IBM Support

Collecting logs for QRadar WinCollect agent issues

Question & Answer


How do you collect needed information and logs for WinCollect agent issues?


Administrators who experience issues with WinCollect agents should submit the following information with the support ticket.

Providing a problem description

  1. A description of the issue, the Windows operating systems, and any hostnames or IP addresses that are affected. For example:

    • I added 250 log sources by using the log source bulk add feature with WinCollect, and they recently stopped sending events. The last event time is The WinCollect agent name is ____ and the log sources that I want investigated are hostA (, hostB (, hostC (, and hostD ( Here is a screen capture of the log source configuration.
    • I installed a new WinCollect agent on hostnameX using the command-line installer, but it did not work. I tried several more times, but the WinCollect agent does not automatically create my log source. I have attached a text file with the installation command I used, see WC_install.txt.
  2. A compressed file that contains the /config and /logs directories for the WinCollect agent.

    Instructions for collecting the WinCollect /config and /logs directories:
    1. Log in to the Windows operating system that hosts the WinCollect agent.
    2. Click Start > All Programs > Administrative tools > Services.
    3. Select the WinCollect service.
    4. Click Stop.

    5. Click Start > All Programs > Accessories > Windows Explorer.
    6. Navigate to the WinCollect installation directory. The default path is C:\Program Files\IBM\WinCollect.
    7. To select multiple folders, press Ctrl, and select the config and logs folders.
    8. Right-click on one of the selected folders and select Send to > Compressed (zipped) folder.

    9. Log in to the IBM Security QRadar SIEM support portal to make a service request.
    10. Click Open a new service request > sign in.
    11. Attach the log file with your description of the issue to the service request ticket.
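
Steps 1 to 8 above can also be scripted from an elevated PowerShell session. This is an added example, not an IBM-provided script. It assumes the Windows service is named WinCollect and writes the archive to the temp directory; restarting the service afterwards and printing a SHA-256 hash of the archive are additions that the steps above do not include.

```powershell
# Added example: scripted equivalent of steps 1-8 (stop service, zip config and logs).
param(
    [string]$InstallDir  = 'C:\Program Files\IBM\WinCollect',  # default path from step 6
    [string]$ServiceName = 'WinCollect',                        # assumption: service name
    [string]$OutDir      = $env:TEMP                            # assumption: output location
)
$ErrorActionPreference = 'Stop'

# Resolve the two folders support asks for and fail early if either is missing.
$folders = 'config', 'logs' | ForEach-Object { Join-Path $InstallDir $_ }
foreach ($f in $folders) {
    if (-not (Test-Path -LiteralPath $f -PathType Container)) {
        throw "Missing folder: $f (check the installation directory)"
    }
}

$svc = Get-Service -Name $ServiceName
$wasRunning = $svc.Status -eq 'Running'
$zip = Join-Path $OutDir ("WinCollect_{0}_{1:yyyyMMdd_HHmmss}.zip" -f $env:COMPUTERNAME, (Get-Date))

try {
    if ($wasRunning) {
        # Stop the agent so the files are not being written while they are archived.
        Stop-Service -Name $ServiceName
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
    # Each folder is stored under its own name (config\, logs\) inside the archive.
    Compress-Archive -LiteralPath $folders -DestinationPath $zip
}
finally {
    # Addition to the documented steps: resume event collection if it was running before.
    if ($wasRunning) { Start-Service -Name $ServiceName }
}

# Record the archive path and hash to quote in the service request.
Get-FileHash -LiteralPath $zip -Algorithm SHA256 | Format-List Path, Hash
```

Review the archive before attaching it, since it leaves the host with whatever the config and logs folders contain.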


Document Information

Modified date:
16 June 2018