Overview
Stand-Alone WinCollect 7.2.8 allows you to make changes to the Agent configuration (agentconfig.xml) using “Templates”.  Templates  essentially allow you to make changes to the Agents configuration without having to manually change the Agentconfig.xml either manually or via script.   When templates are copied to the WinCollect patch folder the Agent will be pick up and replace the existing configuration with the template.  The Agent will then make a backup of the current configuration in the patch checkpoint folder and then restart the Agent.

Templates
Currently there are 4 sample templates installed with WinCollect 7.2.8 which are stored in \IBM\WinCollect\templates

  • tmplt_AgentCore.xml
  • tmplt_DestinationManager.xml
  • tmplt_DeviceWindowsLog.xml
  • tmplt_PayloadRouter.xml

These templates are examples only, all agent config service modules are supported therefore you can create your own templates (see example below)

Use Case
Customer requests that they want to change the Heart Beat Interval from 5 minutes to 1hr on all of their deployed systems.  In prior versions this would require direct manual or scripted changes to the agentconfig.xml and a WinCollect service restart

With Templates this can be accomplished by performing the following;

Locate the service that handles the Heart beat interval.  The service that handles the heartbeat is the “AgentCore”, in particular the HeartbeatInterval, is contained in the tmplt_AgentCore.xml template

 

<Service classification="Static" type="Service" version="7.2.8" module="AgentCore" name="AgentCore">
		<Environment>
			<Parameter name="HeartbeatInterval" value="300000"/>
			<Parameter name="ConfigurationCheckInterval" value="300000"/>
			<Parameter name="Enabled" value="true"/>
			<Parameter name="Deleted" value="false"/>
		</Environment>
	</Service>


Make a copy of the template and name it service_AgentCore.xml
Update the HeartbeatInterval to 1 hr
60minutes = 3600000 milliseconds

 

<Service classification="Static" type="Service" version="7.2.8" module="AgentCore" name="AgentCore">
		<Environment>
			<Parameter name="HeartbeatInterval" value="3600000"/>
			<Parameter name="ConfigurationCheckInterval" value="300000"/>
			<Parameter name="Enabled" value="true"/>
			<Parameter name="Deleted" value="false"/>
		</Environment>
	</Service>


Drop the file into the WinCollect patch folder \IBM\WinCollect\patch.
After a few seconds the file will disappear and the Agent will restart.
The old agentconfig.xml will now appear in backup folder (patch_checkpoint_XXXX).  This provides a backup incase you need to revert to the prior agent configuration

The Agent will restart on it’s own and you will now have the configuration that you provided in the service template.

Use Case 2
Customer would like to modify the location and capacity of the event data which is stored in \programdata\WinCollect.  They want to now store the event data in “c:\ibm” and change the capacity to 20GB.

Their is no default template for this, but we can easily create one looking at the AgentConfig.xml

Existing Service

<Service classification="Service" type="Service" version="7.2.8" module="WinCollectCommon" name="DiskManager">
		<Environment>
			<Parameter name="BasePath" value="%ALLUSERSPROFILE%\WinCollect\Data"/>
			<Parameter name="Capacity" value="6144"/>
		</Environment>
	</Service>

NOTE:  %ALLUSERSPROFILE% is an environment variable
Environment variable C:\ProgramData

We want to change this to C:\IBM\WinCollect\Data

Looking at the xml we can see that the name of this service is “DiskManager”
Create an xml named service_DiskManager.xml with the contents above and make necessary changes to the path and capacity

 

<Service classification="Service" type="Service" version="7.2.8" module="WinCollectCommon" name="DiskManager">
		<Environment>
			<Parameter name="BasePath" value="c:\ibm\WinCollect\Data"/>
			<Parameter name="Capacity" value="20480"/>
		</Environment>
	</Service>


Same as before, drop the file in the patch folder.  The agent will pickup the change and apply the new configuration and restart the Agent.  Once the changes are applied by the Agent, it will now be writing book-marks and event data (if it can’t reach QRadar) to the new folder.

