Hardware and software requirements for the WinCollect host

Verify that the Windows-based computer that hosts the WinCollect agent meets the minimum hardware and software requirements.

Hardware and virtual machine requirements

The following table describes the minimum hardware requirements for local collection:

Table 1. Hardware and VM requirements for local collection by using WinCollect

| Requirement | Description |
|---|---|
| Memory | The WinCollect agent has a low memory footprint. The following numbers were generated on virtual machines (VMs) with two logical cores and 2-4 GB of memory. 1 event per second (EPS) or less: 9 MB; 100 EPS or less: 10.5 MB; 2,500 EPS or less: 15 MB; 5,000 EPS or less: 20 MB |
| Processor | Intel Core i3 or equivalent. Systems were tested on VMs with two cores and 2-4 GB of memory. |
| Available processor resources | 0-35%, depending on CPU, EPS, and number of endpoints polled. See the following table for examples. High EPS rates have a direct effect on the average CPU used by the WinCollect agent. |
| Disk space | 100 MB for software, plus up to 100 MB for files. Up to 6 GB might be required if you store events to disk. |

Note: WinCollect CPU and memory loads depend on several factors, including the number of events per second that are being processed.

The following table shows the resources that are used by WinCollect in testing environments with various hardware configurations and EPS counts.

Table 2. Comparison of tested WinCollect environments (local polling)

| Profile | Type | OS | RAM | Cores | Avg EPS | RAM used | Avg CPU |
|---|---|---|---|---|---|---|---|
| Maximum EPS | VM | Windows 2019 Server | 4 GB | 2 | 5,000 | 20 MB | 32% |
| High EPS | VM | Windows 2019 Server | 4 GB | 2 | 2,500 | 15 MB | 18% |
| Medium EPS | VM | Windows 2019 Server | 4 GB | 2 | 100 | 10.5 MB | 1.2% |
| Low EPS | VM | Windows 2019 Server | 4 GB | 2 | <1 | 9 MB | <1% |

Similar results were found when testing Windows 2016 Server.

A lesser-provisioned Windows 10 VM yielded similar results.

Table 3.

| Profile | Type | OS | RAM | Cores | Avg EPS | RAM used | Avg CPU |
|---|---|---|---|---|---|---|---|
| High EPS | VM | Windows 10 | 2 GB | 2 | 2500 | 11 MB | 22% |
| Medium EPS | VM | Windows 10 | 2 GB | 2 | 100 | 5.5 MB | 1.5% |
| Low EPS | VM | Windows 10 | 2 GB | 2 | <1 | 5.5 MB | <1 |

The following table describes the minimum hardware requirements for remote collection:

Table 4. Hardware and VM requirements for remote collection by using WinCollect

| Requirement | Description |
|---|---|
| Memory | 5 endpoints or less: 80 MB; 250 endpoints or less: 293 MB; 500 endpoints or less: 609 MB |
| Processor | Intel Core i3 or equivalent |
| Available processor resources | Approximately 20%, depending on CPU, EPS, and number of endpoints polled. |
| Disk space | 100 MB for software, plus up to 100 MB for files. Up to 6 GB might be needed if you store events to disk. |

Note: WinCollect CPU and memory loads depend on several factors, including the number of events per second that are being processed and the number of remote endpoints that are being polled.

Table 5. Comparison of tested WinCollect environments (remote polling)

| Profile | Type | OS | RAM | Cores | Endpoints polled | Avg EPS | RAM used | Avg CPU |
|---|---|---|---|---|---|---|---|---|
| High EPS Low Device Count | VM | Windows 2016 Server | 12 GB | 8 | 6 | 3,000 | 78 MB | 6.5% |
| Medium EPS and Device count | VM | Windows 2016 Server | 12 GB | 4 | 250 | 2,500 | 290 MB | 14% |
| High EPS High Device count | VM | Windows 2016 Server | 16 GB | 8 | 500 | 5,000 | 605 MB | 10.75% |

Software requirements

The following table describes the software requirements:

Table 6. Software requirements

| Requirement | Description |
|---|---|
| Operating system | Windows Server 2022 (including Core); Windows Server 2019 (including Core); Windows Server 2016 (including Core); Windows 10 |
| Distribution | One WinCollect agent for each Windows host. |
| Required user role permissions for installation | Administrator, or local administrator. Administrative permissions are not needed for remote collection. |

Important: WinCollect is not supported on versions of Windows that are designated end-of-life by Microsoft. After the software is beyond the Extended Support End Date, the product might still function as expected. However, IBM® does not make code or vulnerability fixes to resolve WinCollect issues for older operating systems. For example, Microsoft Windows Server 2003 R2 and Microsoft Windows XP are operating systems that are beyond the "Extended Support End Date." Any questions about this announcement can be discussed in the IBM QRadar® Collecting Windows Events (WMI/ALE/WinCollect) forum. For more information, see https://support.microsoft.com/en-us/lifecycle/search.
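
A preinstallation check of a prospective host against the requirements on this page, as an added example that is not IBM tooling. The parameter names, the choice of the system drive as install location, and the treatment of the 6 GB figure as a total are assumptions; the two-core check reflects the tested configuration, not a stated minimum.

```powershell
# Added example (not IBM tooling): preflight check of a prospective WinCollect
# host against the requirements on this page. Exits 1 if any check fails.
param(
    [int]$ExpectedAgentMB = 20,        # from the memory rows, e.g. 20 (5,000 EPS local) or 609 (500 endpoints remote)
    [switch]$StoreEventsToDisk,        # selects the 6 GB disk figure
    [string]$Drive = $env:SystemDrive  # assumption: the agent installs to the system drive
)

$supportedOs = 'Windows Server 2022', 'Windows Server 2019', 'Windows Server 2016', 'Windows 10'
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$Drive'"

# Disk: 100 MB software + up to 100 MB files, or up to 6 GB when events are
# stored to disk (assumption: the 6 GB figure is treated as the total).
$needDiskMB = if ($StoreEventsToDisk) { 6 * 1024 } else { 200 }
$freeDiskMB = [math]::Floor($disk.FreeSpace / 1MB)
$freeMemMB  = [math]::Floor($os.FreePhysicalMemory / 1KB)   # property is reported in KB

# Installation requires Administrator or local administrator.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Caption looks like "Microsoft Windows Server 2019 Standard"; unlisted or
# end-of-life releases do not match and fail the check.
$osMatch = @($supportedOs | Where-Object { $os.Caption -like "*$_*" }).Count -gt 0

$results = @(
    [pscustomobject]@{ Check = 'Supported operating system'; Found = $os.Caption
                       Required = $supportedOs -join ', '; Pass = $osMatch }
    [pscustomobject]@{ Check = 'Free disk space (MB)'; Found = $freeDiskMB
                       Required = $needDiskMB; Pass = $freeDiskMB -ge $needDiskMB }
    [pscustomobject]@{ Check = 'Free physical memory (MB)'; Found = $freeMemMB
                       Required = $ExpectedAgentMB; Pass = $freeMemMB -ge $ExpectedAgentMB }
    [pscustomobject]@{ Check = 'Logical cores (tested configuration)'; Found = $cs.NumberOfLogicalProcessors
                       Required = 2; Pass = $cs.NumberOfLogicalProcessors -ge 2 }
    [pscustomobject]@{ Check = 'Session has administrator role'; Found = $isAdmin
                       Required = $true; Pass = $isAdmin }
)

$results | Format-Table -AutoSize -Wrap
if ($results.Pass -contains $false) { exit 1 }
```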