IBM Support

Release of WinCollect Agent V7.2.8 patch 2

Release Notes


Abstract

This release note contains upgrade instructions and a list of fixed issues for IBM Security WinCollect Agent V7.2.8 P2. Questions about this update can be discussed in the QRadar forums.

Content

Quick links

 

Known issues identified in WinCollect V7.2.8.P2

There are no known issues specific to WinCollect V7.2.8.P2 at this time.

About WinCollect V7.2.8.P2

This patch release updates the IBM QRadar WinCollect Agent UI to display the build number in the agent. This allows you to easily determine which WinCollect agents are updated. Questions about this version / upgrade can be discussed in our new WinCollect forums here: WinCollect forum.

Features and resolved issues

APAR Description
IJ12128 WinCollect build number is not displayed in the WinCollect Agent Version field.


Supported Windows operating systems

  • Windows Server 2016
  • Windows Server 2008 (most recent)
  • Windows Server 2008 Core
  • Windows Server 2012 (most recent)
  • Windows Server 2012 Core
  • Windows 7 (most recent)
  • Windows 8 (most recent)
  • Windows 10 (most recent)
  • Windows Vista (most recent)

    NOTE: WinCollect is not supported on versions of Windows that have been moved to End Of Life by Microsoft. After software is used beyond the Extended Support End Date, the product might still function as expected; however, IBM will not make code or vulnerability fixes to resolve WinCollect issues for older operating systems. For more information, see the WinCollect User Guide.

     

IBM Statement for WinCollect supported versions
Administrators should be aware that supported software versions for IBM WinCollect is the Latest version (n) and latest minus one (n-1). This means that the two newest versions of WinCollect are the versions that QRadar Support will recommend with any support tickets (cases) that are opened. To prevent issues, it is important that administrators keep WinCollect deployments updated when new versions are posted to IBM Fix Central. For questions related to this statement, ask in the WinCollect forum: http://ibm.biz/wincollectforums.


Prerequisites for the WinCollect V7.2.8.P2 upgrade

Installation prerequisites
This table is intended for managed WinCollect agents that receive updates from a QRadar appliance. Stand-alone WinCollect agents can be updated using the 7.2.0-QRADAR-wincollect-standalone-patch-installer-7.2.8-145.exe file to update the agents on Windows host.

 

Console's WinCollect version Upgrades to WinCollect V7.2.8 Special instructions
WinCollect V7.2.2 No, requires the WinCollect 7.2.2-2 SFS file to be installed first. No administrators should be using this agent version. Upgrade to WinCollect V7.2.2-2, then install WinCollect 7.2.5.
WinCollect V7.2.2-1 No, requires the WinCollect 7.2.2-2 SFS file to be installed first. No administrators should be using this agent version. Upgrade to WinCollect V7.2.2-2, then install WinCollect 7.2.5.
WinCollect V7.2.2-2 Yes Upgrade to WinCollect V7.2.8.P2. See APAR IV99280.
WinCollect V7.2.3 Yes Upgrade to WinCollect V7.2.8.P2. See APAR IV99280.
WinCollect V7.2.4 Yes Upgrade to WinCollect V7.2.8.P2. See APAR IV99280.
WinCollect V7.2.5 Yes Upgrade to WinCollect V7.2.8.P2.
WinCollect V7.2.6 Yes Upgrade to WinCollect V7.2.8.P2.
WinCollect V7.2.7 Yes Upgrade to WinCollect V7.2.8.P2.
WinCollect V7.2.8 Yes Upgrade to WinCollect V7.2.8.P2

Table 1: The WinCollect version for managed agents can be found in the Agent list on the Admin tab.


QRadar version prerequisites
This table is intended to outline WinCollect version requirements for QRadar.

QRadar version Special instructions
QRadar V7.2.8 Patch 7 or above If you are on a WinCollect version between V7.2.2-2 to V7.2.4, see APAR IV99280.
QRadar V7.3.x WinCollect V7.2.5 is the minimum version required to upgrade to QRadar V7.3.x (any patch level).

