Hardware and software requirements for the WinCollect 10 host

Ensure that the Windows-based computer that hosts the WinCollect 10 agent meets the minimum hardware and software requirements.

Hardware and virtual machine requirements

The following table describes the minimum hardware requirements for local collection:

Table 1. Hardware or VM requirements for local collection by using WinCollect
| Requirement | Description |
|---|---|
| Memory | The WinCollect agent has a small memory footprint. The following numbers were generated on virtual machines (VMs) with two logical cores and 2-4 GB of memory. One event per second (EPS) or less: 3.5 MB. 100 EPS or less: 3.6 MB. 2,500 EPS or less: 4.6 MB. 5,000 EPS or less: 6 MB. |
| Processor | Intel Core i3 or equivalent. Systems were tested on VMs with two cores and 2-4 GB of memory. |
| Available processor resources | 0-20%, depending on CPU, EPS, and number of endpoints polled. See the following table for examples. Very high EPS rates have a direct effect on the average CPU used by the WinCollect agent. |
| Disk space | 20 MB for software, plus up to 300 MB for log files. Up to 6 GB might be required, if you store events to disk. |

Note: WinCollect CPU load depends on several factors, including the number of events per second that are being processed.
Note: EPS numbers that are listed refer to the number of events that are processed, not the number of events that are sent to QRadar. For example, if the channel being monitored is generating 500 EPS, and has a filter that is enabled on the source that prevents half of the events from being sent to QRadar, treat your EPS as 500, not 250.
Note: Enabling filtering on the agent can increase CPU usage. Different types of filters can have different impacts. For example, a text-based filter is more intensive than an ID-based filter.
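
To size a host against these figures, you need the rate at which events are written to the monitored channels, before any agent filter is applied. The following PowerShell is an added example, not IBM code: `Get-ChannelEps` is a hypothetical helper name, and the default channels and 15-minute window are assumptions.

```powershell
# Added example (not IBM code): estimate the pre-filter event rate on a host
# and compare it with the memory tiers in Table 1.
# Get-ChannelEps is a hypothetical helper name. Run from an elevated prompt;
# reading the Security log requires administrator rights.
function Get-ChannelEps {
    param(
        [string[]]$LogName = @('System', 'Application', 'Security'),
        [int]$WindowMinutes = 15
    )
    $start   = (Get-Date).AddMinutes(-$WindowMinutes)
    $seconds = $WindowMinutes * 60
    foreach ($log in $LogName) {
        # Get-WinEvent raises an error when nothing matches the filter;
        # that is a valid result here (0 events), so the error is suppressed.
        # Measure-Object counts the stream without holding every event in memory.
        $count = (Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $start } `
                    -ErrorAction SilentlyContinue | Measure-Object).Count
        [pscustomobject]@{
            Channel = $log
            Events  = $count
            EPS     = [math]::Round($count / $seconds, 2)
        }
    }
}

# If a log wrapped inside the window, older events are gone and the
# rate is underestimated; shorten the window on very busy hosts.
$perChannel = @(Get-ChannelEps)
$totalEps   = ($perChannel | Measure-Object -Property EPS -Sum).Sum

# EPS ceilings and memory figures are the ones listed in Table 1.
$tier = if ($totalEps -le 1) { '1 EPS or less: 3.5 MB' }
        elseif ($totalEps -le 100)  { '100 EPS or less: 3.6 MB' }
        elseif ($totalEps -le 2500) { '2,500 EPS or less: 4.6 MB' }
        elseif ($totalEps -le 5000) { '5,000 EPS or less: 6 MB' }
        else { 'above 5,000 EPS: outside the Table 1 figures' }

$perChannel | Format-Table -AutoSize
"Total generated EPS over the window: $totalEps"
"Table 1 memory tier: $tier"
```

The result is an average over the window, so a host with short bursts of activity can peak well above the reported rate.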

The following table shows resources that are used by WinCollect 10, using the minimum recommended provisioned test environments with various EPS counts.

Table 2. Local Collection - System, Application, Security event logs

| Profile | OS | CPU (provisioned) | Memory (provisioned) | Average CPU (agent) | Memory (agent) |
|---|---|---|---|---|---|
| Low EPS (<1) | Windows 10 | 2 cores | 2 GB | 0.0% | 2.8 MB |
| Low EPS (<1) | Server 2016 | 2 cores | 4 GB | 0.0% | 4.1 MB |
| Low EPS (<1) | Server 2019 | 2 cores | 4 GB | 0.0% | 3.5 MB |
| Medium EPS (100) | Windows 10 | 2 cores | 2 GB | 0.21% | 3.0 MB |
| Medium EPS (100) | Server 2016 | 2 cores | 4 GB | 0.12% | 4.1 MB |
| Medium EPS (100) | Server 2019 | 2 cores | 4 GB | 0.10% | 3.6 MB |
| High EPS (5000) | Windows 10 | 2 cores | 2 GB | 14% | 4.7 MB |
| High EPS (5000) | Server 2016 | 2 cores | 4 GB | 8% | 6.0 MB |
| High EPS (5000) | Server 2019 | 2 cores | 4 GB | 9% | 5.7 MB |

Table 3. Local Collection - WEF Collector. WinCollect 10 running on a WEF collector can support up to 10k EPS. When collecting events at an EPS this high, run the agent on a dedicated host.

| Profile | OS | CPU (provisioned) | Memory (provisioned) | Average CPU (agent) | Memory (agent) |
|---|---|---|---|---|---|
| WEF Collector | Server 2019 | 6 cores | 16 GB | 4.5% | 13 MB |

Table 4. Remote Collection.
Note: WinCollect CPU and memory loads depend on several factors, including the number of events per second that are being processed and the number of remote endpoints that are being polled.

| Profile | OS | CPU (provisioned) | Memory (provisioned) | EPS | Endpoints polled | Average CPU (agent) | Memory (agent) |
|---|---|---|---|---|---|---|---|
| High EPS / Low Device Count | Server 2019 | 8 cores | 16 GB | 5000 | 10 | 7.5% | 11 MB |
| High EPS / Medium Device Count | Server 2019 | 8 cores | 16 GB | 5000 | 250 | 4.8% | 36 MB |
| High EPS / High Device Count | Server 2019 | 8 cores | 16 GB | 5000 | 500 | 7.1% | 60 MB |

Software requirements

The following table describes the software requirements:

Table 5. Software requirements
| Requirement | Description |
|---|---|
| Operating system | Windows Server 2022 (including Core), Windows Server 2019 (including Core), Windows Server 2016 (including Core), Windows 10, Windows 11 |
| Distribution | One WinCollect agent for each Windows host. |
| Required user role permissions for installation | Administrator, or local administrator |

Important: WinCollect is not supported on versions of Windows that are designated end-of-life by Microsoft. After software is beyond the Extended Support End Date, the product might still function as expected. However, IBM® does not make code or vulnerability fixes to resolve WinCollect issues for older operating systems. For example, Microsoft Windows Server 2003 R2 and Microsoft Windows XP are operating systems that are beyond the "Extended Support End Date." Any questions about this announcement can be discussed in the IBM QRadar® Collecting Windows Events (WMI/ALE/WinCollect) forum. For more information, see https://support.microsoft.com/en-us/lifecycle/search.