IBM Support

WinCollect: How to Change or Update the QRadar Appliance that Manages the Agent (updated)

Question & Answer


Question

How can I change the Console or Managed host address to update what appliance manages the WinCollect agent?

Cause

This article explains how to assign which QRadar appliance manages the WinCollect agent. It applies when the administrator moves or updates the IP address of the Console or the address of the managed host in the deployment that manages a remote WinCollect agent or log sources in the network.

Alternatively, administrators can use these instructions to reassign an agent to another QRadar appliance to manage. For performance purposes or EPS license issues, balancing the number of events going to one appliance over the other might be beneficial.

Reminder: Any QRadar appliance at version 7.3 that runs ECS-EC-Ingress (the Event Collection Server Ingress), or at version 7.2.8 that runs ECS-EC (the Event Collection Server), can manage a WinCollect agent. This includes the Console, Event Collectors (15xx), Event Processors (16xx), or combination Event & Flow Processors (18xx) appliances. Data Nodes or HA secondaries cannot manage WinCollect agents.

Answer

How to Assign a WinCollect Agent to Another QRadar Appliance

This procedure is also valid if you changed the IP address of an existing QRadar appliance, because it describes how to update the ConfigurationServer= field, which defines the address of the appliance that manages the WinCollect agent. This procedure does not apply to stand-alone WinCollect agents.

NOTE: You must log in as a local administrator to complete the procedure listed. The procedure requires the user to be able to stop and start Services on the Windows™ host.

Procedure
  1. Log in to the Windows™ system that hosts the WinCollect agent.
  2. From the Start menu, select All Programs > Administrative Tools > Services.
  3. From the Services tab, select the WinCollect service.
  4. Click Stop.
  5. Navigate to %Program Files\IBM\WinCollect\config% and edit the file install_config.txt.
  6. Modify the value ConfigurationServer=<host name or IP>. ConfigurationServer= defines which QRadar appliance manages and updates the WinCollect agent. If you use a host name, it must resolve back to an IP address.

    NOTE: Do not alter the ApplicationIdentifier= value in this file. If this value is changed, the QRadar appliance thinks a new agent is trying to register itself.
  7. If you update the ConfigurationServer= field, you also need to change the StatusServer= field to use the same IP address or host name value. Both values need to match.
  8. Save any changes to the install_config.txt file.
  9. Navigate to %Program Files\IBM\WinCollect\config% and rename the file ConfigurationServer.PEM to ConfigurationServer.old.
  10. Start the WinCollect service.



Results
After the WinCollect service starts, the agent establishes communications with the new address provided in the ConfigurationServer= field. Because the IP address was updated, the first communication to the new WinCollect agent detects that a new PEM file is required and provides it to the agent. Since the PEM file contained the address of the appliance, it was required to rename the existing PEM file to .old. After you verify communication and a new PEM is provided, the ConfigurationServer.old file can be deleted.
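
The procedure above as a PowerShell script, for running the same change consistently on several agents. This is an added example, not IBM's own tooling; it assumes the Windows service is named WinCollect and that the agent's config directory is under Program Files, and $NewServer, $ConfigDir and $ServiceName are parameter names chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: service name 'WinCollect', config directory under Program Files.
param(
    [Parameter(Mandatory)][string]$NewServer,   # new managing QRadar appliance (host name or IP)
    [string]$ConfigDir   = (Join-Path $env:ProgramFiles 'IBM\WinCollect\config'),
    [string]$ServiceName = 'WinCollect'
)
$ErrorActionPreference = 'Stop'

# Step 6: a host name must resolve to an IP address. Fail before touching anything.
if (-not ($NewServer -as [ipaddress])) {
    [void][System.Net.Dns]::GetHostAddresses($NewServer)   # throws if it does not resolve
}

$cfg = Join-Path $ConfigDir 'install_config.txt'
$pem = Join-Path $ConfigDir 'ConfigurationServer.PEM'
$old = Join-Path $ConfigDir 'ConfigurationServer.old'

# Steps 6-7: build the new file content in memory. Only the two server keys are
# rewritten, so ApplicationIdentifier= and every other line stay byte-for-byte the same.
$before = @(Get-Content -Path $cfg)
$after  = @($before -replace '^(ConfigurationServer|StatusServer)=.*$', "`${1}=$NewServer")

# Both keys must exist and carry the same value, otherwise stop with the file unchanged.
foreach ($key in 'ConfigurationServer', 'StatusServer') {
    if ($after -notcontains "$key=$NewServer") {
        throw "$key= line not found in $cfg; nothing was changed."
    }
}

# Steps 3-4: stop the agent before editing its files.
Stop-Service -Name $ServiceName

# Step 8: save the edited file.
Set-Content -Path $cfg -Value $after

# Step 9: set the old PEM aside so the agent receives a new one from the new appliance.
if (Test-Path -Path $pem) {
    Move-Item -Path $pem -Destination $old -Force
}

# Step 10: start the agent again.
Start-Service -Name $ServiceName

# Show exactly which lines changed, for the change record.
Compare-Object -ReferenceObject $before -DifferenceObject $after |
    Format-Table -AutoSize SideIndicator, InputObject
```

Delete ConfigurationServer.old only after the agent has checked in and a new ConfigurationServer.PEM has appeared in the config directory.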
      
  

Document Information

Modified date:
07 January 2021

UID

swg21692904