IBM Support

WinCollect: How to resolve registration errors due to authorization token issues



Wincollect agent is unable to register with the configuration console and displays the following authorized token errors in WinCollect.log when an agent is installed, reinstalled, or migrated:
"Unable to register instance because Auth Token is wrong:"
"Unable to register instance: Invalid Auth Token"


Errors similar to the following appear in qradar.log:

Example 1: The authorized service token used at installation time is incorrect.
[ecs-ec] [WinCollectConfigHandler_36] com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.RegisterInstanceProcessor: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/- -]Unable to register instance because Auth Token is wrong:
[ecs-ec] [WinCollectConfigHandler_36]    at
Example 2: This issue from the qradar.log indicates an error in the encrypted authorized service token on the WinCollect agent.
[ecs-ec] [WinCollectConfigHandler_20] com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.RegisterInstanceProcessor: [ERROR] [NOT:0000003000][-/- -] [-/- -]Unable to register instance: Invalid Auth Token (WyMh+1111+111111111111111111111111DQXM2q+CHiRsw98C1111111111111111eOvC3RqyqAfJDySkmX/1Dg1111111111111BLw6Qouw5/tb6111111uxN4D0K61111111111111111111uW4qtnfs11111O71111111111111110A5K6Kk)


The Authorized token for WinCollect is incorrect or does not have the WinCollect role defined in the authorized service token configuration.

Diagnosing The Problem

WinCollect generates a warning event in LEEF format for issues related to WinCollect Agent configurations. Administrators can view status messages sent from the WinCollect in the user interface.
  1. Log in to the QRadar consol as an administrator.
  2. Click the Admin tab.
  3. Click the WinCollect icon.
  4. Select a WinCollect agent from the Agents section.
  5. Click the Show Events button.

    A list of status message events is displayed to the administrator. Review any Warning messages sent to the QRadar appliance and look for "Unable to register instance because Auth Token is wrong:" or "Unable to register instance: Invalid Auth Token".

Resolving The Problem

To resolve the issue the administrator, can locate and re-encrypt the authorized service token on the WinCollect agent.
Note: A reinstallation of the agent also fixes this issue. However the InstallHelper.exe utility can be leveraged to resolve this issue.

These instructions inform administrators how to create an encrypted authorized service token in the install_config.txt file of the WinCollect agent. To complete this procedure, the user must be an admin on the QRadar Console and be a local administrator of the Windows system that hosts the WinCollect agent.

  1. Log in to the QRadar User Interface.
  2. Click on the Admin tab.
  3. Click on Authorized Services

    Figure 1: Location of the Authorized Services button in the user interface.
  4. Click on "+Add" to create a new token. 
    Create Token
  5. Create the token with the following characteristics:
    • No Expiration Date.
    • Admin or WinCollect privileges (User Role).
  6. Save the token. Be careful where you put the token because after the window is closed, the information is not available anymore.
  7. Log in to the Windows host with WinCollect installed.
  8. Type Windows key +R and Press Enter.
  9. Type services.msc.
  10. Locate the WinCollect service from the list and click Stop.
  11. Navigate to the following folder: C:\Program Files\IBM\WinCollect\bin\
    Note: Depending on your installation, your default installation path might differ from Program Files
  12. To update your authorized service token for the WinCollect agent, type:
    InstallHelper.exe -T <application token>
    The installhelper command regenerates install_config.txt file with an encrypted version of the authorized service token.
  13. Start the WinCollect service.

    After the WinCollect service restarts, the encrypted authorized service token will be verified and communication between the WinCollect agent and the QRadar appliance is validated.

[{"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"WinCollect","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
15 May 2023