IBM Support

Release of WinCollect Agent 7.2.4

Release Notes


Abstract

This release note contains upgrade instructions and a list of fixed issues for IBM Security WinCollect Agent 7.2.4. Questions about this version / upgrade can be discussed in the WinCollect forums.

Content



NOTE: Due to an issue with IBM Fix Central, the WinCollect 7.2.4 files might not be available until Tuesday, September 13th.


About WinCollect v7.2.4: Fixed issues list and features

A new SFS file has been posted to IBM Fix Central for WinCollect Agent version 7.2.4. This update resolves multiple issues reported in the WinCollect 7.2.2-2 and 7.2.3 releases. Questions about this version / upgrade can be discussed in our new WinCollect forums here: WinCollect / Windows Event Collection forum.

New features and resolved issues in WinCollect 7.2.4
Number        Description
NEW FEATURE   NEW 'MANAGED' AND 'STAND ALONE' INSTALLATION OPTIONS ARE AVAILABLE USING THE GUIDED INSTALLER.
NEW FEATURE   THE GUIDED INSTALLER NOW PROVIDES A COMMAND LINE INSTALLATION EXAMPLE TO ASSIST WINDOWS ADMINISTRATORS.
NEW FEATURE   STAND ALONE MODE INSTALLER SUPPORTS LOG SOURCE AUTOCREATION.
NEW FEATURE   ADDED TLS SYSLOG SUPPORT FOR TLS V1.0, TLS V1.1, AND TLS V1.2 ON PORT 8413.
NEW FEATURE   THE UPDATED INSTALLER PROPERLY CLEANS UP %PROGRAMDATA%\WINCOLLECT FILES TO REMOVE ALL DATA ON DISK WHEN REQUESTED.
NEW FEATURE   ALL AGENTS NOW SUPPORT LOG ROLLOVER AFTER UPGRADING TO WINCOLLECT 7.2.4.
NEW FEATURE   SIMPLIFIED VERSION NUMBERS FOR FILENAMES.
NEW FEATURE   LEEF HEARTBEAT MESSAGES CAN NOW CONTAIN CUSTOMIZED VALUES.
NEW FEATURE   UPDATED PLUG-IN: NETAPP DATAONTAP FOR V8.3 (.EVTX FILE SUPPORT).
NEW FEATURE   NEW: MICROSOFT DNS DEBUG DSM. THIS DSM MUST BE DOWNLOADED INDIVIDUALLY FROM IBM FIX CENTRAL.
IV62066       WINCOLLECT AGENT IS NOT CLEANING UP PROPERLY AFTER BEING UNINSTALLED
IV62404       PARAMETERS FOR WINCOLLECT COMMAND-LINE INSTALLATION FAIL TO SET CORRECTLY
IV67119       INSTALLED WINCOLLECT AGENT VERSION NUMBER IN 'PROGRAMS AND FEATURES' MAY BE INCORRECT
IV71375       EVENTS FORWARDED BY WINCOLLECT CONTAIN AN EMPTY 'WINCOLLECT MESSAGE=' FIELD
IV73084       WINCOLLECT CONFIGURATION CONSOLE SETUP: 'UDP' SYSLOG DESTINATION NAME FIELD DESCRIPTION INCORRECTLY DISPLAYS 'TCP'
IV76915       WINCOLLECT STAND ALONE INSTALLER CAN FAIL WITH 'ERROR 1720. A SCRIPT REQUIRED FOR THIS INSTALL TO COMPLETE'
IV83188       FILTERING BY EVENT TYPE DOES NOT WORK AS EXPECTED USING WINCOLLECT


Prerequisites for the WinCollect Upgrade


    Installation pre-requisites
    QRadar Version                      Minimum WinCollect Version   RPM Minimum Version
    QRadar 7.1 MR2 Patch 3 or above.    WinCollect 7.2.2-2           AGENT-WINCOLLECT-7.1-1018604.noarch
    QRadar 7.2.x (any patch level)      WinCollect 7.2.2-2           AGENT-WINCOLLECT-7.2-1018607.noarch
    To verify that you meet the minimum requirements:
    1. Log in to the QRadar Console.
    2. From the Navigation bar, click Help > About.
    3. Click Additional Information and verify you have the base software and RPM versions installed.


    Before you begin

    • To avoid access errors in your log file, close all open QRadar sessions.
    • Verify that all changes are deployed on your appliances.
    • Installing the SFS file forces a Tomcat restart on the Console, which will log out QRadar users and stop any reports running in the background. Administrators should be aware of this service restart to schedule maintenance time appropriately.
    • It is possible for the administrator to prevent a software update to a critical business asset or server from the WinCollect agent list on the Admin tab. To prevent a host from being updated, the Enable Automatic Updates field must be set to false before you install the SFS file to the Console. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21685330.
    • The WinCollect Agent SFS file can only be installed on the QRadar Console appliance. Installing the WinCollect Agent update SFS on a managed host displays an error message to the administrator.

WinCollect upgrade procedure

This section outlines how to install WinCollect 7.2.4 on the QRadar Console. The WinCollect update only needs to be installed on the QRadar Console. The Console appliance will replicate all required files to other QRadar appliances in the deployment.

To upgrade existing WinCollect agents, the administrator must install the SFS file on the QRadar Console appliance. The SFS contains protocol updates and WinCollect Agent software to remotely update Windows hosts with WinCollect 7.2.4.

Step 1: Install the proper file on your QRadar Console. The procedure below outlines the installation procedure for your Console.
Step 2: Wait for installs to complete and update the user interface to WinCollect 7.2.4.

    Procedure
      1. Download a WinCollect Agent (v7.2.4) bundle (.SFS) from the IBM Fix Central website for your QRadar version:

        Due to an issue with IBM Fix Central, the WinCollect 7.2.4 files might not be available until Tuesday, September 13th.
      2. Using SSH, log in to your Console as the root user.
      3. Copy the fix pack to the /tmp directory on the QRadar Console. If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
      4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
      5. Change to the directory where you copied the patch file. For example, cd /tmp
      6. To mount the patch file to the /media/updates directory, type one of the following commands:
        • For QRadar 7.1 installs: mount -o loop -t squashfs 710_QRadar_wincollectupdate-7.1.0.416.sfs /media/updates
        • For QRadar 7.2 installs: mount -o loop -t squashfs 720_QRadar_wincollectupdate-7.2.0.420.sfs /media/updates
      7. To run the patch installer, type the following command: /media/updates/installer

        NOTE: To proceed with the WinCollect Agent update, services need to be restarted on QRadar to apply protocol updates. The following message is displayed:

        WARNING: Services need to be shutdown in order to apply patches. This will cause an interruption to data collection and correlation.

        Do you wish to continue (Y/N?


      8. To continue with the update, type Y.

        During the update, the SFS installs new protocol updates. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes. After the installation is complete, services are restarted and the user interface is available.

        Note: By default, agents request configuration updates every 10 minutes if the WinCollect agent has Enable Automatic Updates set to true.
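
The checks below wrap steps 4 to 6 so that a wrong or truncated download is caught before the installer shuts down services. This is an added example, not an IBM-supplied script: the function names are hypothetical, the "hsqs" check assumes a little-endian squashfs image, and the RPM check assumes the packages listed in this release note can be found by file name under the mount point.

```shell
#!/bin/bash
# Added example, not an IBM script. File names and build stamps are copied from
# this release note; function names are hypothetical.
sfs_for_branch() {   # $1 = QRadar branch: 7.1 or 7.2
  case "$1" in
    7.1) echo "710_QRadar_wincollectupdate-7.1.0.416.sfs" ;;
    7.2) echo "720_QRadar_wincollectupdate-7.2.0.420.sfs" ;;
    *)   return 1 ;;
  esac
}

is_squashfs() {      # assumption: little-endian squashfs, which starts with "hsqs"
  [ -f "$1" ] && [ "$(head -c 4 "$1" 2>/dev/null)" = "hsqs" ]
}

expected_rpms() {    # prints the 12 RPM names this release note lists for the branch
  local stamp p
  case "$1" in
    7.1) stamp=20160816162347 ;;
    7.2) stamp=20160816161824 ;;
    *)   return 1 ;;
  esac
  echo "AGENT-WINCOLLECT-$1-$stamp.noarch.rpm"
  for p in ConfigServer FileForwarder JuniperSBR MicrosoftDHCP MicrosoftDNS \
           MicrosoftIAS MicrosoftIIS MicrosoftISA MicrosoftSQL NetAppDataONTAP \
           WindowsEventLog; do
    echo "PROTOCOL-WinCollect$p-$1-$stamp.noarch.rpm"
  done
}

missing_rpms() {     # $1 = directory tree, $2 = branch; prints expected names not found
  local name
  expected_rpms "$2" | while read -r name; do
    find "$1" -name "$name" | grep -q . || echo "$name"
  done
}

mount_and_verify() { # $1 = branch, $2 = directory holding the .sfs (run as root)
  local sfs missing
  sfs="$2/$(sfs_for_branch "$1")" || { echo "unknown branch: $1" >&2; return 1; }
  is_squashfs "$sfs" || { echo "$sfs is missing or not squashfs" >&2; return 1; }
  mkdir -p /media/updates
  if mountpoint -q /media/updates; then echo "already mounted" >&2; return 1; fi
  mount -o loop -t squashfs "$sfs" /media/updates || return 1
  missing=$(missing_rpms /media/updates "$1")
  [ -z "$missing" ] || { echo "not in image: $missing" >&2; return 1; }
  echo "Image verified; continue with /media/updates/installer"
}
if [ "$#" -eq 2 ]; then mount_and_verify "$1" "$2"; fi
```

Saved under a name of your choosing and run as root with the branch and download directory as arguments (for example `7.2 /tmp`), it stops after mounting and leaves step 7, the interactive installer, to the administrator.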



    Results
    Administrators should wait for the WinCollect agent to update the remote Windows host with the latest software. In smaller deployments, updates should only take a few minutes; however, larger WinCollect deployments might take an hour or two to fully update.


    Verifying that updates are complete
    To verify that agents are updated, administrators can log in to the QRadar user interface and review the agent list to verify that agents with updates enabled display 7.2.4 in the Version column. If after a few hours there are WinCollect agents that still show 7.2.2, administrators can review the troubleshooting section below to force an update on any remaining WinCollect agents stuck at a previous version.



List of files in the SFS update

Files in 720_QRadar_wincollectupdate-7.2.0.420.sfs

  • AGENT-WINCOLLECT-7.2-20160816161824.noarch.rpm
  • PROTOCOL-WinCollectConfigServer-7.2-20160816161824.noarch.rpm
  • PROTOCOL-WinCollectFileForwarder-7.2-20160816161824.noarch.rpm
  • PROTOCOL-WinCollectJuniperSBR-7.2-20160816161824.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftDHCP-7.2-20160816161824.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftDNS-7.2-20160816161824.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftIAS-7.2-20160816161824.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftIIS-7.2-20160816161824.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftISA-7.2-20160816161824.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftSQL-7.2-20160816161824.noarch.rpm
  • PROTOCOL-WinCollectNetAppDataONTAP-7.2-20160816161824.noarch.rpm
  • PROTOCOL-WinCollectWindowsEventLog-7.2-20160816161824.noarch.rpm


Files in 710_QRadar_wincollectupdate-7.1.0.416.sfs
  • AGENT-WINCOLLECT-7.1-20160816162347.noarch.rpm
  • PROTOCOL-WinCollectConfigServer-7.1-20160816162347.noarch.rpm
  • PROTOCOL-WinCollectFileForwarder-7.1-20160816162347.noarch.rpm
  • PROTOCOL-WinCollectJuniperSBR-7.1-20160816162347.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftDHCP-7.1-20160816162347.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftDNS-7.1-20160816162347.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftIAS-7.1-20160816162347.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftIIS-7.1-20160816162347.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftISA-7.1-20160816162347.noarch.rpm
  • PROTOCOL-WinCollectMicrosoftSQL-7.1-20160816162347.noarch.rpm
  • PROTOCOL-WinCollectNetAppDataONTAP-7.1-20160816162347.noarch.rpm
  • PROTOCOL-WinCollectWindowsEventLog-7.1-20160816162347.noarch.rpm



-------
Where do I find more information?
If you have additional questions or some of this content is not clear, you can see the QRadar forum or contact customer support:


Document Information

Modified date:
10 May 2019

UID

swg27048744