Table 2: The WinCollect version for managed agents can be found in the Agent list on the Admin tab.
 

Before you begin

  • To avoid access errors in your log file, close all open QRadar sessions.
  • Verify that all changes are deployed on your appliances.
  • Installing the SFS file forces a Tomcat restart on the Console, which will log out QRadar users and stop any reports running in the background. Administrators should be aware of this service restart to schedule maintenance time appropriately.
  • It is possible for the administrator to prevent a software update to a critical business asset or server from the WinCollect agent list on the Admin tab. To prevent a host from being updated, the Enable Automatic Updates field must be set to false before you install the SFS file to the Console. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21685330.
  • The WinCollect Agent SFS file can only be installed on the QRadar Console appliance. Installing the WinCollect Agent update SFS on a managed hosts will display an error message to the administrator.

WinCollect upgrade procedure


This section outlines how to install WinCollect V7.2.8.P2 on the QRadar Console. The WinCollect update needs only to be installed on the QRadar Console. The Console appliance will replicate all required files to other QRadar appliances in the deployment. To upgrade existing WinCollect agents, the administrator must to install the SFS file on the QRadar Console appliance. The SFS contains protocol updates and WinCollect Agent software to remotely update Windows hosts with WinCollect V7.2.8.P2.

NOTE: If you are using 'stand-alone' mode, you must download and install the WinCollect Patch Installer V7.2.8.P2 for each Windows host and install the update locally on each agent. For more information about stand-alone mode, see the WinCollect Guide.

Procedure
These instructions are intended for standard (managed) upgrades of WinCollect. The instructions provided below are for managed WinCollect installations.

  1. Download a WinCollect Agent (v7.2.8.P2) bundle (.SFS) from the IBM Fix Central website for your QRadar version:
  2. Using SSH, log in to your Console as the root user. This SFS file is only installed on the QRadar Console. There is no need to install the WinCollect SFS on non-Console appliances.
  3. Copy the fix pack to the /tmp directory on the QRadar Console. If space in the /tmp directory is limited, copy the SFS to another location that has sufficient space, such as /root or /storetmp for QRadar 7.3.0 Consoles.
  4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
  5. Change to the directory where you copied the patch file. For example, cd /tmp
  6. To mount the patch file to the /media/updates directory, type one of the following commands:
    • QRadar 7.2.x: mount -o loop -t squashfs 720_QRadar_wincollectupdate-728.145.P2.sfs /media/updates
    • QRadar 7.3.x: mount -o loop -t squashfs 730_QRadar_wincollectupdate-728.145.P2.sfs /media/updates
  7. To run the patch installer, type the following command: /media/updates/installer

    NOTE: To proceed with the WinCollect Agent update services need to be restarted on QRadar to apply protocol updates. This The following message is displayed:

    WARNING: Services need to be shutdown in order to apply patches. This will cause an interruption to data collection and correlation.

    Do you wish to continue (Y/N)?
     
  8. To continue with the update, type Y to continue.

    NOTE: During the update, the SFS installs new protocol updates. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes. After the installation is complete, services are restarted and the user interface is available.
     
  9. WARNING: Patch 144249 includes a new version of the WinCollect Configuration Server. If you do not restart the event collection service, agents cannot get new configurations and code updates.
    Perform one of the following tasks:
    1. Restart event collection service at the end of the patch installation, on the Console and on all managed hosts patched from the Console.
    2. Do not restart event collection service yet. You will need to restart it in the user interface (Advanced > Restart Event Collection Services).
    3. Abort the patch installation.
  10. The administrators can delete the WinCollect update SFS file from the QRadar Console.
  11. To unmount the SFS file from the Console, type the following command: umount /media/updates
  12. (Optional) If you selected option #2 in Step 9, select Advanced > Restart Web Server on the Admin tab.

Results
Administrators should wait for the WinCollect agent to update the remote Windows host with the latest software. In smaller deployments, updates should only take a few minutes, however, larger WinCollect deployments might take an hour or two to fully update. By default, agents request configuration updates every 10 minutes if the WinCollect agent has Enable Automatic Updates set to true.

