Troubleshooting
Problem
After the replacement of the QRadar certificate with a newly created self-signed certificate, errors are displayed in the IBM WinCollect 10 Agent logs and no events are sent to the QRadar Console.
Diagnosing The Problem
This issue can be seen in the following circumstances:
- Initial setup of IBM WinCollect 10 Agent.
- Replacing an existing certificate, when the certificate is about to expire.
Steps to Reproduce:
- Install IBM WinCollect 10 agent.
- Create a TLS destination on the QRadar Console with the generated certificate type
- Add a TLS destination to the IBM WinCollect 10 agent with the generated PEM file configured into QRadar.
- Generate a new self-signed certificate by completing the following instructions.
https://www.ibm.com/support/pages/qradar-tls-syslog-support-der-encoded-pkcs8-custom-certificates - IBM WinCollect 10 agent connects and Logs are seen in the QRadar Console.
- Replace the destination's certificate with a new self-signed certificate. Errors are displayed in the IBM WinCollect 10 Agent logs and no events are sent to the QRadar Console.
Resolving The Problem
Note: Customers running IBM WinCollect Agents 10.0.1 and 10.0.2 are advised to complete a manual restart of the IBM WinCollect service after the replacement of the certificate.
Restarting the IBM WinCollect 10 Agent service clears the old certificate from the cache and loads the newly created certificate, and establishes a secure connection between the IBM WinCollect 10 Agent and the QRadar Console.
There are 3 locations where the IBM WinCollect Agents service can be restarted:
IBM WinCollect Agent GUI
Windows Operating System GUI
Powershell Command Line
To restart the IBM WinCollect service (IBM WinCollect Agent GUI)
- Click the Microsoft Start
Button
, select IBM WinCollect 10, then click IBM WinCollect 10 Console. - From the console screen, you can see the status of the IBM WinCollect 10 service.
- Click 'Service is running' and then click
Restart
.
To restart the IBM WinCollect service (Windows Operating System GUI)
- On the Server Manager window
click
Tools, and select Services. - Scroll down and highlight the IBM WinCollect service, then click the
Restart Service Button.
To restart the IBM WinCollect Agents service (Powershell Command Line)
Button
and Select the option 'Windows Powershell (Admin)'.
Right-click the Windows Start - To Stop the IBM WinCollect service run the command
net stop wincollect
- To Start the IBM WinCollect service run the following command.
net start wincollect
Resolution
This issue is resolved in WinCollect version 10.1.1.
This issue is resolved in WinCollect version 10.1.1.
Listed in the Bug fixes and improvements section.
Fixed an issue where the agent caches PEM files that are removed from the config until the service is restarted.
Customers experiencing this issue should upgrade WinCollect to version 10.1.1 or Later.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtwAAA","label":"WinCollect"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
31 August 2023
UID
ibm16618391