Setting an XPath parameter during automated installation

In WinCollect V 7.2.8 and later, you can add an XPath parameter to your command line installer for stand-alone WinCollect agent installations.

Procedure

  1. Convert your XPath to base64 encoding using https://www.base64encode.org/ or another encoding tool.
    For example, this XPath, needed to collect Windows PowerShell logs:
    <QueryList>
    <Query Id="0" Path="Windows PowerShell">
    <Select Path="Windows PowerShell">*</Select>
    </Query>
    </QueryList>
    results in this base64 conversion: PFF1ZXJ5TGlzdD4KPFF1ZXJ5IElkPSIwIiBQYXRoPSJXaW5kb3dzIFBvd2VyU2hlbGwiPgo8U2VsZWN0IFBhdGg9IldpbmRvd3MgUG93ZXJTaGVsbCI+KjwvU2VsZWN0Pgo8L1F1ZXJ5Pgo8L1F1ZXJ5TGlzdD4=
  2. Add the following code to your command line installer:
    c:\wincollect-7.2.8-91.exe /s /v"/qn STATUSSERVER=<valid IP address> LOG_SOURCE_AUTO_CREATION_ENABLED=True
    LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&
    Component1.LogSourceName=%COMPUTERNAME%&Component1.LogSourceIdentifier=%COMPUTERNAME%&
    Component1.Dest.Name=QRadar&Component1.EventLogPollProtocol=MSEVEN6&Component1.Dest.Hostname=<valid IP address>&
    Component1.Dest.Port=514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&
    Component1.Log.Application=true&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&
    Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=3000&
    Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=2500&
    Component1.CustomQuery.Base64=<base64 Xpath>&
    Component1.EventRateTuningProfile=High+Event+Rate+Server"""
    Note: Replace the following entries with valid IP addresses:
    STATUSSERVER=<valid IP address>
    Component1.Dest.Hostname=<valid IP address>
    STATUSSERVER is the location where the WinCollect agent sends status messages (such as WinCollect service starting or any agent error messages). Component1.Dest.Hostname is the location where the agent sends event logs (such as a QRadar Event Collector (EC) or Console).
    Note: Replace the following entry with the base64 conversion you created in Step 1:
    Component1.CustomQuery.Base64=<base64 Xpath>
  3. Add or remove Components or event logs to match what you want to collect.
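
One way to do the encoding in step 1 with a local script and produce the Component1.CustomQuery.Base64 entry for step 2, as an added example (not IBM's code). It assumes UTF-8 encoding with LF line endings, which reproduces the base64 string shown in step 1; the function names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

# XPath query from step 1 of this page (Windows PowerShell event log).
POWERSHELL_XPATH = """<QueryList>
<Query Id="0" Path="Windows PowerShell">
<Select Path="Windows PowerShell">*</Select>
</Query>
</QueryList>"""


def encode_xpath(xpath: str) -> str:
    """Return the base64 form of an XPath QueryList (assumed UTF-8, LF endings)."""
    # Normalise line endings so the result does not depend on the editor used.
    text = xpath.strip().replace("\r\n", "\n")
    # Reject malformed XML before it is baked into an installer command line.
    root = ET.fromstring(text)
    if root.tag != "QueryList" or root.find("Query/Select") is None:
        raise ValueError("expected <QueryList> containing <Query><Select>")
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_xpath(encoded: str) -> str:
    """Decode a CustomQuery.Base64 value, e.g. to review an existing install script."""
    return base64.b64decode(encoded, validate=True).decode("utf-8")


def custom_query_parameter(xpath: str) -> str:
    """Build the name=value pair that replaces the <base64 Xpath> entry in step 2."""
    return "Component1.CustomQuery.Base64=" + encode_xpath(xpath)


if __name__ == "__main__":
    print(custom_query_parameter(POWERSHELL_XPATH))
```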