IBM Support

QRadar: How to configure log rollover on WinCollect Agents

Troubleshooting


Problem

WinCollect agents that were upgraded to version 7.2.3 do not include the fix that enables log rollover; the fix is only part of new 7.2.3 installations. This article describes how to configure log rollover for existing agents.

Cause

Over time, the Windows host can run low on disk space because WinCollect log files accumulate on the local drive and are never cleaned up. WinCollect agents do not include a log rollover feature by default and can fill the disk of the Windows host.

Environment

WinCollect agents at version 7.2.2 or 7.2.3 that need to enable log rollover.

Diagnosing The Problem


How log file rollover changes when you follow these instructions
The procedures in this article update the log rollover behavior of WinCollect agents that were upgraded to 7.2.3 and of existing agents at version 7.2.2. The following table outlines how the log files change after you apply the updated logconfig.xml file to your WinCollect agent.

Log file: WinCollect_System.log
  Current behavior: one log file is kept with no limit on file size.
  Updated behavior: multiple log files are kept, and the current log is labeled WinCollect_System_Active.log. When the active log file rolls over, the system renames it to WinCollect_System.01 through .05. Up to 5 additional log files (100 MB in total) are kept before the system deletes the oldest file to preserve space.
  Example of updated log rollover:
    • WinCollect_System_Active.log (current data)
    • WinCollect_System.01 (newest rolled-over log)
    • WinCollect_System.02 (2nd newest log)
    • WinCollect_System.03 (3rd newest log)
    • WinCollect_System.04 (4th newest log)
    • WinCollect_System.05 (oldest log; deleted when the active log reaches 20 MB)

Log file: WinCollect_Device.log
  Current behavior: one log file is kept per day to track connection and log source issues on the local agent. There is no limit on the number of files that can be kept and no file size limit.
  Updated behavior: multiple log files are kept, and the current log is labeled WinCollect_Device_Active.log. When the active log file rolls over, the system renames it to WinCollect_Device.01 through .05. Up to 5 additional device log files (100 MB in total) are kept before the system deletes the oldest file to preserve space.
  Example of updated log rollover:
    • WinCollect_Device_Active.log (current data)
    • WinCollect_Device.01 (newest rolled-over log)
    • WinCollect_Device.02 (2nd newest log)
    • WinCollect_Device.03 (3rd newest log)
    • WinCollect_Device.04 (4th newest log)
    • WinCollect_Device.05 (oldest log; deleted when the active log reaches 20 MB)

Log file: WinCollect_Code.log
  Current behavior: one log file is kept with no limit on file size.
  Updated behavior: multiple log files are kept, and the current log is labeled WinCollect_Code_Active.log. When the active log file rolls over, the system renames it to WinCollect_Code.01 through .05. Up to 5 additional log files (100 MB in total) are kept before the system deletes the oldest file to preserve space.
  Example of updated log rollover:
    • WinCollect_Code_Active.log (current data)
    • WinCollect_Code.01 (newest rolled-over log)
    • WinCollect_Code.02 (2nd newest log)
    • WinCollect_Code.03 (3rd newest log)
    • WinCollect_Code.04 (4th newest log)
    • WinCollect_Code.05 (oldest log; deleted when the active log reaches 20 MB)

Resolving The Problem

Part 1: Determining your WinCollect Agent Version (32-bit or 64-bit)
To enable log rollover, the Windows administrator must download and apply the correct logconfig.xml file for the installed WinCollect agent. There is a 32-bit and a 64-bit version of logconfig.xml, so the administrator must first verify which WinCollect version is installed and then download the matching file.


    Procedure
    This section describes how to identify if you have the 32-bit or 64-bit version of WinCollect installed.
    1. Log in to the Windows system that hosts your WinCollect agent.
    2. Navigate to the WinCollect logs directory.

      For example:
      • 32-bit WinCollect: C:\Program Files (x86)\IBM\WinCollect\logs\
      • 64-bit WinCollect: C:\Program Files\IBM\WinCollect\logs\
      • Custom install directory: E:\WinCollect\

        NOTE: If an administrator uses a custom installation directory, the value= field in the logconfig.xml file must be edited to use your custom install path.

        For example:
        value="C:\Program Files\IBM\WinCollect/logs/WinCollect_Code_Active.log"
        value="C:\Program Files\IBM\WinCollect/logs/WinCollect_Code.%i.log"


        Updated for custom install path:
        value="E:\WinCollect/logs/WinCollect_Code_Active.log"
        value="E:\WinCollect/logs/WinCollect_Code.%i.log"

    3. From the logs directory, open WinCollect_System.log and review the INFO messages to determine your WinCollect agent version. The version and architecture are printed on a single line in the log file each time the agent starts.

      For example:
      2015-02-27 15:26:42,083 INFO  System.WindowsAgent.main : ~~~~~~~~~~~~~~ WinCollect Version 7.2.2 64-bit  Running on operating system Windows 7 (Build 7601 SP1) (64-bit architecture, 4 CPU and 3318/8075 MB RAM currently available) ~~~~~~~~~~~~~~
    4. Depending on your WinCollect version, download the proper file and copy it to the Windows host:

      Table 1: Replacement logconfig.xml to enable log rollover
      WinCollect version  | File download
      32-bit WinCollect   | logconfig.xml
      64-bit WinCollect   | logconfig.xml

      IMPORTANT: The two files are identical except that the paths in them reference either Program Files or Program Files (x86). The administrator must download the file that matches the 32-bit or 64-bit WinCollect version identified in WinCollect_System.log. If you are using a custom installation path, you must also edit the value= fields so that they point to your WinCollect log files.

Part 2: Installing logconfig.xml on your Windows host
This procedure outlines how to install an updated logconfig.xml on your WinCollect agent to enable log rollover.


    Procedure
    1. Log in to the Windows system hosting the WinCollect agent.
    2. Click Start and in the search box, type services.msc and press ENTER.
    3. Locate the WinCollect service and click Stop.
    4. Navigate to the WinCollect configuration directory.

      For example:
      • 32-bit WinCollect: C:\Program Files (x86)\IBM\WinCollect\config\
      • 64-bit WinCollect: C:\Program Files\IBM\WinCollect\config\
      • Custom install directory: <Install Path>\WinCollect\config\
    5. Rename the existing logconfig.xml file to logconfig_old.xml or move it to a different directory.
    6. Copy the downloaded logconfig.xml file to the WinCollect\config\ directory.
    7. Navigate to the WinCollect\logs\ directory.
    8. Take one of the following actions for your existing log files:
      1. Copy the log files in to a new folder and move the folder outside of the WinCollect\logs\ directory.
      2. Delete all of the old log files from this directory. Any logs required by WinCollect will be recreated when the service restarts.

        NOTE: The new logconfig.xml does not clean up existing log files. Any log files that WinCollect requires are created when the agent starts.
    9. From the WinCollect service window, locate the WinCollect service and click Start.

      Results
      The WinCollect agent rolls over each type of log file when it reaches the configured size on the Windows host.
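The following PowerShell script is an added example that automates Part 1 and Part 2 end to end; it is not part of the IBM article and is not IBM tooling. Beyond what the article states, it assumes that the two downloaded files are saved beside the script as logconfig_32bit.xml and logconfig_64bit.xml (names chosen here), that the Windows service is named WinCollect (the name shown in services.msc), and that, as the IMPORTANT note says, the downloaded files reference the default install path for their bitness, so a custom path can be substituted by plain string replacement. Run it from an elevated PowerShell prompt.

```powershell
<#
Added example (not from the IBM article, not IBM tooling).
Assumptions not stated in the article: downloaded files are named
logconfig_32bit.xml / logconfig_64bit.xml, the service is named "WinCollect",
and the downloads contain the default install path for their bitness.
#>
param(
    [string]$InstallPath,                           # e.g. 'E:\WinCollect' for a custom install; auto-detected if omitted
    [string]$NewConfig32 = '.\logconfig_32bit.xml',  # assumed file name for the 32-bit download
    [string]$NewConfig64 = '.\logconfig_64bit.xml',  # assumed file name for the 64-bit download
    [string]$ServiceName = 'WinCollect'              # assumed service name, as shown in services.msc
)
$ErrorActionPreference = 'Stop'

# Part 1, step 2: find the install directory, trying the default locations first.
if (-not $InstallPath) {
    $InstallPath = @("$env:ProgramFiles\IBM\WinCollect", "${env:ProgramFiles(x86)}\IBM\WinCollect") |
        Where-Object { Test-Path (Join-Path $_ 'config\logconfig.xml') } |
        Select-Object -First 1
    if (-not $InstallPath) { throw 'WinCollect install directory not found; pass -InstallPath' }
}
$InstallPath = $InstallPath.TrimEnd('\')
$logsDir     = Join-Path $InstallPath 'logs'
$configDir   = Join-Path $InstallPath 'config'

# Part 1, step 3: read version and bitness from the startup banner in WinCollect_System.log
# (the same line the article shows; the last match is the most recent start).
$banner = Select-String -Path (Join-Path $logsDir 'WinCollect_System.log') -Pattern 'WinCollect Version (\S+) (32|64)-bit' | Select-Object -Last 1
if (-not $banner) { throw 'No "WinCollect Version" line found in WinCollect_System.log' }
$agentVersion = $banner.Matches[0].Groups[1].Value
$bitness      = $banner.Matches[0].Groups[2].Value
Write-Host "Detected WinCollect $agentVersion ($bitness-bit) at $InstallPath"

# Part 1, step 4: pick the matching download and check it really references the
# default path for that bitness, so the wrong file cannot be installed silently.
$source      = if ($bitness -eq '64') { $NewConfig64 } else { $NewConfig32 }
$defaultPath = if ($bitness -eq '64') { 'C:\Program Files\IBM\WinCollect' } else { 'C:\Program Files (x86)\IBM\WinCollect' }
$xml  = Get-Content -Path $source -Raw
$hits = ([regex]::Matches($xml, [regex]::Escape($defaultPath))).Count
if ($hits -eq 0) { throw "$source does not reference $defaultPath; is it the $bitness-bit file?" }

# Custom install path: rewrite every value="..." path prefix, as the article's NOTE requires.
if ($InstallPath -ne $defaultPath) {
    $xml = $xml.Replace($defaultPath, $InstallPath)
    Write-Host "Rewrote $hits path reference(s) to $InstallPath"
}

# Part 2, steps 2-3: stop the agent before touching its configuration.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(1))

# Part 2, steps 5-6: keep the old config under a dated name, then install the new one.
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$existing = Join-Path $configDir 'logconfig.xml'
if (Test-Path $existing) { Move-Item -Path $existing -Destination (Join-Path $configDir "logconfig_old_$stamp.xml") }
[IO.File]::WriteAllText($existing, $xml)

# Part 2, steps 7-8 (option 1): move the old, never-rolled logs out of logs\ so the new layout starts clean.
$archive = Join-Path $InstallPath "logs_archive_$stamp"
New-Item -ItemType Directory -Path $archive | Out-Null
Get-ChildItem -Path $logsDir -File | Move-Item -Destination $archive

# Part 2, step 9: restart and confirm the new active log file appears.
Start-Service -Name $ServiceName
Start-Sleep -Seconds 15
$active = Join-Path $logsDir 'WinCollect_System_Active.log'
if (Test-Path $active) {
    Write-Host "Log rollover is in effect: $active was created"
} else {
    Write-Warning "WinCollect_System_Active.log is not present yet; check the $ServiceName service and $existing"
}
```

For a default installation run the script with no parameters; for a custom installation pass the install directory, for example with a hypothetical script name: .\Enable-WinCollectRollover.ps1 -InstallPath 'E:\WinCollect'. The path check before the copy is the step most worth keeping even if you apply the change by hand: a 64-bit file installed on a 32-bit agent points the appenders at a directory that does not exist, and the agent then starts without writing the rolled logs at all.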



Document Information

Modified date: 10 May 2019
UID: swg21975273