Use Case 3 – Send TCP vs. UDP
Customer Syslog destination as UDP but now wants to send Syslog to QRadar as TCP.  This flag is controlled in the DestinationManager

 

<Service version="7.2.8" classification="Service" type="Service" module="WinCollectPlugin" name="DestinationManager">
	<Environment/>
	<InstanceData>
		<Instance name="QRadar">
			<Environment/>
			<Module order="1" service_name="StoreAndForwardStage">
				<Environment>
					<Parameter name="DataChunkPeriod" value="10"/>
					<Parameter name="DataProcessingPeriod" value="500000"/>
					<Parameter name="QueueLowWaterMark" value="750000"/>
					<Parameter name="QueueHighWaterMark" value="1000000"/>
					<Parameter name="Schedule.Enable" value="true"/>
					<Parameter name="Schedule.Invert" value="false"/>
					<Parameter name="Socket.KeepAlive.Enabled" value="true"/>
					<Parameter name="Socket.KeepAlive.Time" value="30000"/>
					<Parameter name="Socket.KeepAlive.Interval" value="4000"/>
				</Environment>
			</Module>
			<Module order="2" service_name="SimpleEventThrottle">
				<Environment>
					<Parameter name="EventThrottleInEPS" value="5000"/>
				</Environment>
			</Module>
			<Module order="3" service_name="SyslogHeaderStage">
				<Environment/>
			</Module>
			<Module order="4" service_name="UDPSendStage">
				<Environment>
					<Parameter name="TargetAddress" value="172.18.X.X"/>
					<Parameter name="TargetPort" value="514"/>
				</Environment>
			</Module>
		</Instance>
	</InstanceData>
</Service>


Change the service_name for module (order 4) to UDPSendStage to TCPSendStage

 

<Service version="7.2.8" classification="Service" type="Service" module="WinCollectPlugin" name="DestinationManager">
	<Environment/>
	<InstanceData>
		<Instance name="QRadar">
			<Environment/>
			<Module order="1" service_name="StoreAndForwardStage">
				<Environment>
					<Parameter name="DataChunkPeriod" value="10"/>
					<Parameter name="DataProcessingPeriod" value="500000"/>
					<Parameter name="QueueLowWaterMark" value="750000"/>
					<Parameter name="QueueHighWaterMark" value="1000000"/>
					<Parameter name="Schedule.Enable" value="true"/>
					<Parameter name="Schedule.Invert" value="false"/>
					<Parameter name="Socket.KeepAlive.Enabled" value="true"/>
					<Parameter name="Socket.KeepAlive.Time" value="30000"/>
					<Parameter name="Socket.KeepAlive.Interval" value="4000"/>
				</Environment>
			</Module>
			<Module order="2" service_name="SimpleEventThrottle">
				<Environment>
					<Parameter name="EventThrottleInEPS" value="5000"/>
				</Environment>
			</Module>
			<Module order="3" service_name="SyslogHeaderStage">
				<Environment/>
			</Module>
			<Module order="4" service_name="TCPSendStage">
				<Environment>
					<Parameter name="TargetAddress" value="172.18.X.X"/>
					<Parameter name="TargetPort" value="514"/>
				</Environment>
			</Module>
		</Instance>
	</InstanceData>
</Service>


Create an xml named service_DestinationManager.xml with the contents above.

Use Case 4 – Add NSA Filtering to an existing log source

Existing Log Source

 

