WinCollect log file
The WinCollect log file provides information about your deployment. Logs provide valuable information for troubleshooting issues.
WinCollect log overview
WinCollect generates Log Event Extended Format (LEEF) messages during installation and configuration and writes them to a single log file. The server that is configured in the Status Server field receives the same LEEF messages over syslog. These messages report on the status of the WinCollect service, the authorization token, the configuration, and more.
The following example displays a LEEF message that alerts administrators that the WinCollect agent is generating more events than the log source is tuned for.
For more information, see Log Source Event Rates and Tuning Profiles (http://www.ibm.com/support/docview.wss?uid=swg21672193).
<13>Sep 22 09:07:56 IPADDRESS LEEF:1.0|IBM|WinCollect|7.2|3|src=MyHost.example.com dst=10.10.10.10 sev=4 log=Device.WindowsLog.EventLog.MyHost.example.com.System.Read msg=Reopening event log due to falling too far behind (approx 165 logs skipped). Incoming EPS r.avg/max = 150.50/200.00. Approx EPS possible with current tuning = 40.00
To find these status messages in QRadar®, search for syslog events by the IP address of the WinCollect agent. QRadar also tracks information from its own audit log to determine when log sources are created, when searches are run, and so on.
WinCollect log types
The default log directory is C:\Program Files\IBM\WinCollect\logs\. The log file is named WinCollect.log.
The following table describes the types of log entries in the WinCollect log file.
|Log Entry Type||Description|
|System||Indicates system information, such as the operating system that the agent is installed on, RAM and CPU information from the operating system, service start-up information, and WinCollect version information.|
|Code||Indicates information about spillover and cache messages, file reader messages, authorization token messages, IP address or host name information for the local host, issues with destinations, log source auto-creation, stand-alone mode messages, and thread or process start-up and shutdown messages. Use these entries to investigate the WinCollect configuration. Code entries do not provide information about event collection.|
|Device||Created when WinCollect collects events; describes the protocols that run event log collection. The following issues are logged as Device entries: permission or authentication failures; Windows error codes (hex values that the operating system returns, such as 0x00000005, access denied); file path or location problems; an event log that is overdue to be polled; event log transactions; RPC unavailable (the location that you specified cannot be found); reopening an event log due to falling too far behind (tuning messages).|
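The following parser reads LEEF status messages like the one quoted above, buckets each message by the entry type in the table (the first segment of its log= attribute: System, Code or Device), and pulls the event-rate figures out of the "falling too far behind" warning so that an under-tuned log source can be spotted programmatically. This is an added example, not IBM's or WinCollect's own code. It assumes the LEEF 1.0 layout of the quoted line (header fields separated by "|", attributes by a tab, or by spaces as they appear on this page) and the exact wording of the tuning message; the second and third sample lines, the Code.Configuration component name and the event IDs 1 and 2 are constructed for the example.

```python
"""Parse WinCollect LEEF status messages and flag under-tuned log sources.

Added example for this page, not IBM's code. It assumes the LEEF 1.0 layout
shown on the page (header fields separated by '|', attributes by a tab or,
as extracted on the page, by spaces) and the wording of the
"falling too far behind" message.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: line 1 is the tuning warning quoted on the page;
# lines 2 and 3 are made up in the same layout (hypothetical log= component
# names, event IDs and msg= text, not real WinCollect output).
SAMPLE_SYSLOG = """\
<13>Sep 22 09:07:56 IPADDRESS LEEF:1.0|IBM|WinCollect|7.2|3|src=MyHost.example.com dst=10.10.10.10 sev=4 log=Device.WindowsLog.EventLog.MyHost.example.com.System.Read msg=Reopening event log due to falling too far behind (approx 165 logs skipped). Incoming EPS r.avg/max = 150.50/200.00. Approx EPS possible with current tuning = 40.00
<13>Sep 22 09:08:01 IPADDRESS LEEF:1.0|IBM|WinCollect|7.2|1|src=MyHost.example.com dst=10.10.10.10 sev=1 log=Code.Configuration msg=Configuration loaded
<13>Sep 22 09:08:05 IPADDRESS LEEF:1.0|IBM|WinCollect|7.2|2|src=MyHost.example.com dst=10.10.10.10 sev=5 log=Device.WindowsLog.EventLog.MyHost.example.com.Security.Open msg=Access denied (0x00000005)
"""

HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"                                  # optional syslog PRI
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "        # BSD syslog timestamp
    r"(?P<host>\S+) "
    r"LEEF:(?P<leef>[^|]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$"
)
# LEEF 1.0 separates attributes with a tab; if no tab survived (copy/paste,
# extraction) fall back to splitting just before the next "key=" token.
ATTR_SPLIT_RE = re.compile(r"\s+(?=[A-Za-z][A-Za-z0-9_.]*=)")
EPS_RE = re.compile(
    r"Incoming EPS r\.avg/max = (?P<avg>[\d.]+)/(?P<max>[\d.]+)\.\s*"
    r"Approx EPS possible with current tuning = (?P<possible>[\d.]+)"
)
SKIPPED_RE = re.compile(r"approx (\d+) logs skipped")


@dataclass
class LeefStatus:
    priority: Optional[int]
    timestamp: str
    host: str
    event_id: str
    attrs: Dict[str, str]

    @property
    def log_type(self) -> str:
        """First segment of log=: System, Code or Device (the page's table)."""
        return self.attrs.get("log", "").split(".", 1)[0]

    @property
    def severity(self) -> int:
        return int(self.attrs.get("sev", "0"))


def parse_line(line: str) -> Optional[LeefStatus]:
    """Parse one syslog line carrying a LEEF status; None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("attrs")
    parts = raw.split("\t") if "\t" in raw else ATTR_SPLIT_RE.split(raw)
    attrs: Dict[str, str] = {}
    for part in parts:
        key, _, value = part.partition("=")
        if key:
            attrs[key] = value
    pri = m.group("pri")
    return LeefStatus(int(pri) if pri else None, m.group("ts"),
                      m.group("host"), m.group("event_id"), attrs)


def parse_syslog(text: str) -> List[LeefStatus]:
    return [s for s in (parse_line(ln) for ln in text.splitlines()) if s]


def tuning_gap(status: LeefStatus) -> Optional[Tuple[float, float, float, int]]:
    """(avg EPS, max EPS, EPS possible with current tuning, logs skipped)
    for a 'falling too far behind' message; None for any other message."""
    msg = status.attrs.get("msg", "")
    m = EPS_RE.search(msg)
    if not m:
        return None
    skipped = SKIPPED_RE.search(msg)
    return (float(m["avg"]), float(m["max"]), float(m["possible"]),
            int(skipped.group(1)) if skipped else 0)


def summarize(text: str) -> dict:
    """Count statuses per entry type and list the log sources whose average
    incoming EPS exceeds what the current tuning profile can read."""
    counts: Dict[str, int] = {}
    undertuned = []
    for st in parse_syslog(text):
        counts[st.log_type] = counts.get(st.log_type, 0) + 1
        gap = tuning_gap(st)
        if gap and gap[0] > gap[2]:
            avg, mx, possible, skipped = gap
            undertuned.append({"host": st.attrs.get("src"), "log": st.attrs.get("log"),
                               "avg_eps": avg, "max_eps": mx,
                               "possible_eps": possible, "skipped": skipped})
    return {"counts": counts, "undertuned": undertuned}


if __name__ == "__main__":
    report = summarize(SAMPLE_SYSLOG)
    print(report["counts"])
    for u in report["undertuned"]:
        print(f"{u['host']} {u['log']}: avg {u['avg_eps']} EPS vs "
              f"{u['possible_eps']} possible, ~{u['skipped']} events skipped")
```

Run it over the syslog lines that QRadar received from the agent's IP address, or over the status messages in WinCollect.log. A source whose average incoming EPS exceeds the "possible with current tuning" figure is the one to move to a higher tuning profile, as described in the Log Source Event Rates and Tuning Profiles article linked above; the skipped-event count tells you how much was already lost.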
Disk space management for log files
WinCollect manages disk space for logs by rotating the log file. When WinCollect.log exceeds 20 MB, a "_1" version is created, and further versions follow as the file keeps filling. After a "_5" version is created, WinCollect deletes the oldest version of the log.
WinCollect also manages disk space by archiving checkpoint folders. When QRadar updates WinCollect with new code, the checkpoint folders store a backup of the code that was replaced. After 10 patch checkpoint folders exist, WinCollect archives the oldest one: it creates an archive folder that contains a list of the files in that patch checkpoint folder and a compressed copy of the AgentConfig.xml file, and then deletes the patch checkpoint folder that it archived.