IBM Support

Wincollect Agent error message: 'configuration file fingerprints don't match'

Troubleshooting


Problem

The error message:  'WinCollect Agent mismatch. RetrieveConfigurationUpdate succeeded, but the configuration file fingerprints don't match' is generated when a version mismatch exists between the QRadar Console and a managed WinCollect agent. Administrators who experience this error message can confirm software versions are identical between their QRadar appliance and managed WinCollect agents.

Cause

The WinCollect version on the QRadar Console displays a different version than what is installed on the Windows host and generates an error. In most cases, this is due to the Windows hosts being updated using the EXE. There are two methods to confirm the error message:

 
  1. To view error messages from an individual agent, administrators can select the QRadar Admin tab and click the WinCollect icon. Select your agent and click Show Events to display all log activity search for all status messages from the WinCollect agent sorted by newest event. Status messages from the WinCollect agent will include information, warning, and error messages from the selected WinCollect agent.
     
  2. Administrators who have access to the remote Windows host should verify the following message in C:\Program Files\IBM\WinCollect\WinCollect.log
    INFO SRV.System.WinCollectSvc.Service : Config change (or patch) detected on configuration server. Attempting to download and extract...
    INFO SRV.Code.ConfigurationPatchStrategy : Retrieving Configuration Update
    ERROR SRV.Code.ConfigurationPatchStrategy : RetrieveConfigurationUpdate succeeded, but the configuration file fingerprints don't match, exp:[FINGERPRINT INFORMATION]  act:[FINGERPRINT INFORMATION] 
    WARN SRV.System.WinCollectSvc.Service : Config change (or patch) download failed validation. Not applying.

Diagnosing The Problem

To verify the version of WinCollect is installed in QRadar, use one of the following procedures based on your installation type:

For Managed WinCollect agents

  1. From the Console command line as root user type: /opt/qradar/support/WinCollectHealthCheck.sh -d
    image-20190626165245-2
    Figure 1: Output displays information on the WinCollect software installed on the Console. AgentCore is the WinCollect application in QRadar.

  2. Compare this to the version list for all managed WinCollect Agents from the WinCollectHealthSummary utility or to the version list in the user interface:
    Agent Name          Version            Time of last heartbeat         Location of Config File
    LAPTOP-N1002211     7.2.9.72           2019-05-29 14:34:53.102        192.168.0.80
    LAPTOP-A9354424     7.2.9.72           2019-05-29 14:34:52.912        192.168.0.80
    LAPTOP-LALM1223     7.2.9.72           2019-05-29 14:34:54.932        192.168.0.80
    LAPTOP-GAL22392     7.2.9.72           2019-05-29 14:34:53.906        192.168.0.80

  3. Optional. Administrators can use the agent list from the user interface to verify their WinCollect agent versions (Admin tab > WinCollect).
    image-20190524150810-2
    Figure 2: Review the Version column to determine the software version for a WinCollect agent to determine if it differs from the AgentCore version listed.

    Results
    Administrators should note the version difference between the Console install 7.2.8-145 and the version on the Windows hosts 7.2.9-72. If there are version differences, fingerprint error messages can be displayed in logs and status events. The administrator will need to ensure that the software versions match is resolved to prevent future errors.


 

Resolving The Problem

To resolve this issue, download the latest WinCollect Agent SFS package and install it on the QRadar Console. A maintenance window should be scheduled before you begin a WinCollect upgrade. Depending on your version, services might be required to restart to complete the install, which will interrupt event collection from all event sources.
 
  1. Download the latest WinCollect SFS file from IBM Fix Central.
  2. Using SSH, log in to your Console as the root user. The SFS file is only installed on the QRadar Console. There is no need to install the WinCollect SFS on non-Console appliances.
  3. Copy the WinCollect SFS file to the /tmp directory on the QRadar Console. If space in the /tmp directory is limited, copy the SFS to another location that has sufficient space, such as the /storetmp directory on QRadar 7.3.x Consoles.
  4. To verify that the mount point /media/updates exists, type: mkdir -p /media/updates
  5. To mount the SFS file, type the command for your QRadar version:
    • QRadar 7.2.x: mount -o loop -t squashfs 720_QRadar_wincollectupdate-<version>.sfs /media/updates
    • QRadar 7.3.x: mount -o loop -t squashfs 730_QRadar_wincollectupdate-<version>.sfs /media/updates
  6. Install the WinCollect SFS file: /media/updates/installer
    NOTE: To proceed with the WinCollect Agent update services need to be restarted on QRadar to apply protocol updates. The following message is displayed:
    WARNING: Services need to be shutdown in order to apply patches. This will cause an interruption to data collection and correlation.
    Do you wish to continue (Y/N)?
  7. To continue with the update, type Y to continue.
  8. When the update completes, remove the mounted SFS file with the following command: umount /media/updates

    Results
    Administrators should verify if any agents have automatic updates disabled. WinCollect agents that have the Automatic Updates Enabled column as 'False' will need to click the Enable/Disable Automatic Updates button in the WinCollect user interface to set the Automatic Update Enabled status to 'True'. Software updates for managed agents are only allowed to send software updates to remote Windows hosts when Automatic Updates Enabled displays 'True'.

     

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtwAAA","label":"WinCollect"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Document Information

Modified date:
03 November 2021

UID

ibm10884596

Page Feedback