<Service version="7.2.8" classification="Service" type="DeviceType" module="DeviceWindowsLog" name="DeviceWindowsLog">
	<Environment>
		<Parameter name="DeviceThreadPoolType" value="AdaptiveThreadPool"/>
		<Parameter name="AdaptiveThreadPool.ReaderThreadsMax" value="500"/>
		<Parameter name="AdaptiveThreadPool.ReaderThreadsMin" value="5"/>
		<Parameter name="AdaptiveThreadPool.ReaderBacklogSamplePeriodMillis" value="200"/>
		<Parameter name="MinEventMonitorThreads" value="5"/>
		<Parameter name="MaxEventMonitorThreads" value="250"/>
		<Parameter name="EventLogMonitor.RetryTimeoutMillis" value="60000"/>
		<Parameter name="DefaultThrottleTimeout" value="1500"/>
		<Parameter name="DefaultEventLogPollProtocol" value="MSEVEN6"/>
	</Environment>
	<InstanceData>
		<Instance enabled="true" name="EventLogLocal">
			<Environment>
				<Parameter name="DeviceAddress" value="DESKTOP"/>
				<Parameter name="RemoteMachine" value="DESKTOP"/>
				<Parameter name="Filter.DNS Server.Enabled" value="false"/>
				<Parameter name="EventTypeFilterFailureAudit" value="true"/>
				<Parameter name="EventLogPollProtocol" value="MSEVEN6"/>
				<Parameter name="Log.Security" value="true"/>
				<Parameter name="Filter.Application.Enabled" value="false"/>
				<Parameter name="ADLookup.Enabled" value="false"/>
				<Parameter name="ThrottleTimeout" value="1000"/>
				<Parameter name="Filter.DNS Server.Param" value=""/>
				<Parameter name="Filter.File Replication Service.Enabled" value="false"/>
				<Parameter name="Filter.Application.Type" value="No Filtering"/>
				<Parameter name="Filter.Directory Service.Param" value=""/>
				<Parameter name="Log.Application" value="true"/>
				<Parameter name="Filter.System.Type" value="No Filtering"/>
				<Parameter name="Filter.DNS Server.Type" value="No Filtering"/>
				<Parameter name="Filter.Application.Param" value=""/>
				<Parameter name="Filter.System.Param" value=""/>
				<Parameter name="Log.Directory Service" value="false"/>
				<Parameter name="ADLookup.DomainControllerName" value=""/>
				<Parameter name="Log.File Replication Service" value="false"/>
				<Parameter name="Filter.Directory Service.Enabled" value="false"/>
				<Parameter name="CustomQuery.Base64" value=""/>
				<Parameter name="Filter.Security.Param" value=""/>
				<Parameter name="EventRateTuningProfile" value="High Event Rate Server"/>
				<Parameter name="Local.System" value="true"/>
				<Parameter name="EventTypeFilterError" value="true"/>
				<Parameter name="EventTypeFilterWarn" value="true"/>
				<Parameter name="EventTypeFilterInfo" value="true"/>
				<Parameter name="Filter.File Replication Service.Param" value=""/>
				<Parameter name="Filter.File Replication Service.Type" value="No Filtering"/>
				<Parameter name="EventTypeFilterSuccessAudit" value="true"/>
				<Parameter name="Filter.Directory Service.Type" value="No Filtering"/>
				<Parameter name="Filter.Security.Type" value="No Filtering"/>
				<Parameter name="Application" value="None"/>
				<Parameter name="Log.System" value="true"/>
				<Parameter name="Log.ForwardedEvents" value="false"/>
				<Parameter name="Filter.Security.Enabled" value="false"/>
				<Parameter name="Filter.System.Enabled" value="false"/>
				<Parameter name="Log.DNS Server" value="false"/>
				<Parameter name="ADLookup.DNSDomainName" value=""/>
				<Parameter name="RemoteMachinePollInterval" value="3000"/>
				<Parameter name="MinLogsToProcessPerPass" value="1250"/>
				<Parameter name="MaxLogsToProcessPerPass" value="1825"/>
				<Parameter name="Login.Handle" value="0"/>
			</Environment>
		</Instance>
	</InstanceData>
</Service>


Modify the following lines

 

<Parameter name="Filter.System.Type" value="NSAlist"/>
<Parameter name="Filter.System.Param" value="1,6,12,13,19,104,219,1001,1125,1126,1129,7000,7022,7023,7024,7026,7031,7032,7034,7045"/>
<Parameter name="Filter.System.Enabled" value="true"/>


Save to service_DeviceWindowsLog.xml and drop in the patches folder.

