Release Notes
Abstract
This release note contains upgrade instructions and a list of fixed issues for IBM Security WinCollect Agent 7.2.3. Questions about this version / upgrade can be discussed in the WinCollect forums.
Content
Quick links
- About WinCollect v7.2.3: Fixed issues list and features
- How to upgrade to WinCollect v7.2.3
- Troubleshooting
- List of RPM files contained in the SFS
**UPDATE**
The issue identified in the WinCollect installer that affects QRadar Console appliances with a high-availability secondaries has been resolved and two new files are available on IBM Fix Central. The APAR (IV82162) related to this issue was added to the resolved issues list below.
About WinCollect v7.2.3: Fixed issues list and features
A new SFS file has been posted to IBM Fix Central for WinCollect Agent version 7.2.3. This update resolves multiple issues reported in the WinCollect 7.2.2-2 release. Questions about this version / upgrade can be discussed in the WinCollect forums here: WinCollect / Windows Event Collection forum.
Number | Description |
---|---|
IV65507 | WINCOLLECT AGENT DOES NOT CLEAN UP ITS OWN LOG FILES. FOR MORE INFORMATION, SEE HOW TO CONFIGURE LOG ROLLOVER FOR WINCOLLECT 7.2.3 UPGRADES |
IV72550 | WINCOLLECT DHCP LOG SOURCES SHOW ERROR STATUS AND STOP COLLECTING DHCP EVENTS |
IV72838 | NEW WINCOLLECT AGENT INSTALLATIONS CONFIGURED FOR MANAGED HOSTS SHUTDOWN PRIOR TO RECEIVING THEIR FIRST CONFIGURATION |
IV74394 | WINCOLLECT FILE FORWARDER CAN SEND EVENTS TO THE INCORRECT LOG SOURCE |
IV82162 | 'UNABLE TO GET AGENT VERSION' ERRORS DURING INSTALLATION OF THE WINCOLLECT 7.2.3 .SFS ON A HIGH AVAILABILITY APPLIANCE |
NEW FEATURE | STAND-ALONE WINCOLLECT AGENT INSTALLS NOW SUPPORT SENDING EVENTS USING TLS SYSLOG. FOR MORE INFORMATION SEE WINCOLLECT 7.2.3 STAND-ALONE RELEASE NOTES. |
How to upgrade to WinCollect v7.2.3
- Log in to the QRadar Console.
- From the Navigation bar, click Help > About.
- Click Additional Information and verify you have the base software and RPM versions installed.
- For QRadar 7.1.x Consoles: 710_QRadar_wincollectupdate-7.1.0.251.sfs
- For QRadar 7.2.x Consoles: 720_QRadar_wincollectupdate-7.2.0.310.sfs
- To avoid access errors in your log file, close all open QRadar sessions.
- Verify that all changes are deployed on your appliances.
- Installing the SFS file forces a Tomcat restart on the Console, which will log out QRadar users and stop any reports running in the background. Administrators should be aware of this service restart to schedule maintenance time appropriately.
- It is possible for the administrator to prevent a software update to a critical business asset or server from the WinCollect agent list on the Admin tab. To prevent a host from being updated, the Enable Automatic Updates field must be set to false before you install the SFS file to the Console. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21685330.
- The WinCollect Agent SFS file can only be installed on the QRadar Console appliance. Installing the WinCollect Agent update SFS on a managed host displays an error message to the administrator.
Installation pre-requisites
QRadar Version | Minimum WinCollect Version | RPM Minimum Version |
---|---|---|
QRadar 7.1 MR2 Patch 3 or above | WinCollect 7.2.2-2 | AGENT-WINCOLLECT-7.1-1018604.noarch |
QRadar V7.2.x (any patch level) | WinCollect 7.2.2-2 | AGENT-WINCOLLECT-7.2-1018607.noarch |
Upgrade overview
To upgrade existing WinCollect agents, the administrator must install the SFS file on the QRadar Console appliance. The SFS contains protocol updates and the WinCollect Agent software that is used to remotely update Windows hosts to WinCollect 7.2.3.
Step 1 | Step 2 | Step 3 |
---|---|---|
Install the proper file on your QRadar Console. | Wait for the installs to complete and for the user interface to show the agents at WinCollect 7.2.3. | See Troubleshooting for any agents that do not update to WinCollect 7.2.3. |
WinCollect upgrade procedure
This section outlines how to install WinCollect 7.2.3 on the QRadar Console. The WinCollect update only needs to be installed on the QRadar Console. The Console appliance will replicate all required files to other QRadar appliances in the deployment.
- Download a WinCollect Agent (v7.2.3) bundle (.SFS) from the IBM Fix Central website for your QRadar version:
- QRadar 7.1.x: 710_QRadar_wincollectupdate-7.1.0.251.sfs
- QRadar 7.2.x: 720_QRadar_wincollectupdate-7.2.0.310.sfs
Note: The installation process will restart services on the Console, which will create a gap in event collection until services restart. Administrators should be aware of the service restart so they can schedule their upgrades during a maintenance window.
- Using SSH, log in to your Console as the root user.
- Copy the fix pack to the /tmp directory on the QRadar Console.
Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
- To create the /media/updates directory, type the following command: mkdir -p /media/updates
- Change to the directory where you copied the patch file. For example, cd /tmp
- To mount the patch file to the /media/updates directory, type the following command:
mount -o loop -t squashfs 7x0_QRadar_wincollectupdate-7.<version>.sfs /media/updates
- To run the patch installer, type the following command: /media/updates/installer
NOTE: To proceed with the WinCollect Agent update, services need to be restarted on QRadar to apply the protocol updates. The following message is displayed:
WARNING: Services need to be shutdown in order to apply patches. This will cause an interruption to data collection and correlation.
Do you wish to continue (Y/N?
- To continue with the update, type Y.
During the update, the SFS installs new protocol updates. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes. After the installation is complete, services are restarted and the user interface is available.
Note: By default, agents request configuration updates every 10 minutes if the WinCollect agent has Enable Automatic Updates set to true.
- From the command line, restart Tomcat by typing: service tomcat restart
- Log in to the QRadar Console web interface.
- Click the Admin tab.
- Click Advanced > Deploy Full Configuration.
Results
After the deploy completes, the installation process starts for remote WinCollect agents as they call in to QRadar appliances to request updates. Administrators should wait for the WinCollect agents to update the remote Windows hosts, as it might take 15-20 minutes for agents to start updating. In smaller deployments, updates should take only a few minutes; larger WinCollect deployments might take an hour or two to fully update.
Verifying that updates are complete
To verify that agents are updated, administrators can log in to the QRadar user interface and review the agent list to verify that agents with updates enabled display 7.2.3 in the Version column. If after a few hours there are WinCollect agents that still show 7.2.2, administrators can review the troubleshooting section below to force an update on any remaining WinCollect agents stuck at a previous version.
Troubleshooting
For WinCollect agents that do not upgrade to version 7.2.3, administrators can use a force update script to complete the install process.
Before you begin
- Log in to the QRadar user interface as the root user.
- Click the Admin tab.
- From the navigation menu, click Advanced > Deploy Full Configuration.
- Wait for the full deploy to complete.
- Click the WinCollect icon.
- Review the Agent list for any agents at version 7.2.2 and note which QRadar appliance manages this WinCollect agent.
- Download the forceUpgrade.sh script attached to this release note:
SHA1 file sum: cedd68678e54aae27195a610caf852c5f0ff6f03
- Using SCP, copy the forceUpgrade.sh script to the /tmp directory of QRadar Console.
- Optional. If a non-Console appliance manages the WinCollect agent that failed to update, use scp to copy the forceUpgrade.sh file from the Console to the managed host.
For example, from the Console: scp /tmp/forceUpgrade.sh root@<managedhostIP>:/tmp/forceUpgrade.sh
- To set permissions on the file, navigate to the /tmp directory and type: chmod +x forceUpgrade.sh
- To start the script, type: sh forceUpgrade.sh
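The procedure above publishes a SHA1 sum for forceUpgrade.sh but leaves the check to the reader. As an added example (not IBM's script and not part of the release note), the following POSIX sh helper verifies a downloaded script against its published digest and runs it only on a match; the function names are mine, and it assumes sha1sum (GNU coreutils) or shasum (BSD/macOS) is on the PATH.

```shell
#!/bin/sh
# Added example: gate execution of a downloaded helper script on its published SHA1.
# Assumes sha1sum or shasum is available; function names are this example's own.

# Print the SHA1 hex digest of a file, using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file exists and its SHA1 matches the expected digest
# (compared case-insensitively), 1 otherwise, with the reason on stderr.
verify_sha1() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify_sha1: no such file: $file" >&2; return 1; }
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_sha1: mismatch for $file (expected $expected, got $actual)" >&2
    return 1
}

# Mark the script executable and run it only after the digest check passes.
# A file whose digest does not match is never executed.
run_verified() {
    verify_sha1 "$1" "$2" || return 1
    chmod +x "$1" && sh "$1"
}

# Usage on the Console, with the digest published in this release note:
#   run_verified /tmp/forceUpgrade.sh cedd68678e54aae27195a610caf852c5f0ff6f03
```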
Results
Wait for the script to force an update of the remote WinCollect agent. This process typically takes one or two configuration polling intervals to complete, which might be up to 20 minutes. Review the Agent list to verify that the agent is updated to version 7.2.3. There is no success or failure message when running the forceUpgrade.sh script. The purpose of this script is to update all keys for WinCollect agents that are managed by the QRadar appliance. When you run the upgrade script, it removes all agent keys from /store/configservices/wincollect/configserver/<Agent Name> and forces the system to regenerate all of the keys for the deployment, because it treats them as missing. When the script returns to the command prompt, the script has completed running; however, keys might still be regenerating for QRadar to send to WinCollect agents, and large deployments might take up to 20 minutes to regenerate all keys.
This script requires the administrator to successfully complete a 'Deploy Full Configuration' before the script can be run. A full deploy restarts services on QRadar appliances, which stops event/flow collection until services are restarted.
List of files in the SFS update
Files in 720_QRadar_wincollectupdate-7.2.0.309.sfs
- AGENT-WINCOLLECT-7.2-20160105153044.noarch.rpm
- PROTOCOL-WinCollectConfigServer-7.2-20160127094843.noarch.rpm
- PROTOCOL-WinCollectFileForwarder-7.2-20160105153044.noarch.rpm
- PROTOCOL-WinCollectJuniperSBR-7.2-20151125110009.noarch.rpm
- PROTOCOL-WinCollectMicrosoftDHCP-7.2-20160105153044.noarch.rpm
- PROTOCOL-WinCollectMicrosoftIAS-7.2-20160105153044.noarch.rpm
- PROTOCOL-WinCollectMicrosoftIIS-7.2-20160105153044.noarch.rpm
- PROTOCOL-WinCollectMicrosoftISA-7.2-20160105153044.noarch.rpm
- PROTOCOL-WinCollectMicrosoftSQL-7.2-20160105153044.noarch.rpm
- PROTOCOL-WinCollectNetAppDataONTAP-7.2-20160105153044.noarch.rpm
- PROTOCOL-WinCollectWindowsEventLog-7.2-20160105153044.noarch.rpm
Files in 710_QRadar_wincollectupdate-7.1.0.250.sfs
- AGENT-WINCOLLECT-7.1-20160105153122.noarch.rpm
- PROTOCOL-WinCollectConfigServer-7.1-20160127102231.noarch.rpm
- PROTOCOL-WinCollectFileForwarder-7.1-20160105153122.noarch.rpm
- PROTOCOL-WinCollectJuniperSBR-7.1-20151125110107.noarch.rpm
- PROTOCOL-WinCollectMicrosoftDHCP-7.1-20160105153122.noarch.rpm
- PROTOCOL-WinCollectMicrosoftIAS-7.1-20160105153122.noarch.rpm
- PROTOCOL-WinCollectMicrosoftIIS-7.1-20160105153122.noarch.rpm
- PROTOCOL-WinCollectMicrosoftISA-7.1-20160105153122.noarch.rpm
- PROTOCOL-WinCollectMicrosoftSQL-7.1-20160105153122.noarch.rpm
- PROTOCOL-WinCollectNetAppDataONTAP-7.1-20160105153122.noarch.rpm
- PROTOCOL-WinCollectWindowsEventLog-7.1-20160105153122.noarch.rpm
-------
Where do I find more information?
If you have additional questions or some of this content is not clear, you can visit the QRadar forum or contact customer support:
- Online QRadar Customer Forums
- Submit and manage your support tickets online 24x7 using IBM Service Request
- QRadar Downloads - IBM Fix Central
- IBM Security Support YouTube channel: http://www.youtube.com/user/IBMSecuritySupport
Document Information
Modified date:
10 May 2019
UID
swg27047519