WinCollect log file

The WinCollect log file provides information about your deployment. Logs provide valuable information for troubleshooting issues.

WinCollect log overview

WinCollect generates log event extended format (LEEF) messages during installation and configuration and writes them to a single log file. The server in the Status Server field receives the LEEF messages through the syslog. These messages report on the status of the WinCollect service, authorization token, configuration, and more.


The following example displays a LEEF message that alerts administrators that the WinCollect agent is generating more events than the log source is tuned for.

<13>Sep 22 09:07:56 IPADDRESS LEEF:1.0|IBM|WinCollect|7.2|3| msg=Reopening event log due to falling too far behind (approx 165 logs skipped). Incoming EPS r.avg/max = 150.50/200.00. Approx EPS possible with current tuning = 40.00
For more information, see Log Source Event Rates and Tuning Profiles.
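A "falling too far behind" message means the agent skipped events, so each one marks a gap in the collected Windows logs. The following Python parser is an added example, not IBM code: it extracts the skipped count and EPS figures from such a message. The function names are hypothetical, and the message wording is assumed to match the single example on this page.

```python
import re

# Constructed sample: the example message from this page on one line.
SAMPLE = ("<13>Sep 22 09:07:56 IPADDRESS LEEF:1.0|IBM|WinCollect|7.2|3| "
          "msg=Reopening event log due to falling too far behind "
          "(approx 165 logs skipped). Incoming EPS r.avg/max = 150.50/200.00. "
          "Approx EPS possible with current tuning = 40.00")

NUM = r"\d+(?:\.\d+)?"
# LEEF 1.0 header: LEEF:version|vendor|product|product version|event ID|attributes
LEEF_RE = re.compile(
    r"LEEF:(?P<leef>[\d.]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)"
    r"\|(?P<version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$", re.S)
# Wording assumed from the page's example; other releases may differ.
TUNING_RE = re.compile(
    r"falling too far behind \(approx (?P<skipped>\d+) logs skipped\)\. "
    rf"Incoming EPS r\.avg/max = (?P<avg>{NUM})/(?P<max>{NUM})\. "
    rf"Approx EPS possible with current tuning = (?P<possible>{NUM})")

def parse_tuning_alert(line):
    """Return a dict for a WinCollect tuning message, or None for other lines."""
    header = LEEF_RE.search(line)
    if not header or header["product"] != "WinCollect":
        return None
    # Collapse whitespace so a message wrapped across lines still matches.
    attrs = " ".join(header["attrs"].split())
    hit = TUNING_RE.search(attrs)
    if not hit:
        return None
    avg, peak, possible = (float(hit[k]) for k in ("avg", "max", "possible"))
    return {
        "agent_version": header["version"],
        "skipped": int(hit["skipped"]),
        "eps_avg": avg,
        "eps_max": peak,
        "eps_possible": possible,
        # How far the average incoming rate exceeds what the tuning can read.
        "overload_ratio": round(avg / possible, 2) if possible else None,
    }

def find_collection_gaps(lines):
    """Return parsed alerts; each one marks events that the agent skipped."""
    return [a for a in map(parse_tuning_alert, lines) if a]

if __name__ == "__main__":
    for alert in find_collection_gaps([SAMPLE]):
        print(alert)
```

An overload ratio above 1 means the log source receives events faster than its current tuning can read them, so the skipped count keeps growing until the tuning changes.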

You search for syslog messages by using the IP address of the WinCollect agent. QRadar® tracks information from the audit log to determine when log sources are created, when searches are run, and so on.

WinCollect log types

The default log directory is C:\Program Files\IBM\WinCollect\logs\. The log file is named WinCollect.log.

Each log entry is tagged with an identifier that indicates the entry type:
  • System
  • Code
  • Device

WinCollect log sample

The following table describes the types of log entries in the WinCollect log file.

Table 1. WinCollect log entry types

Log Entry Type: Description

System: Indicates system information, such as the operating system that the agent is installed on, RAM and CPU information from the operating system, service start-up information, and WinCollect version information.

Code: Indicates information about spillover and cache messages, file reader messages, authorization token messages, IP address or host name information for the local host, issues with destinations, log source auto-creation, stand-alone mode messages, and thread or process start-up and shutdown messages. Use these entries to investigate the WinCollect configuration. Code entries do not provide information about event collection.

Device: Created when WinCollect collects events, by the protocols that run event log collection. The following issues are logged as Device entries:
  • Loading Plug-in
  • Connection issues
  • Permission or Authentication
  • Windows error codes (hex value codes provided by the operating system, such as 0x000005 access denied)
  • File path or location
  • Event log is overdue to be polled
  • Event log transactions
  • RPC is unavailable (unable to find the location that you specified)
  • Reopening due to falling too far behind (tuning messages)

Disk space management for log files

WinCollect manages disk space for logs by generating a "_1" version when the log size exceeds 20 MB. After a "_5" version is created, WinCollect deletes the oldest version of the log.

WinCollect also manages disk space by archiving checkpoint folders. When QRadar updates WinCollect with new code, the checkpoint folders store a backup of the replaced code. WinCollect archives the oldest patch checkpoint folder after 10 are created. WinCollect creates an archive folder that contains a list of files in the patch checkpoint folder, and a compressed file of the AgentConfig.xml file. WinCollect then deletes the patch checkpoint folder that it archived.