To manage a deployment of WinCollect agents from the QRadar® user interface, you must first upgrade your QRadar Console to a supported version of WinCollect by installing the WinCollect Agent SFS Bundle. The bundle contains the protocols that the Console needs to communicate with the managed WinCollect agents on your Windows hosts. You upgrade both the Console and the managed agents to a newer WinCollect version by installing a newer SFS Bundle on the Console; the agents then pick up the new code at their next configuration poll.
About this task
Important:
- For information about upgrading WinCollect versions v7.0 through v7.2.2, see www.ibm.com/support (http://www-01.ibm.com/support/docview.wss?uid=swg21698127).
- If WinCollect v7.2.6 or newer is installed on the QRadar Console and you then upgrade QRadar from v7.2.8 to v7.3.0 or newer, the version of WinCollect on the Console reverts to v7.2.5. The managed WinCollect agents on your Windows hosts stay at their current version and continue to send events to QRadar with their existing configuration, but they no longer receive code or configuration updates, because a Console running an older WinCollect version than its agents cannot push updates to them. After the QRadar upgrade, reinstall a WinCollect Agent SFS Bundle on the Console whose version is the same as or newer than the version your agents are currently running.
After you upgrade the Console, managed WinCollect agents that have automatic updates enabled upgrade themselves to the new WinCollect version at their next configuration polling interval. If new agent files are available for download, the agent downloads them, installs the update, and restarts the required services. No events are lost during the update because the agent buffers events to disk; event forwarding resumes when the WinCollect service on the Windows host restarts.
Important: If you reinstall QRadar on your Console, you must delete the following file on every existing WinCollect agent installation before the agent can work with the new Console: Program Files/IBM/WinCollect/config/ConfigurationServer.PEM. This file is the agent's saved copy of the Console's configuration server certificate, which a reinstalled Console no longer matches; once the file is removed, the agent obtains the new one.
Procedure
- Download the WinCollect Agent SFS Bundle installation file from the IBM® website (http://www.ibm.com/support).
Note: The installation process restarts services on the Console, which creates a gap in event
collection until services restart. Schedule the WinCollect upgrade during a maintenance window to
avoid disrupting users.
- Use SSH to log in to the QRadar Console as the root
user.
- For initial installations, create the /storetmp and /media/updates directories if they do not exist. Type the following command (the -p option makes it safe to run when the directories already exist):
mkdir -p /media/updates /storetmp
- Using a program such as WinSCP, copy the downloaded SFS file to
/storetmp on your QRadar Console.
- To change to the /storetmp directory, type the following command:
cd /storetmp
- To mount the SFS file, type the following command:
mount -t squashfs -o loop <Installer_file_name.sfs> /media/updates
Example:
mount -t squashfs -o loop 730_QRadar_wincollectupdate-7.3.0-24.sfs /media/updates
- To run the WinCollect installer, type
the following command and then follow the prompts:
/media/updates/installer
Note: To proceed with the WinCollect Agent update, you must restart services on QRadar to apply the protocol updates. The following message is displayed:
WARNING: Services need to be shutdown in order to apply patches.
This will cause an interruption to data collection and correlation.
Do you wish to continue (Y/N)?
- Type Y to continue with the update.
During the update, the installer applies the new protocol updates. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues on the Console. When you reconnect and run the installer again, the patch installation resumes where it left off. After the installation completes, services are restarted and the user interface becomes available.
Note: During installation, the following message is
displayed:
Patch 144249
This patch includes a new version of the WinCollect Configuration Server.
For this new version to run properly, the event collection service needs to be restarted.
If you choose to not restart the service, agents cannot get new configurations and code updates until you restart it.
Choices:
1. Restart event collection service at the end of the patch installation, on the Console and on all managed hosts patched from the Console.
2. Do not restart event collection service yet. You will need to restart it in the user interface (Advanced > Restart Event Collection Services).
3. Abort patch.
After
you choose an option, the patch installation continues. When it is complete, press the Enter key to
exit the patch screen.
- If you selected the second option in step 8, the event collection service has not yet been restarted and agents cannot receive new configurations or code until you restart it from the user interface. Perform the following steps:
- In the QRadar admin settings, click .
- In the QRadar admin settings, click Advanced > Restart Event Collection Services.
- To unmount the SFS file from the Console, type the following command:
umount /media/updates
- Optional: Verify that WinCollect agents are configured to accept remote
updates:
- Log in to QRadar.
- On the navigation menu, click Data Sources.
- Click the WinCollect icon.
- Review the Automatic Updates Enabled column and select WinCollect agents that have a False
value.
- Click Enable/Disable Automatic Updates.
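The console-side steps of this procedure (create the directories, mount the SFS bundle, run the installer, unmount) together with the version caveat from the Important note above can be wrapped in one script. The script below is added here as an example and is not part of the IBM documentation or the WinCollect product. It assumes a RHEL-style Console where mountpoint(1) and awk are available, that the bundle file name carries the WinCollect version the way the example name 730_QRadar_wincollectupdate-7.3.0-24.sfs does (assumed naming scheme), and that you pass the lowest version your managed agents currently run (read from the WinCollect tab) as the second argument; the installer itself remains interactive.

```shell
#!/bin/sh
# Added example (not IBM's code): wraps the documented console-side steps for
# installing a WinCollect Agent SFS Bundle and adds the pre-checks a
# practitioner wants. Run as root on the QRadar Console.
#
# Usage: ./install_wincollect_sfs.sh /storetmp/<bundle>.sfs [lowest-agent-version]

SFS_MOUNT=/media/updates      # mount point used by the documented procedure
SFS_STAGING=/storetmp         # where the bundle is copied with WinSCP

# Extract the WinCollect version from a bundle file name, e.g.
# 730_QRadar_wincollectupdate-7.3.0-24.sfs -> 7.3.0-24 (assumed naming scheme).
sfs_version_from_name() {
    base=${1##*/}
    case "$base" in
        *wincollectupdate-*.sfs)
            base=${base#*wincollectupdate-}
            printf '%s\n' "${base%.sfs}"
            ;;
        *)
            return 1
            ;;
    esac
}

# Numeric comparison of dotted/dashed versions: succeeds when $1 >= $2.
# Missing components count as 0, so 7.2.6-25 >= 7.2.6 and 7.2.5 < 7.2.6.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Refuse a bundle that is older than the agents it is supposed to manage:
# after the 7.2.8 -> 7.3.0 upgrade the Console reverts to 7.2.5, and only a
# bundle at or above the agents' version restores code and config updates.
check_bundle_version() {
    bundle_version=$(sfs_version_from_name "$1") || {
        echo "cannot read a WinCollect version from file name: $1" >&2
        return 1
    }
    if ! version_ge "$bundle_version" "$2"; then
        echo "bundle $bundle_version is older than agents at $2; pick a newer bundle" >&2
        return 1
    fi
    echo "bundle $bundle_version is compatible with agents at $2"
}

# Mount the bundle, run the interactive installer, and always unmount afterwards.
install_wincollect_sfs() {
    sfs=$1
    [ -f "$sfs" ] || { echo "bundle not found: $sfs" >&2; return 1; }
    mkdir -p "$SFS_MOUNT" "$SFS_STAGING"
    if mountpoint -q "$SFS_MOUNT"; then
        echo "$SFS_MOUNT is already mounted; unmount the previous bundle first" >&2
        return 1
    fi
    mount -t squashfs -o loop "$sfs" "$SFS_MOUNT" || return 1
    # The installer prompts (Y/N, then the 1/2/3 restart choice) and restarts
    # services on the Console, so run it attended, in a maintenance window.
    "$SFS_MOUNT/installer"
    rc=$?
    umount "$SFS_MOUNT"
    return "$rc"
}

main() {
    bundle=$1
    agents=${2:-0}   # 0 = skip the version check when no agent version is given
    check_bundle_version "$bundle" "$agents" || exit 1
    install_wincollect_sfs "$bundle"
}

if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

The version check is the part worth keeping even if you run the documented commands by hand: the Console does not stop you from installing a bundle older than your agents, and the only symptom is agents that silently stop receiving updates.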
Results
Managed WinCollect agents with automatic
updates enabled are updated and restarted. The amount of time it takes a managed agent to update
depends on the configuration polling interval for the agent and the speed of the network connections
between the Console and the agent.