IBM Support

WinCollect: How to Change the Port Used to Manage WinCollect Agents

How To


Summary

How do I configure QRadar to use a port other than 8413 to manage WinCollect agents?

Objective

QRadar appliances (Event Collector, Event Processor, Console) use TCP port 8413 by default to send configuration and software updates to managed WinCollect agents. Some corporate security policies prevent network administrators from using default ports as part of their network obfuscation strategy. If you are required to change the default port used by WinCollect, edit the WinCollectConfigServer.vm file and change the value for "Port". The WinCollectConfigServer.vm file contains the settings for the WinCollect Configuration Server protocol that QRadar uses to communicate with managed WinCollect agents.

Steps

Before you begin
 
  • Important: If you cannot access the host where your WinCollect agent is installed, do not begin this procedure. Port values are defined on both the WinCollect agent and the QRadar appliance. If you change the port value in the .vm file, managed WinCollect agents cannot receive log source or software updates until they are updated to use a matching port number. Administrators with 5,000 WinCollect agents deployed must edit the file C:\Program Files\IBM\WinCollect\config\install_config.txt on every agent to restore managed WinCollect communication.
  • Important: Changes to values other than the Port parameter in the WinCollectConfigServer.vm file can cause catastrophic failures.
  • Upgrade notice: If you upgrade the QRadar Console with a newer version of the WinCollect SFS file, WinCollect defaults to TCP port 8413 for all managed agent communication. You must repeat this procedure after you upgrade your WinCollect version to restore WinCollect management communication on your custom port value.
  • This procedure is intended for administrators who are within their scheduled maintenance window, because service restarts are required.
  • Create a backup of the WinCollect configuration file before you make any changes. This procedure includes a copy command for the WinCollectConfigServer.vm file.
  • If you are unsure of any step provided in this technical note, you can contact QRadar Support for assistance.

Procedure
  1. Using SSH, log in to the Console as the root user.
  2. Navigate to the following directory: /opt/qradar/conf/templates/configservices/pluggablesources/
  3. To create a backup of the WinCollectConfigServer.vm file before you begin, type the following command: cp /opt/qradar/conf/templates/configservices/pluggablesources/WinCollectConfigServer.vm /root/WinCollectConfigServer_old.vm
  4. To edit the file, type the following command: vim WinCollectConfigServer.vm
  5. Press i to edit the file in Insert Mode.
  6. Using the arrow keys, update the Port parameter.
    For example, TCP 5140 is defined as the custom port parameter: <parameter type="Port">5140</parameter>
  7. Press Esc to exit Insert Mode.
  8. To save the changes, type :wq and press Enter.
  9. Log in to the QRadar user interface as an administrator.
  10. Click the Admin tab and select Advanced > Deploy Full Configuration.
  11. WARNING: Completing a 'Deploy Full Configuration' restarts services on QRadar managed hosts in the deployment. It is recommended that administrators complete full deploys during scheduled maintenance. Depending on your QRadar version, event and flow collection can be temporarily interrupted while services restart.
  12. When prompted, click Continue. After the Deploy Full Configuration completes, the default port value is updated on the QRadar appliances.
  13. Connect to the WinCollect agent by using Remote Desktop (RDP).
  14. Press the Windows™ key and R.
  15. In the run bar, type: services.msc.
  16. Stop the WinCollect service.
  17. In any text editor, edit the file C:\Program Files\IBM\WinCollect\config\install_config.txt.
  18. In the ConfigurationServerPort field, type your custom port value.
    For example, ConfigurationServerPort=5140
  19. Save the changes.
  20. Start the WinCollect service.

Results

After the WinCollect service starts, the QRadar appliance and WinCollect agent can communicate on the custom port value.
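The Console-side edit from the procedure above (steps 3 to 8) and the agent-side check (steps 17 and 18), as an added shell example that is not part of this technical note and is not IBM's own tooling. It assumes a POSIX sh with sed, grep and mktemp, takes the file paths as arguments, and runs against constructed copies of the files rather than the live /opt/qradar path:

```shell
#!/bin/sh
# Added example, not from the IBM technical note: change the Port parameter of a
# WinCollectConfigServer.vm from the shell (instead of in vim), keeping the backup the
# note asks for and checking that nothing except the Port line changed.
# Assumes POSIX sh with sed, grep and mktemp; file paths are arguments, not hard-coded.

# Writes a constructed copy of the default .vm content (values as listed in the note).
make_sample_vm() {
    cat > "$1" <<'EOF'
<source objectId="Q1_WinCollectConfigServer" stdout="Processor1" type="Q1_WinCollectConfigServer_Type">
   <parameter type="Enabled">true</parameter>
   <parameter type="Port">8413</parameter>
   <parameter type="SSLProtocols">TLSv1 TLSv1.1 TLSv1.2</parameter>
</source>
EOF
}

# set_wincollect_port <vm file> <new port> <backup path>
# Returns 0 only if the backup was written, the port is a valid TCP port, and the
# edited file differs from the backup in the Port value alone.
set_wincollect_port() {
    vm="$1"; port="$2"; backup="$3"
    case "$port" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    cp "$vm" "$backup" || return 1                      # step 3 of the note: back up first
    # Rewrite only the value between <parameter type="Port"> and </parameter>.
    sed 's|\(<parameter type="Port">\)[0-9]*\(</parameter>\)|\1'"$port"'\2|' "$backup" > "$vm" || return 1
    [ "$(grep -c 'type="Port"' "$vm")" -eq 1 ] || return 1
    grep -q '<parameter type="Port">'"$port"'</parameter>' "$vm" || return 1
    [ "$(grep -v 'type="Port"' "$backup")" = "$(grep -v 'type="Port"' "$vm")" ] || return 1
}

# agent_port_matches <install_config.txt> <port>
# Returns 0 if the agent's ConfigurationServerPort equals <port>; use it to confirm an
# agent will keep talking to the Console after the change (the note's steps 17 and 18).
agent_port_matches() {
    grep -qx "ConfigurationServerPort=$2" "$1"
}

# Demonstration on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    make_sample_vm "$d/WinCollectConfigServer.vm"
    printf 'ConfigurationServer=10.10.10.10\nConfigurationServerPort=8413\n' > "$d/install_config.txt"
    set_wincollect_port "$d/WinCollectConfigServer.vm" 5140 "$d/WinCollectConfigServer_old.vm" || return 1
    agent_port_matches "$d/install_config.txt" 5140 && return 1   # agent still on 8413: must not match
    agent_port_matches "$d/install_config.txt" 8413 || return 1
    echo "Console now on 5140; agent install_config.txt still needs ConfigurationServerPort=5140"
    rm -rf "$d"
}
demo
```

The final comparison against the backup is the guard for the note's second warning: if anything other than the Port line changed, the function fails and the backup is left in place to restore.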

Default WinCollectConfigServer.vm values

<source objectId="Q1_WinCollectConfigServer" stdout="Processor1" type="Q1_WinCollectConfigServer_Type">
   <parameter type="Enabled">true</parameter>
   <parameter type="Name">$ECConfigBuilder.getEcId()</parameter>
   <parameter type="Port">8413</parameter>
   <parameter type="SSLProtocols">TLSv1 TLSv1.1 TLSv1.2</parameter>
   <parameter type="DisabledCipherSuites"></parameter>
   <parameter type="CoreThreads">50</parameter>
   <parameter type="QueueSize">50</parameter>
   <parameter type="MIAScanEvery">900</parameter>
   <parameter type="DirtyScanEvery">300</parameter>
</source>

Example default install_config.txt 'ConfigurationServerPort' values

ApplicationIdentifier=LAPTOP-EXAMPLE
ConfigurationServer=10.10.10.10
ConfigurationServerPort=8413
ConfigurationServerMinSSLProtocol=TLSv1
ConfigurationServerMaxSSLProtocol=TLSv1.2
StatusServer=10.10.10.10
ApplicationToken=11111111-1111-1111-1111-111111111111
BuildNumber=91

Document Location

Worldwide

Trademark notice: Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.


Document Information

Modified date:
11 January 2021

UID

ibm11116621