Installing a WinCollect agent from the command prompt

For unattended installations, you can install the WinCollect agent from the command prompt. Use the silent installation option to deploy WinCollect agents simultaneously to multiple remote systems.

About this task

The WinCollect installer uses the following command options:

Table 1. Silent installation options for WinCollect agents
Option Valid entries and description
/qn

Runs the WinCollect agent installation in silent mode.

INSTALLDIR

The installation location for WinCollect.

If the installation directory contains spaces, add a backslash before the quotation marks.

Example: INSTALLDIR=\"C:\Program Files\IBM\WinCollect\"

AUTHTOKEN=token

For managed WinCollect agents only. Uses the previously configured Authorization Token from QRadar® to authorize the managed agent.

Example: AUTHTOKEN=af111ff6-4f30-11eb-11fb-1fc117711111
FULLCONSOLEADDRESS=host_address

The IP address, host name, or FQDN of the QRadar Console, Event processor, or Event Collector that manages the agent.

Examples:
  • FULLCONSOLEADDRESS=192.0.2.0
  • FULLCONSOLEADDRESS=EPqradar
  • FULLCONSOLEADDRESS=EPqradar.myhost.com
HOSTNAME=host name

The Hostname field assigns a name to the WinCollect agent. The value can be an identifiable name, a host name, or an IP address. In most cases, administrators can use HOSTNAME=%COMPUTERNAME% to populate this field automatically.

Examples:
  • HOSTNAME="windows-%computername%"
  • HOSTNAME=WindowsSrv1
  • HOSTNAME=%COMPUTERNAME%

The IP address or host name of the WinCollect agent host cannot contain the "at" sign, @.

STATUSSERVER

An alternative destination to send WinCollect status messages to, such as the heartbeat, if required. Set the value to an IP address to send status messages to any QRadar Console, Event Processor, or Event Collector in your deployment. Set the value to Disabled to send only a heartbeat without status messages. Set the value to None if you don't want to send a heartbeat or status messages.

LOG_SOURCE_AUTO_CREATION_ENABLED

Required. True or False.

If you enable this option, you must configure the log source parameters.

QRadar systems must be updated to V7.2.1 Patch 1 or later.

LOG_SOURCE_AUTO_CREATION_PARAMETERS

Ensure that each parameter uses the format Parameter_Name=value.

The parameters are separated with ampersands, &.

Your QRadar system must be updated to V7.2.1 Patch 1 or later.

LOG_MONITOR_SOCKET_TYPE=TCP

Sets the protocol that heartbeat and status messages are sent with to TCP. The default protocol is UDP.

Note: This option is only available in stand-alone WinCollect deployments. Availability for managed agents is planned in a later release of QRadar.

Component1.Action

Valid entry: create. Creates a new Windows event log source during the installation.

Component1.LogSourceIdentifier

The IP address or host name of the system where the agent is installed.

Component1.Destination.Name

The destination name is an alphanumeric value that specifies where a WinCollect log source sends event data. This value must be a QRadar appliance that can receive event data, such as an Event Processor, Event Collector, or QRadar Console.

Important: In managed deployments, the destination must be an "internal destination," and the name must exist in the QRadar user interface before the installation. Otherwise, the log source configuration parameters are discarded and no log sources are automatically created.

  • Internal Destination: a managed host with an event processor component.
  • External Destination: a destination that you configured as the WinCollect destination and that is not known to the Console as a Managed Host.
Component1.Dest.Hostname

(Stand alone deployments only)

The IP address or host name where you send WinCollect events.
Component1.Dest.Port

(Stand alone deployments only)

The port that WinCollect uses when it communicates with the destination.
Component1.Dest.Protocol

(Stand alone deployments only)

TCP or UDP

Component1.Dest.MaxPayloadSize

(Stand alone deployments only)

Maximum payload size sent to the destination (Default values are 1020 UDP and 32000 TCP).
Component1.Log.Security Required, True or False

The Windows Security log contains events that are defined in the audit policies for the object.

Component1.Log.System Required, True or False

The Windows System logs can contain information about device changes, device drivers, system changes, events, and operations provided by the operating system.

Component1.Log.Application Required, True or False

The Windows Application logs contain events that are triggered by software applications instead of the operating system. The logs can contain errors, information, and warning events.

Component1.Log.DNS+Server Required, True or False

The Windows DNS Server log contains DNS events.

Component1.Log.File+Replication+Service Required, True or False

The Windows File Replication Service log contains events about changed files that are replicated on the system.

Component1.Log.Directory+Service Required, True or False

The Windows Directory Service log contains events that are written by Active Directory.

Component1.RemoteMachinePollInterval The polling interval that determines the number of milliseconds between queries to the Windows host.

The minimum polling interval is 300 milliseconds. The default is 3000 milliseconds or 3 seconds.

Component1.EventRateTuningProfile

(Managed deployments only)

Select one of the following tuning profiles:
  • Default+(Endpoint)
  • Typical+Server
  • High+Event+Rate+Server

For more information, see IBM® Support (http://www-01.ibm.com/support/docview.wss?uid=swg21672193).

Component1.MaxLogsToProcessPerPass

(Stand alone deployments only)

Not required.

The maximum number of logs (in binary form) that the algorithm attempts to acquire in one pass, if remaining retrievable events exist.

Example:
Component1.MaxLogsToProcessPerPass=400
Important: This parameter can improve performance for event collection, but it can also increase processor usage. For more information, see IBM Support (http://www-01.ibm.com/support/docview.wss?uid=swg21672193).
Component1.MinLogsToProcessPerPass

(Stand alone deployments only)

Not required.

The minimum number of logs (in binary form) that the algorithm attempts to read in one pass, if remaining retrievable events exist.

Example:
Component1.MinLogsToProcessPerPass=200
Important: You can use this parameter to improve performance for event collection, but this parameter can also increase processor usage. For more information, see IBM Support (http://www-01.ibm.com/support/docview.wss?uid=swg21672193).
Component1.CoalesceEvents Not required.

Increases the QRadar event count when the same event occurs multiple times within a short time interval. Coalesced events provide a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this option is disabled, events are viewed individually and events are not bundled. New and automatically discovered log sources inherit the value from the System Settings configuration on the Console.

Component1.StoreEventPayload Not required.

Specifies that QRadar event payloads are to be stored.

Component1.Secondary Not required.

Specifies the IP address or Hostname of the Secondary destination that the Agent sends events to if the Primary destination is unreachable and the failover time has elapsed.

Component1.Failover Not required.

Specifies the failover time in seconds. If the primary destination can't be reached, the Agent starts sending events to the Secondary destination.

Attention: You need to run the command prompt as an administrative user.

Procedure

  1. Download the WinCollect agent setup file from the IBM website (www.ibm.com/support).
  2. On the Windows host, open a command prompt by using Run as Administrator.
    Important: In managed deployments, the destination name that is used during automatic log source creation must exist before the command-line installation runs. Verify the destination name in the QRadar user interface before you start the installation.
  3. Type the following command:
    wincollect-<Version_number>.x64.exe /s /v" /qn
    INSTALLDIR=<"C:\IBM\WinCollect">
    AUTHTOKEN=<token> FULLCONSOLEADDRESS=<host_address>
    HOSTNAME=<hostname> LOG_SOURCE_AUTO_CREATION_ENABLED=<true|false>
    LOG_SOURCE_AUTO_CREATION_PARAMETERS=<"parameters""">
    The following example shows a silent installation for a Stand alone WinCollect agent.
    Important: This example contains line breaks for formatting. The actual command is a single line.
    wincollect-<version_number>.x86.exe /s /v"/qn INSTALLDIR=\"C:\Program Files
    \IBM\WinCollect\" HEARTBEAT_INTERVAL=6000 LOG_SOURCE_AUTO_CREATION_ENABLED=
    True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=
    DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=
    %COMPUTERNAME%-1&Component1.LogSourceIdentifier=
    <ip_address>&Component1.Dest.Name=QRadar&Component1
    .Dest.Hostname=<ip_address>&Component1.Dest.Port=
    514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1
    .Log.System=true&Component1.Log.Application=true
    &Component1.Log.DNS+Server=false&Component1.Log.File+Replication+
    Service=false&Component1.Log.Directory+Service=false&Component1.
    RemoteMachinePollInterval=3000&Component1.EventRateTuningProfile=High+
    Event+Rate+Server&Component1.MinLogs
    ToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1875"""
    
    The following example shows a silent installation for a managed WinCollect agent.
    Important: This example contains line breaks for formatting. The actual command is a single line.
    wincollect-<version_number>.x86.exe /s /v"/qn INSTALLDIR=\"C:\Program Files
    \IBM\WinCollect\" AUTHTOKEN=1111111-aaaa-1111-aaaa-11111111
    FULLCONSOLEADDRESS=<ip_address:port> HOSTNAME=%COMPUTERNAME%
    LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS
    =""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create
    &Component1.LogSourceName=%COMPUTERNAME%&Component1.LogSourceIdentifier=
    %COMPUTERNAME%&Component1.Log.Security=true&Component1.Log.System=false
    &Component1.Log.Application=false&Component1.Log.DNS+Server=false
    &Component1.Log.File+Replication+Service=false&Component1.Log.
    Directory+Service=false&Component1.Destination.Name=Local&
    Component1.RemoteMachinePollInterval=3000&Component1.EventRate
    TuningProfile=High+Event+Rate+Server"""
  4. Press Enter.
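The managed-agent procedure above, as an added PowerShell example that is not part of the IBM documentation: it builds the ampersand-separated log source parameter string and the quoted installer arguments from a dictionary, rejects an agent host name that contains @, reads the authorization token from an environment variable instead of the script body, and runs the installer elevated. The installer file name, the WINCOLLECT_AUTHTOKEN variable, the console address qradar.example.com and the destination name Local are assumptions for this example.

```powershell
# Added example, not IBM's code. Assumes the placeholder installer name below and
# that the WINCOLLECT_AUTHTOKEN environment variable holds the QRadar token.
function Build-WinCollectLogSourceParams {
    param([System.Collections.IDictionary]$Params)
    # Parameter_Name=value pairs joined with '&'; spaces become '+' (Log.DNS+Server form).
    $pairs = foreach ($k in $Params.Keys) {
        "$k=$(([string]$Params[$k]) -replace ' ', '+')"
    }
    return ($pairs -join '&')
}
function Build-WinCollectInstallArgs {
    param([string]$InstallDir, [string]$AuthToken, [string]$ConsoleAddress,
          [string]$AgentHostname, [System.Collections.IDictionary]$LogSourceParams)
    # Documented restriction: the agent host name must not contain '@'.
    if ($AgentHostname -match '@') { throw "HOSTNAME must not contain '@'" }
    $lsap = Build-WinCollectLogSourceParams -Params $LogSourceParams
    # Quoting mirrors the documented examples: /v"..." wraps the msiexec options,
    # INSTALLDIR quotes are backslash-escaped, the parameter string sits in doubled
    # quotes, so the command line ends in """ (two escaped plus the /v closer).
    $inner = @('/qn', "INSTALLDIR=\`"$InstallDir\`"", "AUTHTOKEN=$AuthToken",
               "FULLCONSOLEADDRESS=$ConsoleAddress", "HOSTNAME=$AgentHostname",
               'LOG_SOURCE_AUTO_CREATION_ENABLED=True',
               "LOG_SOURCE_AUTO_CREATION_PARAMETERS=`"`"$lsap`"`"") -join ' '
    return "/s /v`"$inner`""
}
# The token authorizes the agent to the Console: read it from the environment rather
# than embedding it in a script that is copied to many hosts.
$token = $env:WINCOLLECT_AUTHTOKEN
if (-not $token) { throw 'WINCOLLECT_AUTHTOKEN is not set' }
$logSource = [ordered]@{
    'Component1.AgentDevice'                  = 'DeviceWindowsLog'
    'Component1.Action'                       = 'create'
    'Component1.LogSourceName'                = $env:COMPUTERNAME
    'Component1.LogSourceIdentifier'          = $env:COMPUTERNAME
    'Component1.Destination.Name'             = 'Local'   # must already exist in QRadar
    'Component1.Log.Security'                 = 'true'
    'Component1.Log.System'                   = 'true'
    'Component1.Log.Application'              = 'true'
    'Component1.Log.DNS Server'               = 'false'
    'Component1.Log.File Replication Service' = 'false'
    'Component1.Log.Directory Service'        = 'false'
    'Component1.RemoteMachinePollInterval'    = 3000
    'Component1.EventRateTuningProfile'       = 'Typical Server'
}
$installArgs = Build-WinCollectInstallArgs -InstallDir 'C:\Program Files\IBM\WinCollect' `
    -AuthToken $token -ConsoleAddress 'qradar.example.com' -AgentHostname $env:COMPUTERNAME `
    -LogSourceParams $logSource
$installer = '.\wincollect-<version_number>.x64.exe'   # placeholder; use the downloaded file
$proc = Start-Process -FilePath $installer -ArgumentList $installArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "WinCollect installer exited with code $($proc.ExitCode)" }
```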