IBM Support

How to convert managed WinCollect to Stand-alone for QRadar on Cloud migrations

Troubleshooting


Problem

Administrators who convert from on-premise to QRadar on Cloud (QRoc) must convert all WinCollect agents to stand-alone mode. This procedure outlines how to convert WinCollect agents.

Resolving The Problem

To complete this procedure, you must have administrator access to both QRadar and the Windows host. Administrators can use the following procedure to convert managed WinCollect agents to stand-alone mode for migrations from on-premise to QRadar on Cloud deployments. WinCollect agents in stand-alone mode must send their events to the Data Gateway appliances to be received by QRadar on Cloud.

1. Verify the number of Managed WinCollect hosts and their versions

  1. Log in to the QRadar Console as an administrator.
  2. Click the navigation menu (☰), and then click Admin to open the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the WinCollect icon.
  5. Record the number of WinCollect agents and their version to plan your migration.

2. Convert an agent from Managed to Stand-alone WinCollect

  1. On the WinCollect host, open a text editor such as Notepad as an administrative user.
  2. Navigate to the WinCollect installation directory.
    The default installation directory is C:\Program Files\IBM\WinCollect\config
  3. Edit the file install_config.txt.
  4. In the ConfigurationServer field, clear the IP or Hostname. For example, ConfigurationServer=
  5. In the StatusServer field, type the Data Gateway IP address. For example, StatusServer=<Data Gateway IP>
  6. Save the changes.
  7. Restart the WinCollect agent service.
  8. To confirm stand-alone mode, review the log files in C:\Program Files\IBM\WinCollect\logs\WinCollect.log
  9. Agents configured for stand-alone mode display the following message when the service starts:
    01-14 23:27:12.152 INFO  Code.ConnectionFactory : No configuration server was specified in the install parameters; operating in 'stand-alone' mode (configuration updates must be manually applied).
    01-14 3:27:12.152 INFO  System.ComponentFactory : Service ConnectionFactory v7.2.9 initialized
  10. Repeat this procedure for each WinCollect agent you want to configure in stand-alone mode.
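
The following PowerShell script is an added example, not IBM-supplied code, that performs steps 3 through 9 of this procedure on one host: it edits the two fields, restarts the service, and checks only the log lines written after the restart for the stand-alone message. Assumptions: the Windows service is named WinCollect, install_config.txt holds one key=value pair per line in an encoding that Set-Content's default preserves, and the parameter names are illustrative.

```powershell
# Added example (not IBM-supplied). Run from an elevated PowerShell prompt on the WinCollect host.
param(
    [Parameter(Mandatory)] [string] $DataGateway,              # Data Gateway IP for your deployment
    [string] $Root        = 'C:\Program Files\IBM\WinCollect', # default install path from this article
    [string] $ServiceName = 'WinCollect'                       # assumption: confirm with Get-Service
)
$ErrorActionPreference = 'Stop'
$cfg = Join-Path $Root 'config\install_config.txt'
$log = Join-Path $Root 'logs\WinCollect.log'

# Rewrite only the two fields named in the procedure; all other lines pass through unchanged.
$found = @{ ConfigurationServer = $false; StatusServer = $false }
$new = @(Get-Content -Path $cfg | ForEach-Object {
    if ($_ -match '^\s*ConfigurationServer\s*=') {
        $found.ConfigurationServer = $true; 'ConfigurationServer='
    } elseif ($_ -match '^\s*StatusServer\s*=') {
        $found.StatusServer = $true; "StatusServer=$DataGateway"
    } else { $_ }
})
$missing = @($found.Keys | Where-Object { -not $found[$_] })
if ($missing) { throw "Field(s) not found in ${cfg}: $($missing -join ', '); file left unchanged." }

# Keep a timestamped backup so the managed configuration can be restored.
Copy-Item -Path $cfg -Destination "$cfg.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
Set-Content -Path $cfg -Value $new

# Remember the current log length so that only lines written after the restart are checked.
$skip = if (Test-Path $log) { @(Get-Content -Path $log).Count } else { 0 }
Restart-Service -Name $ServiceName

$marker = "operating in 'stand-alone' mode"
$hit = $null
foreach ($i in 1..12) {                       # poll for up to 60 seconds
    Start-Sleep -Seconds 5
    if (-not (Test-Path $log)) { continue }
    $lines = @(Get-Content -Path $log)
    if ($lines.Count -lt $skip) { $skip = 0 } # log was rotated during the restart
    $hit = $lines | Select-Object -Skip $skip |
        Select-String -SimpleMatch -Pattern $marker | Select-Object -First 1
    if ($hit) { break }
}
if ($hit) {
    Write-Output "Stand-alone mode confirmed: $($hit.Line)"
} else {
    Write-Warning "No stand-alone message within 60 seconds; review $log before relying on this agent."
}
```

A host that ends on the warning has not confirmed stand-alone mode, so treat its event flow as unverified until the log and step 5 of this article both check out.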


     

3. Install the Configuration Console

  1. Verify the WinCollect agent software version installed in Windows™ by locating the WinCollect entry in the Control Panel application.
  2. Download the WinCollect Stand-alone patch installer of the same version. Visit WinCollect 101 for links to download Stand-alone WinCollect.
  3. Before installation, ensure the Windows™ host meets the prerequisites.
    • A supported version of Windows™ or Windows™ Server.
    • Confirm .Net Framework version 3.5 is installed.
    • Confirm Microsoft™ Management Console (MMC) version 3.0 or greater is installed.
    • Confirm that the version of Stand-alone WinCollect matches the installed Agent version or greater.
  4. Run the Stand-alone patch installer as an administrator.

    Note: If install_config.txt on your WinCollect host is not configured correctly, a pop-up message is displayed when you install stand-alone WinCollect.
  5. Highlight the WinCollect Configuration Console application.
  6. Click Next.
  7. Click Install.
    Note: The Stand-alone patch installer also updates the Agent to the same version.
     

4. Configure log sources to use the Data Gateway destination

  1. On the Windows™ host, click Start > IBM > WinCollect Configuration Console.
  2. Expand Destinations.
  3. Click the Syslog TCP or Syslog UDP destination requiring editing.
  4. Update the Name Field and confirm the Hostname / IP address.

  5. Click Actions > Deploy Changes.
  6. Expand Devices to view individual log sources.
  7. Double-click each log source and confirm the destination is configured as the Data Gateway appliance.
  8. Click Add and select the destination for your Data Gateway appliance.
  9. Click Deploy Changes to save your configuration changes.

5. Verify your WinCollect host is sending events

  1. Log in to the QRadar Console.
  2. Click the Log Activity tab.
  3. Click Add Filter > Parameter: Log Source [Indexed] > Operator: Equals any of > Log Source Filter: Add WinCollect Log sources to the filter list.

  4. Click Add Filter.
  5. Verify events for your Log Source are displayed.

   

Document Location

Worldwide


Document Information

Modified date:
01 September 2022

UID

ibm11285426