IBM Support

WinCollect: "Unable to push <number> events to C:\ProgramData\WinCollect\Data\Events\eventcollector-- DiskManager can't allocate <number> bytes" error

Troubleshooting


Problem

The error is written to the WinCollect log when the agent cannot deliver events to the target event collector and its on-disk event cache (under C:\ProgramData\WinCollect\Data\Events\) has reached its allocation limit, so DiskManager cannot allocate space for the next block of events and those events are dropped.

Symptom

  • Event loss due to WinCollect agent being unable to send events to the target event collector.
  • The following error codes can be seen in the WinCollect log: 
    Unable to push <number> events to C:\ProgramData\WinCollect\Data\Events\eventcollector-- DiskManager can't allocate <number> bytes
    Event cache rejected new message block. Messages lost <number>.

Cause

  • Communication issue between the WinCollect agent and the target event collector:
    1. Port 514 for TCP is not open or not listening on the QRadar event collector.
    2. A firewall between the hosts is not configured to accept connections to port 514/TCP.
  • Network issues, such as network outages or network change.
  • The event rate is not configured as required in the Log Source configuration.

Resolving The Problem

Before you begin, verify port 514 connectivity. Run the PowerShell command on the Windows® host where WinCollect is configured:
Test-NetConnection -ComputerName <IP_OF_TargetEventCollector> -Port 514 -InformationLevel "Detailed"
If TCPTestSucceeded=False
  1. Check the topology between the Windows host and the QRadar event collector for any missing firewall rules or routing between the hosts.
  2. Double check that port 514 is open and listening on the QRadar event collector:
    ss -tulpan | grep -w 514
    If the port is not listening, restart the ecs-ec-ingress service on the event collector. If the port still does not come up, open a case with IBM QRadar Support.
If TCPTestSucceeded=True
  1. Modify the Event Rate Tuning Profile in the Log Source configuration. If the Windows servers are domain controllers or DNS servers with a high rate of events, select High Event Rate and save the configuration.
    For more information, see Related Information regarding tuning.
  2. Disable and Enable the Log Source.
  3. Clear WinCollect cache.
    1. Stop WinCollect service.
    2. Take a backup of C:\ProgramData\WinCollect\Data\.
    3. Remove C:\ProgramData\WinCollect\Data\.
    4. Start the WinCollect service.
Result:
Check Log Activity for events from this WinCollect agent, and check the WinCollect log to confirm that the error message no longer appears.
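The procedure above, from the port check through clearing the cache and re-checking the log, as one PowerShell script to run as Administrator on the Windows host. This is an added example and not code from the IBM article; it assumes the Windows service is named WinCollect and that the agent log is at C:\Program Files\IBM\WinCollect\logs\WinCollect.log (both assumptions; adjust the parameters if the agent was installed elsewhere). The cache is only cleared after the TCP test succeeds, because clearing it while the collector is still unreachable just loses the cached events.

```powershell
# Added example (not from the IBM page): verify TCP/514 to the event collector,
# and only if that succeeds, clear the WinCollect cache with a backup and then
# scan the agent log for the DiskManager / cache-rejected errors.
# Assumptions (not stated on the page): service name 'WinCollect' and the
# default log path under C:\Program Files\IBM\WinCollect\logs.
param(
    [Parameter(Mandatory = $true)][string]$Collector,   # IP or FQDN of the QRadar event collector
    [int]$Port = 514,
    [string]$DataDir = 'C:\ProgramData\WinCollect\Data',
    [string]$LogFile = 'C:\Program Files\IBM\WinCollect\logs\WinCollect.log',  # assumed default
    [string]$ServiceName = 'WinCollect'                                          # assumed service name
)

$ErrorActionPreference = 'Stop'

# 1. Connectivity check (the article's Test-NetConnection step).
$tnc = Test-NetConnection -ComputerName $Collector -Port $Port -InformationLevel Detailed
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning "TCP $Port to $Collector ($($tnc.RemoteAddress)) failed. Fix firewall rules or routing and confirm the collector is listening before clearing the cache."
    exit 1
}
Write-Host "TCP $Port to $Collector succeeded; proceeding to clear the cache."

# 2. Stop the agent so the cache files are not in use while they are copied and removed.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# 3. Back up the Data directory with a timestamp, then remove it.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = "$DataDir.bak-$stamp"
if (Test-Path -Path $DataDir) {
    Copy-Item -Path $DataDir -Destination $backup -Recurse
    Remove-Item -Path $DataDir -Recurse -Force
    Write-Host "Cache backed up to $backup and removed."
} else {
    Write-Host "$DataDir not present; nothing to clear."
}

# 4. Start the agent again; it recreates the Data directory on its own.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# 5. Give the agent time to reconnect, then look for the two error strings in the log tail.
Start-Sleep -Seconds 30
if (Test-Path -Path $LogFile) {
    $hits = Get-Content -Path $LogFile -Tail 200 |
            Select-String -SimpleMatch -Pattern "DiskManager can't allocate", "Event cache rejected new message block"
    if ($hits) {
        Write-Warning "Error still present in the last 200 log lines:"
        $hits | ForEach-Object { Write-Warning $_.Line }
    } else {
        Write-Host "No DiskManager or cache-rejected errors in the last 200 log lines."
    }
} else {
    Write-Warning "Log file $LogFile not found; check the WinCollect install path."
}
```

Run it as `.\Clear-WinCollectCache.ps1 -Collector <IP_OF_TargetEventCollector>`; the Event Rate Tuning Profile change and the log source disable/enable are done in the QRadar console and are not scripted here.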

Document Information

Modified date:
10 March 2023

UID

ibm16958372