IBM Support

QRadar: How to Restore Deleted WinCollect Agents from the User Interface

Troubleshooting


Problem

The WinCollect agent has stopped sending events to QRadar and is writing errors to its logs on the Windows host.

Cause

When an administrator deletes a managed WinCollect agent from the user interface, QRadar interprets this as an agent that should no longer send events to the QRadar appliance. If the agent is deleted from the Admin tab while in managed mode, QRadar attempts to disable the remote WinCollect agent on the Windows host so that it stops sending events, because the agent no longer exists in the user interface.

Environment

This issue can occur on any WinCollect 7.2.0 installation where a managed agent is deleted in the user interface but is still running on the remote Windows host.

Diagnosing The Problem

If the remote WinCollect agent is being remotely disabled, administrators see the following messages in WinCollect_System.log. By default this log file is in C:\Program Files\IBM\WinCollect\logs.


YYYY-MM-DD HH:MM:SS,540 WARN System.WinCollectSvc.Service : The configuration server registration succeeded, but we have been deleted on the server side. Exiting.
YYYY-MM-DD HH:MM:SS,540 INFO System.WinCollectSvc.Service : Service::StopServerApp - Stopping application (pid = 10100...)

Resolving The Problem

To resolve the issue, administrators have two options:


Option 1: Manually add the WinCollect agent in the user interface


This procedure requires that you know the value of the ApplicationIdentifier field in C:\Program Files\IBM\WinCollect\config\install_config.txt on the Windows host. Use the ApplicationIdentifier value to manually add back a WinCollect agent that was deleted from the agent list.

Here is an example of the contents of an install_config.txt file.
ApplicationIdentifier=CA0D0744
ConfigurationServer=172.16.77.35
ConfigurationServerPort=8413
ConfigurationServerMinSSLProtocol=TLSv1
ConfigurationServerMaxSSLProtocol=TLSv1.2
StatusServer=172.16.77.35
ApplicationToken=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
BuildNumber=86
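The following PowerShell script is an added example and is not part of the IBM technote. It ties together the Diagnosing The Problem section and the prerequisite for Option 1: it scans WinCollect_System.log for the "deleted on the server side" warning shown above, reads install_config.txt, and prints the ApplicationIdentifier together with the values to enter in the Add Agent form. The file paths are the WinCollect defaults; the Windows service name WinCollect is an assumption.

```powershell
# Added example (not from the IBM technote). Run on the Windows host as an
# administrator. Default paths are the WinCollect defaults; the Windows service
# name 'WinCollect' is an assumption.
param(
    [string]$LogPath    = 'C:\Program Files\IBM\WinCollect\logs\WinCollect_System.log',
    [string]$ConfigPath = 'C:\Program Files\IBM\WinCollect\config\install_config.txt'
)

# Phrase WinCollect logs when the configuration server reports the agent as deleted.
$deletedPattern = 'we have been deleted on the server side'

# Parse install_config.txt (one Key=Value per line) into a hashtable.
function Read-WinCollectConfig {
    param([string]$Path)
    $cfg = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*([^=#][^=]*?)\s*=\s*(.*)$') {
            $cfg[$matches[1]] = $matches[2]
        }
    }
    return $cfg
}

# Return the log lines that report the server-side deletion, oldest first.
function Find-AgentDeletedEvents {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return @() }
    return @(Select-String -Path $Path -Pattern $deletedPattern -SimpleMatch |
             ForEach-Object { $_.Line })
}

$hits = Find-AgentDeletedEvents -Path $LogPath
if ($hits.Count -eq 0) {
    Write-Output "No '$deletedPattern' warning in $LogPath; this technote does not apply."
    exit 0
}

Write-Output "Agent was deleted on the QRadar side ($($hits.Count) occurrence(s)). Most recent:"
Write-Output "  $($hits[-1])"

$cfg = Read-WinCollectConfig -Path $ConfigPath
$svc = Get-Service -Name 'WinCollect' -ErrorAction SilentlyContinue
$state = if ($svc) { $svc.Status } else { 'not found' }
Write-Output "WinCollect service state : $state"
Write-Output "Configuration server     : $($cfg['ConfigurationServer']):$($cfg['ConfigurationServerPort'])"
Write-Output "ApplicationIdentifier    : $($cfg['ApplicationIdentifier'])"
Write-Output ''
Write-Output 'Values to enter in Admin > WinCollect > Add (Option 1):'
Write-Output "  Name        : WinCollect @ $($cfg['ApplicationIdentifier'])"
Write-Output "  Host name   : $($cfg['ApplicationIdentifier'])"
Write-Output "  Description : WinCollect agent installed on $($cfg['ApplicationIdentifier'])"
```

If the script reports no deletion warning, the agent's failure to send events has a different cause and the procedure below does not apply. The script only reads files and service state; it changes nothing on the host.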

Procedure
  1. Log in to QRadar as an admin user.
  2. Click the Admin tab.
  3. Click the WinCollect icon.
  4. Review the agent list to see whether the WinCollect agent is present.

    Before a user deleted the agent

    Figure 1: This is a screen capture of the agent list before an agent was deleted.


    After an agent was accidentally deleted

    Figure 2: The screen capture displays a host that was deleted from the user interface.

    NOTE: When you delete an agent, the agent is still active on the network. The QRadar appliance attempts to stop the remote WinCollect service, and the agent writes the warning shown in the Diagnosing The Problem section to WinCollect_System.log before it exits.
  5. If the agent is missing, click Add to manually add a WinCollect agent.

    Figure 3: The add agent interface includes several blank text boxes that should be filled in.

    Example of how to populate the Configure WinCollect Agent interface
    - In the Name field, type: WinCollect @ {ApplicationIdentifier value}.
    - In the Host name field, type the {ApplicationIdentifier value}.
    - Type a description, such as "WinCollect agent installed on {ApplicationIdentifier value}".
    - In the WinCollect Version field, type the agent version.
    - In the OS Version field, type the Microsoft Windows operating system version.

    Figure 4: An example of how to fill in the blank text fields for manually re-adding an agent.
  6. Click Save.
  7. Wait for the configuration to be received by the remote WinCollect agent. By default this typically takes about 5 minutes.

    NOTE: To force a configuration update, you can restart the WinCollect Service on the remote Windows host. When the service starts, it will immediately establish communications and request an updated configuration from the QRadar appliance.





    Results
    Verify that the WinCollect agent is listed in the user interface. Also review WinCollect_System.log on the Windows host to confirm that the "deleted on the server side" warning no longer appears and that events are being received.


Option 2: Force the WinCollect agent to discover as a new host in the user interface

To force the agent to rediscover in the user interface, assign a new value to the ApplicationIdentifier. Any change to this value makes the QRadar appliance treat the agent as a new one that needs to be registered. For example, appending -1 or _new to the identifier causes the agent to be rediscovered in the user interface.


Procedure
  1. Log in to the Windows host that has the agent installed as an administrator.
  2. Press Windows key + R, type services.msc in the Run window, and press Enter.
  3. Locate the WinCollect service in the service list.
  4. Click Stop.
  5. In Windows Explorer, navigate to Program Files > IBM > WinCollect > config.
  6. Edit the file install_config.txt.
  7. Change the value of the ApplicationIdentifier field. Any change causes the system to discover the agent as "new"; for example, append -1 to the identifier.
  8. Start the WinCollect service.
    The configuration server on the QRadar appliance detects communication from a "new" agent, because that identifier does not exist in the current agent database, and generates keys and a configuration for the new WinCollect agent.
  9. Log in to the QRadar Console.
  10. Click the Admin tab.
  11. Click the WinCollect icon.
  12. Verify that the new agent name is displayed in the agent list.

    Results
    Any log sources assigned to the old WinCollect agent will need to be assigned to the new agent. For example, review your log source list for any log sources managed by the agent named IBM738 and edit those log sources to change the WinCollect Agent drop-down to assign the newly added agent (IBM738-1).
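The procedure above, automated as an added PowerShell example that is not part of the IBM technote: it stops the service, backs up install_config.txt, appends a suffix to ApplicationIdentifier, and starts the service so that the agent registers as new. The service name WinCollect and the default suffix -1 are assumptions; the config path is the WinCollect default. Run it in an elevated PowerShell session on the Windows host.

```powershell
# Added example (not from the IBM technote). Run in an elevated PowerShell
# session on the Windows host. The service name 'WinCollect' and the default
# suffix '-1' are assumptions; the config path is the WinCollect default.
param(
    [string]$ConfigPath  = 'C:\Program Files\IBM\WinCollect\config\install_config.txt',
    [string]$ServiceName = 'WinCollect',
    [string]$Suffix      = '-1'
)

if ([string]::IsNullOrEmpty($Suffix)) { throw 'Suffix must be non-empty; the identifier has to change.' }

# Append $Suffix to the ApplicationIdentifier line in install_config.txt,
# leaving every other line untouched. Returns the old and new identifiers.
function Set-ApplicationIdentifier {
    param([string]$Path, [string]$Suffix)
    $old = $null
    $new = $null
    $updated = foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^ApplicationIdentifier=(.*)$') {
            $old = $matches[1].Trim()
            $new = $old + $Suffix
            "ApplicationIdentifier=$new"
        } else {
            $line
        }
    }
    if ($null -eq $old) { throw "No ApplicationIdentifier line found in $Path" }
    Set-Content -Path $Path -Value $updated
    return [pscustomobject]@{ Old = $old; New = $new }
}

# Steps 1-4: stop the service first so the running agent does not rewrite the file.
Stop-Service -Name $ServiceName -Force
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Steps 5-7: back up the config, then change the identifier.
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $ConfigPath -Destination $backup
$change = Set-ApplicationIdentifier -Path $ConfigPath -Suffix $Suffix
Write-Output "ApplicationIdentifier: $($change.Old) -> $($change.New)  (backup: $backup)"

# Step 8: start the service; on startup it contacts the configuration server,
# which registers the unknown identifier as a new agent.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Steps 9-12 are done in the QRadar Console; remind the operator what to check.
Write-Output "Verify in Admin > WinCollect that agent '$($change.New)' is listed,"
Write-Output "then reassign log sources that pointed at agent '$($change.Old)'."
```

Running the script twice appends the suffix twice (for example CA0D0744-1-1), which is still a new identifier and still triggers rediscovery; the timestamped backup lets you restore the original identifier if needed. Log sources assigned to the old agent are not moved automatically and must be reassigned in the log source editor as described in the Results above.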


Product: IBM Security QRadar SIEM (Security Software)
Component: WinCollect
Platform: Platform Independent
Version: 7.2.8; 7.3.0

Document Information

Modified date:
28 April 2021

UID

swg21995425