<Service version="7.2.8" classification="Service" type="DeviceType" module="DeviceWindowsLog" name="DeviceWindowsLog">
	<Environment>
		<Parameter name="DeviceThreadPoolType" value="AdaptiveThreadPool"/>
		<Parameter name="AdaptiveThreadPool.ReaderThreadsMax" value="500"/>
		<Parameter name="AdaptiveThreadPool.ReaderThreadsMin" value="5"/>
		<Parameter name="AdaptiveThreadPool.ReaderBacklogSamplePeriodMillis" value="200"/>
		<Parameter name="MinEventMonitorThreads" value="5"/>
		<Parameter name="MaxEventMonitorThreads" value="250"/>
		<Parameter name="EventLogMonitor.RetryTimeoutMillis" value="60000"/>
		<Parameter name="DefaultThrottleTimeout" value="1500"/>
		<Parameter name="DefaultEventLogPollProtocol" value="MSEVEN6"/>
	</Environment>
	<InstanceData>
		<Instance enabled="true" name="EventLogLocal">
			<Environment>
				<Parameter name="DeviceAddress" value="DESKTOP"/>
				<Parameter name="RemoteMachine" value="DESKTOP"/>
				<Parameter name="Filter.DNS Server.Enabled" value="false"/>
				<Parameter name="EventTypeFilterFailureAudit" value="true"/>
				<Parameter name="EventLogPollProtocol" value="MSEVEN6"/>
				<Parameter name="Log.Security" value="true"/>
				<Parameter name="Filter.Application.Enabled" value="false"/>
				<Parameter name="ADLookup.Enabled" value="false"/>
				<Parameter name="ThrottleTimeout" value="1000"/>
				<Parameter name="Filter.DNS Server.Param" value=""/>
				<Parameter name="Filter.File Replication Service.Enabled" value="false"/>
				<Parameter name="Filter.Application.Type" value="No Filtering"/>
				<Parameter name="Filter.Directory Service.Param" value=""/>
				<Parameter name="Log.Application" value="true"/>
				<Parameter name="Filter.DNS Server.Type" value="No Filtering"/>
				<Parameter name="Filter.Application.Param" value=""/>
				<Parameter name="Filter.System.Type" value="NSAlist"/>
				<Parameter name="Filter.System.Param" value="1,6,12,13,19,104,219,1001,1125,1126,1129,7000,7022,7023,7024,7026,7031,7032,7034,7045"/>
				<Parameter name="Filter.System.Enabled" value="true"/>
				<Parameter name="Log.Directory Service" value="false"/>
				<Parameter name="ADLookup.DomainControllerName" value=""/>
				<Parameter name="Log.File Replication Service" value="false"/>
				<Parameter name="Filter.Directory Service.Enabled" value="false"/>
				<Parameter name="CustomQuery.Base64" value=""/>
				<Parameter name="Filter.Security.Param" value=""/>
				<Parameter name="EventRateTuningProfile" value="High Event Rate Server"/>
				<Parameter name="Local.System" value="true"/>
				<Parameter name="EventTypeFilterError" value="true"/>
				<Parameter name="EventTypeFilterWarn" value="true"/>
				<Parameter name="EventTypeFilterInfo" value="true"/>
				<Parameter name="Filter.File Replication Service.Param" value=""/>
				<Parameter name="Filter.File Replication Service.Type" value="No Filtering"/>
				<Parameter name="EventTypeFilterSuccessAudit" value="true"/>
				<Parameter name="Filter.Directory Service.Type" value="No Filtering"/>
				<Parameter name="Filter.Security.Type" value="No Filtering"/>
				<Parameter name="Application" value="None"/>
				<Parameter name="Log.System" value="true"/>
				<Parameter name="Log.ForwardedEvents" value="false"/>
				<Parameter name="Filter.Security.Enabled" value="false"/>
				<Parameter name="Log.DNS Server" value="false"/>
				<Parameter name="ADLookup.DNSDomainName" value=""/>
				<Parameter name="RemoteMachinePollInterval" value="3000"/>
				<Parameter name="MinLogsToProcessPerPass" value="1250"/>
				<Parameter name="MaxLogsToProcessPerPass" value="1825"/>
				<Parameter name="Login.Handle" value="0"/>
			</Environment>
		</Instance>
	</InstanceData>
</Service>

 

Join The Discussion

Your email address will not be published. Required fields are marked *