IBM Support

WinCollect: How to use WinCollectHealthCheck.sh to troubleshoot managed deployments

How To


Summary

WinCollectHealthCheck.sh runs through a series of tests and automated checks to help validate managed WinCollect deployments. The support tool WinCollectHealthCheck allows administrators to report the state of managed WinCollect agents deployed in your network.

Environment

The WinCollectHealthCheck utility reports data from the QRadar Console for managed WinCollect agents. Administrators with stand-alone agents cannot use the WinCollectHealthCheck tool as those agents are not managed or monitored by the QRadar Console.

Steps

Validate your WinCollect deployment.
  1. Use SSH to log in to your QRadar Console as the root user.
  2. Run WinCollectHealthCheck.sh.
    /opt/qradar/support/WinCollectHealthCheck.sh
    • Example output
      The following is an example with one running agent and one unavailable agent:
      Last Heartbeat Test :
        Passed : There are      1 WinCollect Agents that have a heartbeat within the last 30 minutes
        Failed : There are      1 WinCollect Agents whose last heartbeats are beyond 30 minutes
        Passed : There are      0 WinCollect Agents that have no heartbeat
        Passed : There are      0 WinCollect Agents that have not been deployed
      ____________________________________
       HeartBeat Test Failed
      
      Version Test :
        Passed : There are      0 WinCollect Agents that are version 7.2.5
        Passed : There are      0 WinCollect Agents that are version 7.2.6
        Passed : There are      0 WinCollect Agents that are version 7.2.7
        Passed : There are      0 WinCollect Agents that are version 7.2.8
        Passed : There are      0 WinCollect Agents that are version 7.2.8 patch 1
        Passed : There are      0 WinCollect Agents that are version 7.2.8 patch 2
        Passed : There are      0 WinCollect Agents that are version 7.2.9
        Passed : There are      0 WinCollect Agents that are version 7.2.9 patch 1
        Passed : There are      0 WinCollect Agents that are version 7.2.9 patch 2
        Passed : There are      0 WinCollect Agents that are version 7.2.9 patch 3
        Passed : There are      0 WinCollect Agents that are version 7.3.0
        Passed : There are      0 WinCollect Agents that are version 7.3.0 patch 1
        Failed : There are      0 WinCollect Agents that are version 7.3.1
      ____________________________________
       Version Test Failed
      
      LogSource Test :
        Failed : There are      0 Log Sources whose last event times are less than 720 minutes
        Passed : There are      0 Log Sources whose last event times are beyond 720 minutes
      ____________________________________
       Log Source Test Failed
      
      Status Test :
        Passed : There are      0 WinCollect Agents that are not communicating.
        Passed : There are      1 WinCollect agents running.
        Passed : There are      0 WinCollect Agents in "Stopped"  status.
        Failed : There are      1 WinCollect Agents that are Unavailable.
        Passed : There are      0 Dirty WinCollect Agents.
      ____________________________________
       Status Test Failed
      
      RPM Test :
        Passed : WinCollect 7.2.5 RPM files were not found
        Passed : WinCollect 7.2.6 RPM files were not found
        Passed : WinCollect 7.2.7 RPM files were not found
        Passed : WinCollect 7.2.8 RPM files were not found
        Passed : WinCollect 7.2.8 Patch 1 RPM files were not found
        Passed : WinCollect 7.2.8 Patch 2 RPM files were not found
        Passed : WinCollect 7.2.9 RPM files were not found
        Passed : WinCollect 7.2.9 Patch 1 RPM files were not found
        Passed : WinCollect 7.2.9 Patch 2 RPM files were not found
        Passed : WinCollect 7.2.9 Patch 3 RPM files were not found
        Passed : WinCollect 7.3.0 RPM files were not found
        Failed : WinCollect 7.3.0 patch 1 RPM files were not found
        Failed : WinCollect 7.3.1 RPM files were not found
      ____________________________________
       RPM Test Failed
      
      
      ====================================
      Overall Results : At Least 1 Test Failed
      Would you like further information on the components that failed the tests? 
      Please answer yes or no : 
  3. Type yes for more information on components that failed the tests. Otherwise, type no.
    • Example output
      Old Last_Heartbeats:
      There are heartbeats that have not come in for over 30 minutes, following are query results identifying these agents
      
       Agent ID |          Agent Name          |    Hostname     |     last_heartbeat      
      ----------+------------------------------+-----------------+-------------------------
              2 | WinCollect @ WINDOWS10-host2 | WINDOWS10-host2 | 2022-07-28 12:07:26.392
      (1 row)
      
      
      
      WinCollect Inactive Agents:
      
      Description: Querying the inactive agents, these agents will have a value of true for deleted, or a value of false for enabled or deployed
       hostname |       version        | last_heartbeat | deployed | enabled | deleted 
      ----------+----------------------+----------------+----------+---------+---------
       ?        | N/A                  |                | f        | f       | t
      
       Status 4 Failure: There are agents that are Unavailable.
       id |          Agent Name          |    hostname     |     last_heartbeat      | status 
      ----+------------------------------+-----------------+-------------------------+--------
        2 | WinCollect @ WINDOWS10-host2 | WINDOWS10-host2 | 2022-07-28 12:07:26.392 |      4
      (1 row)
      
      RPM Files are not Up to date:
      This test failed because the required rpm files were not found or files of an older version were found.
      These are your WinCollect Files
      PROTOCOL-WinCollectJuniperSBR-7.5-20210928014626.noarch
      PROTOCOL-WinCollectMicrosoftSQL-7.5-20210928014626.noarch
      PROTOCOL-WinCollectMicrosoftIAS-7.5-20210928014626.noarch
      PROTOCOL-WinCollectMicrosoftISA-7.5-20210928014626.noarch
      PROTOCOL-WinCollectMicrosoftExchange-7.5-20210928014626.noarch
      PROTOCOL-WinCollectWindowsEventLog-7.5-20210928014626.noarch
      PROTOCOL-WinCollectFileForwarder-7.5-20210928014626.noarch
      PROTOCOL-WinCollectMicrosoftDHCP-7.5-20210928014626.noarch
      DSM-WinCollect-7.4-20210817165702.noarch
      PROTOCOL-WinCollectMicrosoftDNS-7.5-20210928014626.noarch
      PROTOCOL-WinCollectNetAppDataONTAP-7.5-20210928014626.noarch
      PROTOCOL-WinCollectConfigServer-7.5-20210928014626.noarch
      PROTOCOL-WinCollectMicrosoftIIS-7.5-20210928014626.noarch

    Result
    Understanding the output:

    Check: Last Heartbeat Test
    Description: Informs administrators when there is no heartbeat from an agent, the heartbeats are older than 30 minutes, or agents are not deployed.
    Notes: For agents that do not report a heartbeat, review the install_config.txt file on the WinCollect agent. Confirm the IP address or hostname in the ServerStatus field. By default, the install_config.txt file is located in C:\Program Files\IBM\WinCollect\config.

    Check: Version Test
    Description: Identifies the WinCollect agent version for all managed agents.
    Notes: Administrators can use this test to output a list of all agent versions reporting to QRadar and identify remote hosts that need to be updated to a supported version (N, N-1). You can configure managed agents to update automatically from the Admin > WinCollect settings in your QRadar Console. Updates are enabled by default but can be disabled.

    Check: Log Source Test
    Description: Identifies the number of log sources that reported event data in the last 720 minutes. All Syslog sources have a default setting in QRadar to check whether an event source reported data.
    Notes: Log sources that do not report events might not have events to report. A good practice is to review those agents to ensure that network changes or outages are not blocking events, and to confirm that the agent service is running.

    Check: Status Test
    Description: Passes when all agents are running. Possible agent statuses include running, stopped, and unavailable. Dirty agents are hosts with pending changes, such as a log source update, software update, or configuration change.
    Notes: QRadar tracks pending changes for each agent and updates remote hosts when they call in. Update frequency checks are based on the agent's configuration polling interval, which is set to 10 minutes by default. If you experience issues with managing WinCollect agents, contact support.

    Check: RPM Test
    Description: Passes when the most recent RPM patches are found and older ones are absent.
    Notes: Administrators with missing RPMs need to mount and install the latest WinCollect SFS file from IBM Fix Central. To download the latest managed WinCollect SFS file, see https://ibm.biz/getwincollect7.
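    When the health check is run regularly (or across several Consoles), it helps to reduce the output to a per-test summary. The following is an added example, not part of the IBM page or of WinCollectHealthCheck.sh itself; it parses the Passed/Failed lines of the format shown above, and the sample text it ships with is constructed to match that format.

```python
import re

# Constructed sample (trimmed) in the format WinCollectHealthCheck.sh prints.
SAMPLE = """Last Heartbeat Test :
  Passed : There are      1 WinCollect Agents that have a heartbeat within the last 30 minutes
  Failed : There are      1 WinCollect Agents whose last heartbeats are beyond 30 minutes
____________________________________
 HeartBeat Test Failed
Status Test :
  Passed : There are      1 WinCollect agents running.
  Failed : There are      1 WinCollect Agents that are Unavailable.
____________________________________
 Status Test Failed
====================================
Overall Results : At Least 1 Test Failed
"""

SECTION_START = re.compile(r"^\s*(?P<name>.+ Test) :\s*$")
OVERALL = re.compile(r"^\s*Overall Results : (?P<msg>.+?)\s*$")
CHECK_LINE = re.compile(r"^\s*(?P<status>Passed|Failed) : (?P<msg>.+)$")
SECTION_END = re.compile(r"^\s*\S.* Test (?P<status>Passed|Failed)\s*$")
COUNT = re.compile(r"\bThere are (?P<n>\d+)\b")

def parse_healthcheck(text):
    """Return (sections, overall): sections[name] holds the section's verdict
    and its 'Failed :' lines as (count_or_None, message). The verdict line is
    spelled differently from the header ("HeartBeat Test Failed" closes
    "Last Heartbeat Test :"), so it is attached to the currently open section."""
    sections, overall, current = {}, None, None
    for line in text.splitlines():
        if m := SECTION_START.match(line):
            current = m.group("name")
            sections[current] = {"result": None, "failed": []}
        elif m := OVERALL.match(line):
            overall = m.group("msg")
        elif (m := CHECK_LINE.match(line)) and current:
            if m.group("status") == "Failed":
                msg = " ".join(m.group("msg").split())  # collapse the padded count
                n = COUNT.search(msg)
                sections[current]["failed"].append((int(n.group("n")) if n else None, msg))
        elif (m := SECTION_END.match(line)) and current:
            sections[current]["result"] = m.group("status")
            current = None
    return sections, overall

def failed_sections(sections):
    """Names of tests whose closing verdict line reads 'Failed'."""
    return [name for name, s in sections.items() if s["result"] == "Failed"]
```

    To use it on real output, capture the script's stdout to a file on the Console and pass its contents to parse_healthcheck(); a Failed line with a count of 0 (as in the Version and RPM tests) means an expected item is missing, not that zero agents are affected.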

Running a tuning test

You can run a tuning test to see whether the WinCollect deployment is within supported tuning parameters.
  1. Use SSH to log in to your QRadar Console as the root user.
  2. Run the tuning test with the -t option.
    /opt/qradar/support/WinCollectHealthCheck.sh -t

    Result
    The tuning test runs only on working agents. The test checks for the following:
    • That managed hosts have fewer than 500 agents each
    • That each agent does not have more than 500 log sources
    • That polling channels, divided by their respective polling interval, are less than 30
    • That there are no more than 30 XPath queries and 2 per agent
       
    Example of successful output:
    Tuning Test :
      Passed : The managed host with the most agents is at X.X.X.X with 1 agents.
      Passed : The agent(s) with the most logsources has     
      Passed : Generating a maximum of  of the 30 supported WinCollect channels per second on a single agent.
      Passed : Generating a maximum of 0 of the 10 supported XPath channels per second on a single agent.
      Passed : Generating a maximum of 0 of the 30 supported channels per second on a single agent.
    ____________________________________
     Tuning Test Passed
    
    Learn about tuning profiles by reading WinCollect: Let's Talk About Log Source Event Rates & Tuning Profiles.
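    The following is an added example, not IBM's code, that applies the four tuning limits listed above to a constructed deployment so that an administrator can estimate whether a planned agent layout will pass before running the tuning test. The model in which each log source contributes channels divided by its polling interval (in seconds) is an interpretation of the page's wording, the 10 XPath channels per second is taken from the example output, and all agent and host names are hypothetical.

```python
from collections import defaultdict

# Limits as described on the page: fewer than 500 agents per managed host, no more
# than 500 log sources per agent, fewer than 30 polling channels per second per
# agent; the 10 XPath channels per second comes from the page's example output.
MAX_AGENTS_PER_HOST = 500
MAX_LOGSOURCES_PER_AGENT = 500
MAX_CHANNELS_PER_SEC = 30
MAX_XPATH_CHANNELS_PER_SEC = 10

def channels_per_second(log_sources):
    """Interpretation of the page's rule: each log source polls `channels`
    event channels every `interval_s` seconds, summed over the agent."""
    return sum(ls["channels"] / ls["interval_s"] for ls in log_sources)

def tuning_findings(agents):
    """Return human-readable findings; an empty list means every limit is met."""
    findings, per_host = [], defaultdict(int)
    for a in agents:
        per_host[a["host"]] += 1
        if len(a["log_sources"]) > MAX_LOGSOURCES_PER_AGENT:
            findings.append(f"{a['name']}: {len(a['log_sources'])} log sources, limit {MAX_LOGSOURCES_PER_AGENT}")
        cps = channels_per_second(ls for ls in a["log_sources"] if not ls["xpath"])
        if cps >= MAX_CHANNELS_PER_SEC:
            findings.append(f"{a['name']}: {cps:.1f} channels/s, limit {MAX_CHANNELS_PER_SEC}")
        xps = channels_per_second(ls for ls in a["log_sources"] if ls["xpath"])
        if xps >= MAX_XPATH_CHANNELS_PER_SEC:
            findings.append(f"{a['name']}: {xps:.1f} XPath channels/s, limit {MAX_XPATH_CHANNELS_PER_SEC}")
    for host, count in per_host.items():
        if count >= MAX_AGENTS_PER_HOST:
            findings.append(f"managed host {host}: {count} agents, limit {MAX_AGENTS_PER_HOST}")
    return findings

def log_sources(n, channels, interval_s, xpath=False):
    """Constructed helper: n identical log sources on one agent."""
    return [{"channels": channels, "interval_s": interval_s, "xpath": xpath} for _ in range(n)]

# Constructed deployment: two agents reporting to one managed host (hypothetical names).
EXAMPLE_AGENTS = [
    # 20 event log sources x 3 channels every 3 s = 20 channels/s: within the limit
    {"name": "agent-a", "host": "eventprocessor-1", "log_sources": log_sources(20, 3, 3)},
    # 35 sources x 3 channels every 3 s = 35 channels/s: exceeds 30; its two
    # XPath sources add only 2 x 1 / 3 s, well under the XPath limit
    {"name": "agent-b", "host": "eventprocessor-1",
     "log_sources": log_sources(35, 3, 3) + log_sources(2, 1, 3, xpath=True)},
]
```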


Document Information

Modified date:
21 October 2022

UID

ibm16830295