IBM Support

IJ27857: WINDOWS 10 HOSTS UPDATED TO BUILD 2004 CAN RESET EVENTRECORDID VALUES TO 1 CAUSING WINCOLLECT ISSUES


APAR status

  • Closed as program error.

Error description

  • WinCollect agents installed on Microsoft Windows 10 hosts that
    were upgraded to build 2004 can stop sending events to QRadar.
    The issue was reported after administrators updated Windows 10
    from build 1909 to build 2004.
    
    WinCollect agents track event collection by using the
    EventRecordID value that the Event Viewer assigns to each event.
    For each event log type, the agent keeps a file in
    C:\ProgramData\WinCollect\Data\PersistenceManager with a cursor
    entry, which records the next event in the Event Viewer that
    WinCollect needs to parse and send. When Windows is updated to
    Windows 10 build 2004, the operating system resets the
    EventRecordID values to 1 in the Event Viewer for all event log
    types. Because the stored cursor still holds the pre-upgrade
    value, the agent sends no events until the EventRecordID in the
    Event Viewer climbs back up to the last polled cursor value.
    Events written on the host during that window are not forwarded
    to QRadar.
    
    This APAR is intended to alert administrators of this operating
    system change in Windows 10 feature build 2004. WinCollect agents
    at all versions are affected by the EventRecordID reset in
    Windows 10 build 2004. Administrators who plan to update Windows
    10 systems to feature build 2004 ought to alert their teams to
    this EventRecordID reset issue.
    

Local fix

  • Workaround
    
    1. Log in to the Windows host that runs the WinCollect agent.
    2. Stop the WinCollect service.
    3. Navigate to C:\ProgramData\WinCollect\Data\PersistenceManager.
    4. Delete all files in the PersistenceManager directory.
    5. Start the WinCollect service.
    
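The workaround above, automated as an added PowerShell example that is not part of the APAR or IBM's own tooling: it first reports the newest EventRecordID in each log so an administrator can see whether the counters were reset, then, only when run with -Apply, performs steps 2 to 5. It assumes the WinCollect service is registered under the name 'WinCollect' and reads the Windows release from the ReleaseId registry value; both are assumptions, not statements from the APAR.

```powershell
# Added example (not IBM's code). Reports EventRecordID state, then optionally
# applies the APAR workaround: stop WinCollect, delete cursor files, start it.
param(
    [string]$ServiceName = 'WinCollect',   # assumed service name
    [string]$PersistencePath = 'C:\ProgramData\WinCollect\Data\PersistenceManager',
    [string[]]$LogNames = @('Application', 'Security', 'System'),
    [switch]$Apply
)

# Windows 10 release identifier, to match the host against feature build 2004.
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
Write-Host "Windows ReleaseId: $release"

# Newest EventRecordID per log. Get-WinEvent returns newest first, so one event
# is enough. After the build 2004 upgrade these counters restart at 1, so a value
# far below what the host normally accumulates is the sign of a reset.
foreach ($log in $LogNames) {
    try {
        $newest = Get-WinEvent -LogName $log -MaxEvents 1 -ErrorAction Stop
        Write-Host ("{0,-12} newest EventRecordID = {1}" -f $log, $newest.RecordId)
    }
    catch {
        Write-Warning "Could not read log '$log': $($_.Exception.Message)"
    }
}

if (-not $Apply) {
    Write-Host 'Run again with -Apply to reset the WinCollect cursor files.'
    return
}

# Steps 2 to 5 of the workaround. Stop-Service waits for the stop to complete.
Stop-Service -Name $ServiceName -ErrorAction Stop
$files = Get-ChildItem -Path $PersistencePath -File -ErrorAction Stop
Write-Host ("Removing {0} cursor file(s) from {1}" -f $files.Count, $PersistencePath)
$files | Remove-Item -Force
Start-Service -Name $ServiceName
Write-Host ("{0} service status: {1}" -f $ServiceName, (Get-Service -Name $ServiceName).Status)
```

Run it from an elevated PowerShell session, since reading the Security log and controlling the service both require administrator rights.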

Problem summary

  • Identical to the Error description above.
    

Problem conclusion

  • This issue was fixed in WinCollect version 7.3.0 P1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ27857

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    730

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-09-11

  • Closed date

    2020-10-27

  • Last modified date

    2020-10-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

  • IBM Security QRadar SIEM (Security Software), version 730, Platform Independent

Document Information

Modified date:
28 October 2020