Administrators can log in to the QRadar user interface and review the agent list to verify that agents with updates enabled display 7.2.8.P2 in the Version column. After one hour of time has passed, the administrator can review if any WinCollect agents that still show older agent versions in the QRadar user interface. If the QRadar Console is at QRadar V7.2.8 Patch 7 or later and you are attempting to upgrade from WinCollect V7.2.2-2 to WinCollect V7.2.4, you might be experiencing the upgrade issue outlined here: IV99280.

 

QRadar 7.2 RPMs contained in the WinCollect SFS installer


The following RPM files are contained within the WinCollect V7.2.8.P2 SFS file. When the WinCollect SFS file is installed on the Console appliance, the following RPM files are installed. This information is intended for reference only. Administrators should never attempt to install these RPMs themselves, instead contact QRadar Support for any installation issues.

•    DSM-WinCollect-7.2-922053.noarch
•    PROTOCOL-WinCollectMicrosoftISA-7.2-20181212142622.noarch
•    PROTOCOL-WinCollectMicrosoftDNS-7.2-20181212142622.noarch
•    PROTOCOL-WinCollectMicrosoftDHCP-7.2-20181212142622.noarch
•    PROTOCOL-WinCollectNetAppDataONTAP-7.2-20181212142622.noarch
•    PROTOCOL-WinCollectMicrosoftIAS-7.2-20181212142622.noarch
•    PROTOCOL-WinCollectFileForwarder-7.2-20181212142622.noarch
•    AGENT-WINCOLLECT-7.2-20181212142622.noarch
•    PROTOCOL-WinCollectWindowsEventLog-7.2-20181212142622.noarch
•    PROTOCOL-WinCollectJuniperSBR-7.2-20181212142622.noarch
•    PROTOCOL-WinCollectMicrosoftSQL-7.2-20181212142622.noarch
•    PROTOCOL-WinCollectConfigServer-7.2-20181212142622.noarch
•    PROTOCOL-WinCollectMicrosoftExchange-7.2-20181212142622.noarch
•    PROTOCOL-WinCollectMicrosoftIIS-7.2-20181212142622.noarch

QRadar 7.3 RPMs contained in the WinCollect SFS installer


The following RPM files are contained within the WinCollect V7.2.8.P2 SFS file. When the WinCollect SFS file is installed on the Console appliance, the following RPM files are installed. This information is intended for reference only. Administrators should never attempt to install these RPMs themselves, instead contact QRadar Support for any installation issues.

  • DSM-WinCollect-7.3-20160908133313.noarch
  • PROTOCOL-WinCollectMicrosoftDNS-7.3-20181212142622.noarch
  • PROTOCOL-WinCollectConfigServer-7.3-20181212142622.noarch
  • PROTOCOL-WinCollectMicrosoftISA-7.3-20181212142622.noarch
  • PROTOCOL-WinCollectMicrosoftExchange-7.3-20181212142622.noarch
  • PROTOCOL-WinCollectJuniperSBR-7.3-20181212142622.noarch
  • PROTOCOL-WinCollectMicrosoftDHCP-7.3-20181212142622.noarch
  • PROTOCOL-WinCollectWindowsEventLog-7.3-20181212142622.noarch
  • AGENT-WINCOLLECT-7.3-20181212142622.noarch
  • PROTOCOL-WinCollectMicrosoftIAS-7.3-20181212142622.noarch
  • PROTOCOL-WinCollectMicrosoftIIS-7.3-20181212142622.noarch
  • PROTOCOL-WinCollectFileForwarder-7.3-20181212142622.noarch
  • PROTOCOL-WinCollectMicrosoftSQL-7.3-20181212142622.noarch
  • PROTOCOL-WinCollectNetAppDataONTAP-7.3-20181212142622.noarch

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"WinCollect","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2;7.3","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
18 December 2018

UID

ibm10791609

Page Feedback