IBM Support

Release of WinCollect Agent 7.2.3

Release Notes


Abstract

This release note contains upgrade instructions and a list of fixed issues for IBM Security WinCollect Agent 7.2.3. Questions about this version / upgrade can be discussed in the WinCollect forums.

Content

**UPDATE**


The issue identified in the WinCollect installer that affects QRadar Console appliances with high-availability secondaries has been resolved, and two new files are available on IBM Fix Central. The APAR (IV82162) related to this issue was added to the resolved issues list below.


About WinCollect v7.2.3: Fixed issues list and features

A new SFS file has been posted to IBM Fix Central for WinCollect Agent version 7.2.3. This update resolves multiple issues reported in the WinCollect 7.2.2-2 release. Questions about this version / upgrade can be discussed in the WinCollect forums here: WinCollect / Windows Event Collection forum.

Issues resolved in WinCollect 7.2.3
Number       Description
IV65507      WINCOLLECT AGENT DOES NOT CLEAN UP ITS OWN LOG FILES. FOR MORE INFORMATION, SEE HOW TO CONFIGURE LOG ROLLOVER FOR WINCOLLECT 7.2.3 UPGRADES
IV72550      WINCOLLECT DHCP LOG SOURCES SHOW ERROR STATUS AND STOP COLLECTING DHCP EVENTS
IV72838      NEW WINCOLLECT AGENT INSTALLATIONS CONFIGURED FOR MANAGED HOSTS SHUTDOWN PRIOR TO RECEIVING THEIR FIRST CONFIGURATION
IV74394      WINCOLLECT FILE FORWARDER CAN SEND EVENTS TO THE INCORRECT LOG SOURCE
IV82162      'UNABLE TO GET AGENT VERSION' ERRORS DURING INSTALLATION OF THE WINCOLLECT 7.2.3 .SFS ON A HIGH AVAILABILITY APPLIANCE
NEW FEATURE  STAND-ALONE WINCOLLECT AGENT INSTALLS NOW SUPPORT SENDING EVENTS USING TLS SYSLOG. FOR MORE INFORMATION SEE WINCOLLECT 7.2.3 STAND-ALONE RELEASE NOTES.


How to upgrade to WinCollect v7.2.3


    Installation pre-requisites
    QRadar Version                     Minimum WinCollect Version   RPM Minimum Version
    QRadar 7.1 MR2 Patch 3 or above    WinCollect 7.2.2-2           AGENT-WINCOLLECT-7.1-1018604.noarch
    QRadar V7.2.x (any patch level)    WinCollect 7.2.2-2           AGENT-WINCOLLECT-7.2-1018607.noarch
    To verify that you meet the minimum requirements:
    1. Log in to the QRadar Console.
    2. From the Navigation bar, click Help > About.
    3. Click Additional Information and verify you have the base software and RPM versions installed.



    Upgrade overview
    To upgrade existing WinCollect agents, the administrator must install the SFS file on the QRadar Console appliance. The SFS contains protocol updates and WinCollect Agent software to remotely update Windows hosts with WinCollect 7.2.3.

    Step 1: Install the proper file on your QRadar Console.
    Step 2: Wait for installs to complete and update the user interface to WinCollect 7.2.3.
    Step 3: See Troubleshooting for any agents that do not update to WinCollect 7.2.3.


    Before you begin

    • To avoid access errors in your log file, close all open QRadar sessions.
    • Verify that all changes are deployed on your appliances.
    • Installing the SFS file forces a Tomcat restart on the Console, which will log out QRadar users and stop any reports running in the background. Administrators should be aware of this service restart to schedule maintenance time appropriately.
    • It is possible for the administrator to prevent a software update to a critical business asset or server from the WinCollect agent list on the Admin tab. To prevent a host from being updated, the Enable Automatic Updates field must be set to false before you install the SFS file to the Console. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21685330.
    • The WinCollect Agent SFS file can only be installed on the QRadar Console appliance. Installing the WinCollect Agent update SFS on a managed host displays an error message to the administrator.

WinCollect upgrade procedure

This section outlines how to install WinCollect 7.2.3 on the QRadar Console. The WinCollect update only needs to be installed on the QRadar Console. The Console appliance will replicate all required files to other QRadar appliances in the deployment.


    Procedure
      1. Download the WinCollect Agent (v7.2.3) bundle (.SFS) for your QRadar version from the IBM Fix Central website.
      2. Using SSH, log in to your Console as the root user.
      3. Copy the fix pack to the /tmp directory on the QRadar Console.
        Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
      4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
      5. Change to the directory where you copied the patch file. For example, cd /tmp
      6. To mount the patch file to the /media/updates directory, type the following command:
        mount -o loop -t squashfs 7x0_QRadar_wincollectupdate-7.<version>.sfs /media/updates
      7. To run the patch installer, type the following command: /media/updates/installer

        NOTE: To proceed with the WinCollect Agent update, services need to be restarted on QRadar to apply protocol updates. The following message is displayed:

        WARNING: Services need to be shutdown in order to apply patches. This will cause an interruption to data collection and correlation.

        Do you wish to continue (Y/N)?


      8. To continue with the update, type Y.

        During the update, the SFS installs new protocol updates. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes. After the installation is complete, services are restarted and the user interface is available.

        Note: By default, agents request configuration updates every 10 minutes if the WinCollect agent has Enable Automatic Updates set to true.
      9. From the command line, type: service tomcat restart
      10. Log in to the QRadar Console web interface.
      11. Click the Admin tab.
      12. Click Advanced > Deploy Full Configuration.
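The following wrapper is an added example and is not IBM's installer or any file from the SFS. It carries out steps 4 to 7 of the procedure above only after checking that the staged file is the WinCollect 7.x bundle matching the Console's QRadar release (710 or 720 prefix, as listed under "List of files in the SFS update") and that the directory holding it has enough free space, which is the /tmp caveat from step 3. It assumes the mount point /media/updates and that the QRadar version is passed in as the second argument; the umount at the end is cleanup not listed in the note's steps.

```shell
#!/bin/sh
# Added example, not IBM code: pre-flight checks around steps 4-7 of the
# WinCollect 7.2.3 SFS install on the QRadar Console.
MOUNT_DIR="${MOUNT_DIR:-/media/updates}"   # step 4 of the procedure

# Map a Console version string (7.1 / 7.2.x) to the SFS prefix this note lists.
sfs_prefix_for_version() {
    case "$1" in
        7.1|7.1.*) echo 710 ;;
        7.2|7.2.*) echo 720 ;;
        *) return 1 ;;
    esac
}

# Check that the staged file is named like a WinCollect 7.x update for the
# given Console version, so a 7.1 bundle is not mounted on a 7.2 Console.
sfs_name_matches() {   # $1 = SFS path, $2 = QRadar version
    prefix=$(sfs_prefix_for_version "$2") || return 1
    case "$(basename "$1")" in
        "${prefix}_QRadar_wincollectupdate-7."*.sfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 3 caveat: the staging directory must have room for the file.
# Compare the file size in KiB with the free KiB df -P reports for the directory.
space_ok() {           # $1 = file, $2 = directory to check
    need_kb=$(( ( $(wc -c < "$1") + 1023 ) / 1024 ))
    free_kb=$(df -Pk "$2" | awk 'NR==2 {print $4}')
    [ "$free_kb" -ge "$need_kb" ]
}

# Steps 4-7, run only after both checks pass. The installer itself asks the
# Y/N question shown in the note; steps 9-12 (tomcat restart, Deploy Full
# Configuration) are still done by hand afterwards.
install_sfs() {        # $1 = SFS path, $2 = QRadar version
    sfs_name_matches "$1" "$2" || { echo "unexpected SFS name for QRadar $2: $1" >&2; return 1; }
    space_ok "$1" "$(dirname "$1")" || { echo "not enough free space next to $1" >&2; return 1; }
    mkdir -p "$MOUNT_DIR" &&
    mount -o loop -t squashfs "$1" "$MOUNT_DIR" &&
    "$MOUNT_DIR/installer"
    rc=$?
    umount "$MOUNT_DIR" 2>/dev/null   # cleanup; not one of the note's steps
    return $rc
}

# Usage on the Console (assumed file name from the list at the end of this note):
#   sh wc_install.sh /tmp/720_QRadar_wincollectupdate-7.2.0.309.sfs 7.2
if [ "$#" -eq 2 ]; then install_sfs "$1" "$2"; fi
```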


    Results
    After the deploy completes, the installation process will start for remote WinCollect agents as they call in to QRadar appliances to request updates. Administrators should wait for the WinCollect agent to update the remote Windows host as it might take 15-20 minutes for agents to start updating. In smaller deployments, updates should only take a few minutes, however, larger WinCollect deployments might take an hour or two to fully update.


    Verifying that updates are complete
    To verify that agents are updated, administrators can log in to the QRadar user interface and review the agent list to verify that agents with updates enabled display 7.2.3 in the Version column. If after a few hours there are WinCollect agents that still show 7.2.2, administrators can review the troubleshooting section below to force an update on any remaining WinCollect agents stuck at a previous version.



Troubleshooting


WinCollect agents that do not upgrade to version 7.2.3 can use a force update script to complete the install process.
    Before you begin
    This script requires the administrator to successfully complete a 'Deploy Full Configuration' before the script can be run. A full deploy restarts services on QRadar appliances, which stops event/flow collection until services are restarted.


    Procedure
    1. Log in to the QRadar user interface as the root user.
    2. Click the Admin tab.
    3. From the navigation menu, click Advanced > Deploy Full Configuration.
    4. Wait for the full deploy to complete.
    5. Click the WinCollect icon.
    6. Review the Agent list for any agents at version 7.2.2 and note which QRadar appliance manages this WinCollect agent.
    7. Download the forceUpgrade.sh script attached to this release note:

      forceUpgrade.sh

      SHA1 file sum: cedd68678e54aae27195a610caf852c5f0ff6f03
    8. Using SCP, copy the forceUpgrade.sh script to the /tmp directory of QRadar Console.
    9. Optional. If a non-Console appliance manages the WinCollect agent that failed to update, then scp the forceUpgrade.sh file from the Console to the managed host.

      For example, from the Console: scp /tmp/forceUpgrade.sh root@<managedhostIP>:/tmp/forceUpgrade.sh
    10. To set permissions on the file, navigate to the /tmp directory and type: chmod +x forceUpgrade.sh
    11. To start the script, type: sh forceUpgrade.sh

      Results
      Wait for the script to force update the remote WinCollect agent. This process typically takes one or two configuration polling intervals to complete, which might be up to 20 minutes. Review the Agent list to verify that the agent is updated to version 7.2.3. There is no success or failure message when running the forceUpgrade.sh script. The purpose of this script is to update all keys for WinCollect agents that are managed by the QRadar appliance. When you run the upgrade script, it removes all agent keys from /store/configservices/wincollect/configserver/<Agent Name> and forces the system to regenerate all of the keys for the deployment, because it treats them as missing. When the script returns to the command prompt, the script has completed running; however, keys might still be regenerating for QRadar to send to WinCollect agents. Large deployments might take up to 20 minutes to regenerate all keys.
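Because forceUpgrade.sh is run as root on the Console or a managed host, the SHA1 published in step 7 is worth checking before step 10 makes the file executable. The wrapper below is an added example, not IBM's forceUpgrade.sh (whose contents are not reproduced here): it compares the downloaded file's digest against the value from this note and only then performs steps 10 and 11. It assumes sha1sum (or shasum) is on the appliance.

```shell
#!/bin/sh
# Added example, not IBM code: checksum-gated execution of forceUpgrade.sh.
EXPECTED_SHA1="cedd68678e54aae27195a610caf852c5f0ff6f03"   # from step 7 of this note

# Print the lower-case SHA1 of a file and nothing else.
file_sha1() {
    { sha1sum "$1" 2>/dev/null || shasum -a 1 "$1"; } | awk '{print tolower($1)}'
}

# Succeed only when the file's digest equals the expected one (case-insensitive).
sha1_matches() {       # $1 = file, $2 = expected digest
    actual=$(file_sha1 "$1") || return 1
    [ -n "$actual" ] && [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Steps 10-11 of the troubleshooting procedure, refused on a mismatch so a
# truncated or altered download is never run as root.
run_force_upgrade() {  # $1 = path to the downloaded forceUpgrade.sh
    if ! sha1_matches "$1" "$EXPECTED_SHA1"; then
        echo "checksum mismatch for $1: got $(file_sha1 "$1"), expected $EXPECTED_SHA1" >&2
        echo "not running it; download the script again from the release note" >&2
        return 1
    fi
    chmod +x "$1" && sh "$1"
}

# Usage (step 10-11): sh check_and_run.sh /tmp/forceUpgrade.sh
if [ "$#" -eq 1 ]; then run_force_upgrade "$1"; fi
```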



List of files in the SFS update

Files in 720_QRadar_wincollectupdate-7.2.0.309.sfs

  • AGENT-WINCOLLECT-7.2-20160105153044.noarch.rpm
  • PROTOCOL-WinCollectConfigServer-7.2-20160127094843.noarch.rpm
  • PROTOCOL-WinCollectFileForwarder-7.2-20160105153044.noarch.rpm
  • PROTOCOL-WinCollectJuniperSBR-7.2-20151125110009.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftDHCP-7.2-20160105153044.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftIAS-7.2-20160105153044.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftIIS-7.2-20160105153044.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftISA-7.2-20160105153044.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftSQL-7.2-20160105153044.noarch.rpm
  • PROTOCOL-WinCollectNetAppDataONTAP-7.2-20160105153044.noarch.rpm
  • PROTOCOL-WinCollectWindowsEventLog-7.2-20160105153044.noarch.rpm


Files in 710_QRadar_wincollectupdate-7.1.0.250.sfs
  • AGENT-WINCOLLECT-7.1-20160105153122.noarch.rpm
  • PROTOCOL-WinCollectConfigServer-7.1-20160127102231.noarch.rpm
  • PROTOCOL-WinCollectFileForwarder-7.1-20160105153122.noarch.rpm
  • PROTOCOL-WinCollectJuniperSBR-7.1-20151125110107.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftDHCP-7.1-20160105153122.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftIAS-7.1-20160105153122.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftIIS-7.1-20160105153122.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftISA-7.1-20160105153122.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftSQL-7.1-20160105153122.noarch.rpm
  • PROTOCOL-WinCollectNetAppDataONTAP-7.1-20160105153122.noarch.rpm
  • PROTOCOL-WinCollectWindowsEventLog-7.1-20160105153122.noarch.rpm



-------
Where do I find more information?
If you have additional questions or some of this content is not clear, see the QRadar forum or contact customer support.


Document Information

Modified date:
10 May 2019

UID

swg27047519