IBM Support

WinCollect: How to Resolve Registration Issues Due to Authorization Token Issues



Authorized token error is showing in the logs


WinCollect generates a warning event in LEEF format for issues related to WinCollect Agent configurations. Administrators can view status messages sent from the WinCollect in the user interface.

  1. Log in as an administrator.
  2. Click the Admin tab.
  3. Click the WinCollect icon.
  4. Select a WinCollect agent.
  5. Click the Show Events button.

    A list of status message events is displayed to the administrator. Review any Warning messages sent to the QRadar appliance.

Alternately, administrators can also review qradar.log to see if the following errors are displayed:

    Example 1: The authorized service token used at installation time is incorrect.
    Aug 29 16:29:56 X.X.X.X [ecs-ec] [WinCollectConfigHandler_36] com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.RegisterInstanceProcessor: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/- -]
    Unable to register instance because Auth Token is wrong:
    Aug 29 16:29:56 X.X.X.X [ecs-ec] [WinCollectConfigHandler_36]    at

    Example 2: This issue from the qradar.log indicates an error in the encrypted authorized service token on the WinCollect agent.
    Feb 20 15:46:52 ::ffff: [ecs-ec] [WinCollectConfigHandler_20] com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.RegisterInstanceProcessor: [ERROR] [NOT:0000003000][ -] [-/- -]Unable to register instance: Invalid Auth Token (WyMh+1111+111111111111111111111111DQXM2q+CHiRsw98C1111111111111111eOvC3RqyqAfJDySkmX/1Dg1111111111111BLw6Qouw5/tb6111111uxN4D0K61111111111111111111uW4qtnfs11111O71111111111111110A5K6Kk)


The Authorized token for WinCollect is incorrect or does not have the WinCollect role defined in the authorized service token configuration.

Resolving The Problem

To resolve the issue the administrator can locate and re-encrypt the authorized service token on the WinCollect agent. A reinstallation of the agent would also fix this issue; however, the InstallHelper.exe utility can be leveraged to resolve this issue.

This instruction informs administrators how to verify and re-create an encrypted authorized service token in the install_config.txt file of the WinCollect agent. To complete this procedure, the user must be an admin on the QRadar Console and be a local administrator of the Windows system hosting the WinCollect agent.

    1. Log in to the QRadar User Interface.
    2. Click on the Admin tab.
    3. Click on Authorized Services

      Figure 1: Location of the Authorized Services button in the user interface.
    4. Review the authorized service token and verify that the expiration date has not lapsed.

      Figure 2: Locate the Authorized Service token for WinCollect.
    5. Select the Authorization Service token value for the WinCollect agent.
    6. Copy the value to notepad or carefully write down the service token.
    7. Log in to the Windows host with WinCollect installed.
    8. Type Windows key +R and Press Enter.
    9. Type services.msc.
    10. Locate the WinCollect service from the list and click Stop.
    11. Navigate to the following folder: C:\Program Files\IBM\WinCollect\bin\ 

      Note: Depending on your installation, your default install path might differ from Program Files
    12. To update your authorized service token for the WinCollect agent, type:
      InstallHelper.exe -T <application token>
      The installhelper command regenerates install_config.txt file with an encrypted version of the authorized service token.
    13. Start the WinCollect service.

      After the WinCollect service restarts, the encrypted authorized service token will be verified and communication between the WinCollect agent and the QRadar appliance is validated.

      Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"WinCollect","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
10 May 2019