Overview

In WinCollect 7.2.8 we added the ability to set just about any parameter in the cmd line install.  In Prior releases only the parameters available in the UI install were available in the cmd line install.  Now in WinCollect 7.2.8 any parameter that’s part of the AgentConfig.xml (i.e. Xpath) can be set as part of the cmd line install.

NOTE:  You can also set Agent Core parameters as well such as the Heart beat interval and configuration poll interval.

Use Case – Windows Applications and Services Event Logs (Xpath)

Configure WinCollect to collect Windows PowerShell Event Logs along with standard event logs.

Xpath –  see the following blog

Use Case Change Heart Beat and Configuration Polling Interval

Customer wants to change how often WinCollect checks in with QRadar for a code update (ConfigurationCheckInterval) and also how often it sends a heart beat message.

These parameters (HeartbeatInterval and ConfigurationCheckInterval) are set in the AgentCore section of the AgentConfig.xml

<Service classification="Static" type="Service" version="7.2.8" module="AgentCore" name="AgentCore">
		<Environment>
			<Parameter name="HeartbeatInterval" value="3600000"/>
			<Parameter name="ConfigurationCheckInterval" value="900000"/>
			<Parameter name="Enabled" value="true"/>
			<Parameter name="Deleted" value="false"/>
		</Environment>
	</Service>

The following values can be used in the cmd line install (change heartbeat to 60 minutes and config poll to 15 minutes from the default of 5 minutes). Values measured in ms.

Component1.HeartbeatInterval=3600000
Component1.ConfigurationCheckInterval=900000

Example

IF EXIST "%PROGRAMFILES(X86)%" (set bit=x64) ELSE (set bit=x86)
C:\WinCollectInstall\wincollect-7.2.8-9999.%bit%.exe /s /v"/qn STATUSSERVER=172.18.X.X LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.HeartbeatInterval=3600000&Component1.ConfigurationCheckInterval=900000&Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=EventLogLocal&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Dest.Name=QRadar&Component1.EventLogPollProtocol=MSEVEN6&Component1.Dest.Hostname=172.18.X.X&Component1.Dest.Port=514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=true&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=10000&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1825&Component1.EventRateTuningProfile=High+Event+Rate+Server"""

Use Case NSA Filtering

See the following blog how to set NSA filtering in the cmd line install

Join The Discussion

Your email address will not be published. Required fields are marked *