IBM Support

WinCollect: How to find my version

How To


Summary

This article explains how to determine whether a WinCollect instance is version 10 or version 7. For stand-alone instances, build a search in the QRadar Console that lists the agent versions; for managed instances, open the agent list in the QRadar Web Console WinCollect settings, or use the CLI to output a list of instances and their versions.

Steps

This technical note contains a video from IBM Helps. Relevant videos are listed with the procedure to guide users:

Stand-alone

Install the IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.0.0 content pack to get access to the agent version custom property, then use it to build a search that lists your agents' versions. You can read more about this property in the documentation on Security Analytics Self Monitoring extensions.

Procedure
Note:
Both managed and stand-alone instances appear in this search.
Create a search to list your agents' versions by filtering on the WinCollect DSM and grouping by the Source IP.

  1. Install the IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.0.0 content pack. For installation steps, see the QRadar documentation on installing a content pack by using Extensions Management.
  2. From the Log Activity page, run an Advanced Search with the following AQL search query:
    SELECT logsourcename(logsourceid) as LogSource, "Agent Version" AS 'Agent Version', 
    "sourceIP" AS 'Source IP', "OS Name" AS 'OS Name' from events 
    where LOGSOURCENAME(logsourceid) ILIKE 'WinCollect%' GROUP BY "sourceIP" 
    order by "Agent Version" desc last 60 minutes

    Results
    Observe the Agent Version property of each WinCollect instance and use the LogSource or Source IP to identify which agents need updating. The default LogSource name for an instance is WinCollect @ [host name/device name]. If multiple Windows machines share the same host name and the default agent name was used during setup, their LogSource names are identical and you must use the Source IP address to tell them apart.
    If you do not see your WinCollect 10 agents, ensure their Status Server setting is enabled by following these steps:
    1. Open the WinCollect 10 administrator console for the agent that is missing from the results.
    2. Open the Agent Settings.
    3. Ensure the Status Server is Enabled.
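If the goal is specifically to find the agents that still need to move off version 7, the same search can be narrowed on the Agent Version property. The query below is an added example and is not part of the IBM procedure; it assumes the "Agent Version", "sourceIP" and "OS Name" custom properties provided by the Security Analytics Self Monitoring content pack, exactly as the query above does. Agent Version is a string property, so a prefix match on '7.%' is used instead of a numeric comparison (a plain string comparison would sort '7.x' after '10.x'). Keep the caveat from the Status Server note in mind: a WinCollect 10 agent whose Status Server is disabled produces no status events, so an agent that is absent from this result is not thereby shown to be version 7.

```sql
SELECT logsourcename(logsourceid) AS LogSource,
       "Agent Version"            AS 'Agent Version',
       "sourceIP"                 AS 'Source IP',
       "OS Name"                  AS 'OS Name'
FROM events
WHERE LOGSOURCENAME(logsourceid) ILIKE 'WinCollect%'
  AND "Agent Version" ILIKE '7.%'
GROUP BY "sourceIP"
ORDER BY "Agent Version" DESC
LAST 60 MINUTES
```

Swap '7.%' for '10.%' to confirm the agents that have already been upgraded, or drop the Agent Version condition to return to the full list.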
       

Managed

There are two methods for finding the version of managed instances, one by using the UI and one by using the CLI. The CLI method is advantageous if you want to pipe the output into other commands, or if you have many WinCollect instances.

Using the Web Console UI

Procedure
Find your agents' version from the WinCollect Admin Settings.

  1. Log in to the QRadar Web Console.
  2. Open the Admin page.
  3. Open the WinCollect settings.
  4. Ensure the Agents tab is open.

    Results
    Observe the Version column.

Using the CLI

Procedure
Use the WinCollectHealthCheck.sh tool to list your agents and their versions.

  1. SSH in to the QRadar Console.
  2. Run the WinCollect Health Check script with the Deployment Summary option by using the following command:
    /opt/qradar/support/WinCollectHealthCheck.sh -d

    Results
    In the output, refer to the Version column of the "WinCollect Active Agents and Config File Location" section, which lists each agent by name. In the excerpt below, the heartbeat time and config file location are redacted (x.x.x.x). Note that the same build is written with a hyphen (7.3.1-22) in the WinCollect Versions table at the start of the output; that table lists WinCollect components, not individual agents.
    WinCollect Active Agents and Config File Location:
    
    Description: Queries the active agents, then gets the list of folders from each managed host's /store/configservices/wincollect/configserver/ folder. Checks the folder for active agents.
    Agent Name       Version          Time of last heartbeat     Location of Config File
    SCOTTAWINDOWS10  7.3.1.22         x.x.x.x
    Example of full output:
    [root@scotta-qr ~]#/opt/qradar/support/WinCollectHealthCheck.sh  
    
    WinCollect Deployment Summary
    
    WinCollect Versions:
    
     id |      component_name       |       module_name       | type_name  | classificationid |       version        | protocolid 
    ----+---------------------------+-------------------------+------------+------------------+----------------------+------------
     27 | DeviceMicrosoftIAS        | DeviceMicrosoftIAS      | DeviceType |                3 | 7.3.1-22             |         47
     28 | DeviceFileForwarder       | DeviceFileForwarder     | DeviceType |                3 | 7.3.1-22             |         41
     29 | DeviceMicrosoftExchange   | DeviceMicrosoftExchange | DeviceType |                3 | 7.3.1-22             |         81
     30 | DeviceJuniperSBR          | DeviceJuniperSBR        | DeviceType |                3 | 7.3.1-22             |         48
     31 | DeviceMicrosoftDNS        | DeviceMicrosoftDNS      | DeviceType |                3 | 7.3.1-22             |         66
     32 | DeviceMicrosoftSQL        | DeviceMicrosoftSQL      | DeviceType |                3 | 7.3.1-22             |         49
     33 | DeviceMicrosoftISA        | DeviceMicrosoftISA      | DeviceType |                3 | 7.3.1-22             |         46
     34 | DeviceMicrosoftIIS        | DeviceMicrosoftIIS      | DeviceType |                3 | 7.3.1-22             |         44
     35 | DeviceMicrosoftDHCP       | DeviceMicrosoftDHCP     | DeviceType |                3 | 7.3.1-22             |         45
     36 | DeviceWindowsLog          | DeviceWindowsLog        | DeviceType |                3 | 7.3.1-22             |         39
     37 | DeviceNetApp              | DeviceNetApp            | DeviceType |                3 | 7.3.1-22             |         57
      1 | AgentCore                 | AgentCore               | Service    |                4 | 7.3.1-22             |           
      2 | InfoRepositoryClient      | WinCollectCommon        | Service    |                3 | 7.3.1-22             |           
      3 | InfoRepositoryServer      | WinCollectCommon        | Service    |                2 | 7.3.1-22             |           
      4 | ConnectionFactory         | CommunicationAPI        | Service    |                2 | 7.3.1-22             |           
      5 | Windows2008EventCollector | Win2K8EventLogSupport   | Service    |                3 | 7.3.1-22             |           
      7 | SyslogHeaderStage         | DestinationSyslog       | StageType  |                1 | 7.3.1-22             |           
      8 | UDPSendStage              | DestinationSyslog       | StageType  |                1 | 7.3.1-22             |           
      9 | LoggerStage               | DestinationFileLogger   | StageType  |                1 | 7.3.1-22             |           
     10 | TCPSendStage              | DestinationSyslog       | StageType  |                1 | 7.3.1-22             |           
     11 | SimpleEventThrottle       | Stream                  | StageType  |                1 | 7.3.1-22             |           
     13 | DestinationManager        | WinCollectPlugin        | Service    |                3 | 7.3.1-22             |           
     15 | PayloadRouter             | Routing                 | Service    |                3 | 7.3.1-22             |           
     16 | StatisticsServer          | Statistics              | Service    |                3 | 7.3.1-22             |           
     17 | DiagnosticsEngine         | WinCollectCommon        | Service    |                3 | 7.3.1-22             |           
     18 | PayloadFactory            | WinCollectCommon        | Service    |                3 | 7.3.1-22             |           
     19 | FileMonitorFactory        | WinCollectMonitor       | Service    |                3 | 7.3.1-22             |           
     20 | ParserFactory             | WinCollectParser        | Service    |                3 | 7.3.1-22             |           
     21 | SecurityManager           | Security                | Service    |                3 | 7.3.1-22             |           
     22 | LogFileReaderFactory      | WinCollectPlugin        | Service    |                3 | 7.3.1-22             |           
     23 | DiskManager               | WinCollectCommon        | Service    |                3 | 7.3.1-22             |           
     24 | PersistenceManager        | WinCollectCommon        | Service    |                3 | 7.3.1-22             |           
     25 | StoreAndForwardStage      | StoreAndForward         | StageType  |                1 | 7.3.1-22             |           
     26 | MessageCache              | WindowsMessageCache     | Service    |                3 | 7.3.1-22             |           
     38 | UNCMachineNameFactory     | WinCollectCommon        | Service    |                3 | 7.3.1-22             |           
     39 | RegistryCache             | WinCollectCommon        | Service    |                3 | 7.3.1-22             |           
    
    WinCollect Inactive Agents:
    
    Description: Querying the inactive agents, these agents will have a value of true for deleted, or a value of false for enabled or deployed
     hostname |       version        | last_heartbeat | deployed | enabled | deleted 
    ----------+----------------------+----------------+----------+---------+---------
     ?        | N/A                  |                | f        | f       | t
    
    WinCollect Active Agents and Config File Location:
    
    Description: Queries the active agents, then gets the list of folders from each managed host's /store/configservices/wincollect/configserver/ folder. Checks the folder for active agents.
    Agent Name       Version          Time of last heartbeat     Location of Config File
    SCOTTAWINDOWS10  7.3.1.22         x.x.x.x                                 
    
    
    Count of logsources per managed host
    
    Description:  Queries the logsources and sums them by their managed host.
     count | hostname 
    -------+----------
    
    List of logsources for each managed host
    
    Description:  Queries the managed host and gets their Logsources.
    The following query results are the log sources for managed host: 'scotta-qr750-3199-13344'
     count | devicetypedescription | hostname 
    -------+-----------------------+----------
    
    
    
    List of logsources for each agent
    
    Description:  Queries the managed host and gets their Logsources.
    
    Querying event log sources for agent @ SCOTTAWINDOWS10
     Logsource ID | devicename | 60 Second EPS 
    --------------+------------+---------------
    
    
    WinCollect Agents per Managed Hosts:
     Description: During the tuning checks, a count is performed that sums the agents for each managed host
     Agents Managed Host
          1 x.x.x.x
    
    WinCollect Tuning Report:
    
    Description: Provides an a sum of the channels that are polled by each agent from each WinCollect Log Source. It than divides the sum by the average polling interval. Values between 20-30 channels per second may be overburdened.
    Agent  |  Security-Channels  |  System-Channels  |  Application-Channels  |  DNS-Channels  |  File-Channels  |  Directory-Channels  |  Total-Channels  |  Average-Interval(ms)  |  Tuning(channels/s)
    
    Querying the Xpath Channels per second for each agent
    Agent            |  XPath-Channels-per-second
    SCOTTAWINDOWS10  |  0
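With many agents, reading the Version column by eye does not scale, which is the case the CLI method exists for. The script below is an added example, not part of the IBM technote or of the WinCollectHealthCheck.sh tool: it parses the "WinCollect Active Agents and Config File Location" section of the health-check output into one line per agent (name, version, major version) so the result can be filtered for version 7 or version 10 agents. It assumes the column layout shown in this article. The embedded sample output is constructed for the example and was not captured from a real deployment; on a Console you would pipe the real command into the same functions.

```bash
#!/usr/bin/env bash
# Added example (not IBM code): parse WinCollectHealthCheck.sh output into
# "<agent> <version> <major>" lines and summarise agents by major version.
#
# Real use on the QRadar Console (assumes the -d output layout shown above):
#   /opt/qradar/support/WinCollectHealthCheck.sh -d | active_agents | agents_by_major 7
#
# Constructed sample of the health-check output, modelled on the article's
# example. Hostnames, times and paths are invented for the example.
SAMPLE_OUTPUT='WinCollect Deployment Summary

WinCollect Inactive Agents:

Description: Querying the inactive agents, these agents will have a value of true for deleted, or a value of false for enabled or deployed
 hostname |       version        | last_heartbeat | deployed | enabled | deleted
----------+----------------------+----------------+----------+---------+---------
 ?        | N/A                  |                | f        | f       | t

WinCollect Active Agents and Config File Location:

Description: Queries the active agents, then gets the list of folders from each managed host /store/configservices/wincollect/configserver/ folder. Checks the folder for active agents.
Agent Name       Version          Time of last heartbeat     Location of Config File
SCOTTAWINDOWS10  7.3.1.22         2024-01-17 10:15:03        /store/configservices/wincollect/configserver/SCOTTAWINDOWS10
WIN2019-DC01     10.1.4.5         2024-01-17 10:15:08        /store/configservices/wincollect/configserver/WIN2019-DC01
FILESRV02        7.2.9.108        2024-01-17 10:14:59        /store/configservices/wincollect/configserver/FILESRV02

Count of logsources per managed host

Description:  Queries the logsources and sums them by their managed host.
 count | hostname
-------+----------'

# Read health-check output on stdin. Skip everything until the active-agents
# section header, then until its "Agent Name" column header, and print one
# "<agent> <version> <major>" line per table row until the blank line that
# ends the table. The inactive-agents table is never reached by the rules.
active_agents() {
  awk '
    /^WinCollect Active Agents and Config File Location:/ { in_section = 1; next }
    in_section && /^Agent Name/                          { in_table = 1;  next }
    in_table && NF == 0                                  { exit }
    in_table {
      split($2, v, ".")      # "7.3.1.22" -> v[1] = "7"; "10.1.4.5" -> v[1] = "10"
      print $1, $2, v[1]
    }
  '
}

# From parsed lines on stdin, print the names of agents whose major version is $1.
agents_by_major() {
  awk -v major="$1" '$3 == major { print $1 }'
}

# From parsed lines on stdin, print "<major> <count>" per major version.
count_by_major() {
  awk '{ n[$3]++ } END { for (m in n) print m, n[m] }' | sort -n
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | active_agents
printf '%s\n' "$SAMPLE_OUTPUT" | active_agents | count_by_major
printf '%s\n' "$SAMPLE_OUTPUT" | active_agents | agents_by_major 7
```

The parser keys on the section header and the "Agent Name" column header rather than on column positions, so redacted or differently padded heartbeat and path columns do not affect it; only the first two whitespace-separated fields (agent name and version) are used. Agents that only appear in the "WinCollect Inactive Agents" table are deliberately excluded, since their version is reported as N/A.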
    

Document Location

Worldwide


Document Information

Modified date:
17 January 2024

UID

ibm16602313