.
Procedure
Modifying the install_config file on a WinCollect agent allows administrators to disconnect a managed agent and allows the software to run in stand-alone mode. The Configuration Console user interface on the local host allows administrators to make log source, destination, or agent changes.
- Log in to the Windows host where the WinCollect 7.x agent is installed.
- Log in to the Windows host.
- Stop the WinCollect service.
- Edit the install_config.txt file.
- Clear the value in ConfigurationServer= field. Setting the value blank allows the agent to run in stand-alone mode.
- Use one of the following options to make required changes to your WinCollect 7.x agent:
- Download the WinCollect Configuration Console and install the user interface on your Windows host: WinCollect Agent Patch Installer 7.3.1-22. Make any required changes and click Deploy.
- Use a template file to apply changes to your WinCollect agent. For more information, see WinCollect 7.x – Stand-Alone change configuration with Templates.
- Start the WinCollect service.
Results
After the WinCollect service starts, the new configuration changes are loaded. You can verify the changes in the events on the Log Activity tab on the QRadar Console. If you experience issues with changes to your WinCollect 7.x agent, contact QRadar Support for assistance.
- QRadar Support
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtdAAA","label":"Upgrade"},{"code":"a8m0z000000cwtwAAA","label":"WinCollect"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5.0"}]
Was this topic helpful?
Document Information
Modified date:
14 March 2023
UID
ibm16953887