IBM Support

Release of WinCollect Agent 7.2.6 (Known issue identified)

Release Notes


Abstract

This release note contains upgrade instructions and a list of fixed issues for IBM Security WinCollect Agent 7.2.6. Questions about this version / upgrade can be discussed in the WinCollect forums.

Content


Warning: Known issue identified in WinCollect 7.2.6


An issue has been identified in WinCollect 7.2.6 where remote event collection stops on monitored Microsoft Windows computers after the host is rebooted. Administrators who have installed WinCollect 7.2.6 should update their log source configurations to select the MSEVEN protocol to ensure that event collection is uninterrupted. APAR IV96608 has been opened so that administrators can track this issue. A new version of WinCollect will be released soon to resolve it.



Before you begin


Before upgrading WinCollect on a QRadar 7.2.x Console, WinCollect must be at version 7.2.2-2 or higher. If the WinCollect version is below 7.2.2-2, install WinCollect 7.2.2-2 first. Make sure that all Windows host agents have updated to WinCollect 7.2.2-2 before proceeding to upgrade to WinCollect 7.2.6. Administrators can verify that the Windows host agents have updated to WinCollect 7.2.2-2 by looking at C:\Program Files\IBM\WinCollect\config\AgentCore.manifest: the Build Number for WinCollect 7.2.2-2 should be 1018564. For more information, review the section Prerequisites for the WinCollect Upgrade.

Due to QRadar 7.1.x being end of engineering, there is no WinCollect 7.1.x SFS file being released to upgrade to WinCollect 7.2.6. Administrators interested in installing WinCollect 7.2.6 must upgrade their QRadar deployment to the QRadar 7.2 software version. No QRadar 7.1.x upgrade files are being offered to upgrade to WinCollect 7.2.6.

Supported Windows operating systems
  • Windows Server 2016
  • Windows Server 2008 (most recent)
  • Windows Server 2008 Core
  • Windows Server 2012 (most recent)
  • Windows Server 2012 Core
  • Windows 7 (most recent)
  • Windows 8 (most recent)
  • Windows 10 (most recent)
  • Windows Vista (most recent)

    NOTE: WinCollect is not supported on versions of Windows that have been moved to End Of Life by Microsoft. After software is beyond the Extended Support End Date the product might still function as expected; however, IBM will not make code or vulnerability fixes to resolve WinCollect issues for older operating systems. For more information, see the WinCollect User Guide.


IBM Statement for WinCollect supported versions
Administrators should be aware that the supported software versions for IBM WinCollect are the latest version (n) and the latest minus one (n-1). This means that the two newest versions of WinCollect are the versions that QRadar Support will recommend in any support tickets (cases) that are opened. To prevent issues, it is important that administrators keep WinCollect deployments updated when new versions are posted to IBM Fix Central. For questions related to this statement, ask in the WinCollect forum: http://ibm.biz/wincollectforums.



About WinCollect v7.2.6: Known & fixed issues list

A new SFS file has been posted to IBM Fix Central for WinCollect Agent version 7.2.6. This update resolves multiple issues reported in the previous WinCollect release. Questions about this version / upgrade can be discussed in our new WinCollect forums here: WinCollect / Windows Event Collection forum.


Known issues in WinCollect 7.2.6

Number    Description
IV96608   Warning: An issue has been identified in WinCollect 7.2.6 where remote event collection stops on monitored Microsoft Windows computers after the host is rebooted.

New features and resolved issues in WinCollect 7.2.6

Number        Description
New feature   Added TLS protocol and certificate to stand-alone install.
New feature   Added support for a dash in the domain name.
New feature   Added inclusion filter to all log types.
New feature   Added NSA event filter to Application, Security, System and DNS filter types.
IV91737       Korean language characters do not display correctly in events that are gathered using WinCollect file forwarding.
IV92211       Event payload is truncated after 'Message=' for Windows event ID 4688 when using an XPath query in a WinCollect log source.
IV96284       Upgrading the WinCollect .SFS can require an additional 'Deploy Full Configuration' to complete some agent installations.
IV96364       The WinCollect 7.2.6 .SFS for QRadar 7.3 needs to be applied after upgrading QRadar from 7.2.8.x to 7.3.0.x.


Prerequisites for the WinCollect Upgrade


    Installation prerequisites

    QRadar Version                    Minimum WinCollect Version   RPM Minimum Version
    QRadar 7.3.x (any patch level)    WinCollect 7.2.5             AGENT-WINCOLLECT-7.3-20161123160813.noarch
    QRadar 7.2.x (any patch level)    WinCollect 7.2.2-2           AGENT-WINCOLLECT-7.2-1018607.noarch

    To verify that you meet the minimum requirements:
    1. Log in to the QRadar Console.
    2. From the navigation bar, click Help > About.
    3. Click Additional Information and verify that the installed base software and RPM versions meet the minimums in the table above.
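As an added example (not IBM's tooling, not part of this release note), the following POSIX shell script checks the Console's installed AGENT-WINCOLLECT RPM against the minimum builds in the table above, as a command-line alternative to the Help > About check. It assumes that `rpm -q AGENT-WINCOLLECT` prints the package as name-version-release.arch, for example AGENT-WINCOLLECT-7.2-1018607.noarch; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not IBM tooling: check the Console's AGENT-WINCOLLECT RPM
# against the minimum builds in the prerequisite table of the release note.
# Assumes `rpm -q AGENT-WINCOLLECT` prints name-version-release.arch, e.g.
# AGENT-WINCOLLECT-7.2-1018607.noarch (an assumption about rpm output).

# Minimum agent RPM build for a QRadar stream (7.2 or 7.3), from the table.
min_agent_build() {
    case "$1" in
        7.2) echo 1018607 ;;
        7.3) echo 20161123160813 ;;
        *)   return 1 ;;
    esac
}

# Stream (7.2 or 7.3) encoded in an RPM name; prints nothing if unmatched.
agent_rpm_stream() {
    printf '%s\n' "$1" | sed -n 's/^AGENT-WINCOLLECT-\([0-9]\.[0-9]\)-[0-9]*\.noarch$/\1/p'
}

# Build number encoded in an RPM name; returns 1 if the name has the wrong shape.
agent_rpm_build() {
    b=$(printf '%s\n' "$1" | sed -n 's/^AGENT-WINCOLLECT-[0-9]\.[0-9]-\([0-9]*\)\.noarch$/\1/p')
    [ -n "$b" ] || return 1
    printf '%s\n' "$b"
}

# agent_rpm_ok <qradar stream> <rpm name>: 0 when the RPM belongs to the same
# stream as the Console and its build is at or above the minimum, else 1.
# Both 7-digit (1018607) and timestamp (20161123160813) builds compare numerically.
agent_rpm_ok() {
    min=$(min_agent_build "$1") || return 1
    [ "$(agent_rpm_stream "$2")" = "$1" ] || return 1
    b=$(agent_rpm_build "$2") || return 1
    [ "$b" -ge "$min" ]
}

# Run on the Console as: check_console 7.2   (or 7.3). Elsewhere, rpm is absent.
check_console() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; run on the QRadar Console" >&2; return 2; }
    inst=$(rpm -q AGENT-WINCOLLECT) || { echo "AGENT-WINCOLLECT is not installed" >&2; return 1; }
    if agent_rpm_ok "$1" "$inst"; then
        echo "OK: $inst meets the minimum for QRadar $1.x"
    else
        echo "NOT OK: $inst is below the minimum for QRadar $1.x; bring WinCollect up to the minimum first" >&2
        return 1
    fi
}
```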


    Before you begin

    • To avoid access errors in your log file, close all open QRadar sessions.
    • Verify that all changes are deployed on your appliances.
    • Installing the SFS file forces a Tomcat restart on the Console, which will log out QRadar users and stop any reports running in the background. Administrators should be aware of this service restart to schedule maintenance time appropriately.
    • It is possible for the administrator to prevent a software update to a critical business asset or server from the WinCollect agent list on the Admin tab. To prevent a host from being updated, the Enable Automatic Updates field must be set to false before you install the SFS file to the Console. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21685330.
    • The WinCollect Agent SFS file can only be installed on the QRadar Console appliance. Installing the WinCollect Agent update SFS on a managed host displays an error message to the administrator.


WinCollect upgrade procedure

This section outlines how to install WinCollect 7.2.6 on the QRadar Console. The WinCollect update only needs to be installed on the QRadar Console. The Console appliance will replicate all required files to other QRadar appliances in the deployment.



To upgrade existing WinCollect agents, the administrator must install the SFS file on the QRadar Console appliance. The SFS contains protocol updates and WinCollect Agent software to remotely update Windows hosts with WinCollect 7.2.6.

Step 1: Install the proper file on your QRadar Console. The procedure below outlines the installation steps for administrators.

For QRadar 7.3.x Consoles: 730_QRadar_wincollectupdate-7.3.0.77.sfs
For QRadar 7.2.x Consoles: 720_QRadar_wincollectupdate-7.2.0.484.sfs

Step 2: Wait for the installs to complete and for the user interface to update to WinCollect 7.2.6.

    Procedure
    These instructions are intended for standard upgrades of WinCollect. If you are using 'Stand-alone' mode, you must download and install the WinCollect Standalone Patch Installer 7.2.6 for each Windows host to upgrade your agents. The instructions provided below are for managed WinCollect installations.

      1. Download the WinCollect Agent (v7.2.6) bundle (.SFS) for your QRadar major version from the IBM Fix Central website:
        • For 7.3.x Consoles, download 730_QRadar_wincollectupdate-7.3.0.77.sfs
        • For 7.2.x Consoles, download 720_QRadar_wincollectupdate-7.2.0.484.sfs
          Note: The installation process restarts services on the Console, which creates a gap in event collection until the services restart. Administrators should be aware of the service restart so they can schedule their upgrades during a maintenance window.

      2. Using SSH, log in to your Console as the root user.
      3. Copy the fix pack to the /tmp directory on the QRadar Console. If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
      4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
      5. Change to the directory where you copied the patch file. For example, cd /tmp
      6. To mount the patch file to the /media/updates directory, type the following command, substituting the name of the SFS file you downloaded: mount -o loop -t squashfs ConsoleVersion_QRadar_wincollectupdate-Wincollect_Version.sfs /media/updates
      7. To run the patch installer, type the following command: /media/updates/installer

        NOTE: To proceed with the WinCollect Agent update, services need to be restarted on QRadar to apply the protocol updates. The following message is displayed:

        WARNING: Services need to be shutdown in order to apply patches. This will cause an interruption to data collection and correlation.

        Do you wish to continue (Y/N?


      8. To continue with the update, type Y.

        During the update, the SFS installs new protocol updates. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes. After the installation is complete, services are restarted and the user interface is available.

        Note: By default, agents request configuration updates every 10 minutes if the WinCollect agent has Enable Automatic Updates set to true.



    Results
    Administrators should wait for the WinCollect agent to update the remote Windows hosts with the latest software. In smaller deployments, updates should take only a few minutes; larger WinCollect deployments might take an hour or two to fully update.


    Verifying that updates are complete
    To verify that agents are updated, administrators can log in to the QRadar user interface and review the agent list to verify that agents with updates enabled display 7.2.6 in the Version column. If after a few hours there are WinCollect agents that still show 7.2.2, administrators can review the troubleshooting section below to force an update on any remaining WinCollect agents stuck at a previous version.

WinCollect RPMs contained in the SFS installer



Files packaged in the 730_QRadar_wincollectupdate-7.3.0.77.sfs bundle

AGENT-WINCOLLECT-7.3-20170512041055.noarch


PROTOCOL-WinCollectConfigServer-7.3-20170512041055.noarch
PROTOCOL-WinCollectJuniperSBR-7.3-20170512041055.noarch
PROTOCOL-WinCollectMicrosoftDHCP-7.3-20170512041055.noarch
PROTOCOL-WinCollectFileForwarder-7.3-20170512041055.noarch
PROTOCOL-WinCollectNetAppDataONTAP-7.3-20170512041055.noarch
PROTOCOL-WinCollectMicrosoftIIS-7.3-20170512041055.noarch
PROTOCOL-WinCollectWindowsEventLog-7.3-20170512041055.noarch
PROTOCOL-WinCollectMicrosoftIAS-7.3-20170512041055.noarch
PROTOCOL-WinCollectMicrosoftDNS-7.3-20170512041055.noarch
PROTOCOL-WinCollectMicrosoftSQL-7.3-20170512041055.noarch
PROTOCOL-WinCollectMicrosoftISA-7.3-20170512041055.noarch
DSM-WinCollect-7.3-20160908133313.noarch

Files packaged in the 720_QRadar_wincollectupdate-7.2.0.484.sfs bundle

AGENT-WINCOLLECT-7.2-20170512041055.noarch


PROTOCOL-WinCollectNetAppDataONTAP-7.2-20170512041055.noarch
PROTOCOL-WinCollectMicrosoftDHCP-7.2-20170512041055.noarch
PROTOCOL-WinCollectJuniperSBR-7.2-20170512041055.noarch
PROTOCOL-WinCollectMicrosoftSQL-7.2-20170512041055.noarch
PROTOCOL-WinCollectMicrosoftISA-7.2-20170512041055.noarch
PROTOCOL-WinCollectConfigServer-7.2-20170512041055.noarch
PROTOCOL-WinCollectMicrosoftIIS-7.2-20170512041055.noarch
PROTOCOL-WinCollectMicrosoftIAS-7.2-20170512041055.noarch
PROTOCOL-WinCollectWindowsEventLog-7.2-20170512041055.noarch
PROTOCOL-WinCollectMicrosoftDNS-7.2-20170512041055.noarch
PROTOCOL-WinCollectFileForwarder-7.2-20170512041055.noarch
DSM-WinCollect-7.2-922053.noarch






Where do I find more information?
If you have additional questions or some of this content is not clear, you can visit the QRadar forum or contact customer support.


Document Information

Modified date:
10 May 2019

UID

swg27049872