IBM Support

Release of WinCollect Agent V7.2.9 patch 3

Release Notes


Abstract

This release note contains upgrade instructions and a list of fixed issues for IBM WinCollect Agent V7.2.9 P3.

Content


Known issue identified in WinCollect V7.2.9 P3

The WinCollect 7.2.9 Patch 3 installation can fail unexpectedly due to the minimum upgrade version check (APAR IJ24355).

About WinCollect V7.2.9 P3

This release updates the IBM QRadar WinCollect Agent to display the build number so that you can easily determine which WinCollect agents are updated. Ask questions about this version or the upgrade to this version in our new WinCollect forums (WinCollect forum).

Resolved issues
  • Fixed an issue that prevented the WinCollect installer from running in an HA environment (APAR IJ24260).
  • Fixed an issue where the Originating Computer field displayed incorrect values (APAR IJ23726).
  • Fixed an issue with Microsoft DHCP where the agent competed with Microsoft for file access (APAR IJ24021).
  • Fixed an issue in Microsoft IIS with High Event Rate Polling interval.
  • Fixed an issue with WinCollect Agents not receiving configuration updates with "Encrypt Host Connections" enabled in QRadar Settings (APAR IJ15297).
  • Several fixes to the Log Source Management App and WinCollect Log Sources (APAR IJ20462).
  • WinCollect agent will now report Windows Server 2019 instead of Server 2016 in the WinCollect status messages.
Supported Windows operating systems
  • Windows Server 2019 (including Core)
  • Windows Server 2016 (including Core)
  • Windows Server 2012 (including Core)
  • Windows Server 2008 (including Core)
  • Windows 7 (most recent)
  • Windows 8 (most recent)
  • Windows 10 (most recent)

    NOTE: WinCollect is not supported on versions of Windows that have been moved to End Of Support by Microsoft. After software is used beyond the Extended Support End Date, the product might still function as expected; however, IBM will not make code or vulnerability fixes to resolve WinCollect issues for older operating systems. For more information, see the WinCollect User Guide.

IBM Statement for WinCollect supported versions
The supported software versions for IBM WinCollect are the latest version (n) and the latest minus one (n-1). Therefore, the two newest versions of WinCollect are the versions that QRadar support suggests with any support tickets (cases) that are opened. To prevent issues, it is important that you, as an administrator, keep WinCollect deployments updated when new versions are posted to IBM Fix Central. For questions related to this statement, ask in the WinCollect forum: http://ibm.biz/wincollectforums.


 

Prerequisites for the WinCollect V7.2.9 P3 upgrade

Installation prerequisites
This table is for managed WinCollect agents that receive updates from a QRadar appliance. Stand-alone WinCollect agents can be updated by using the WinCollect Standalone patch installer file to update the agents on Windows hosts (see links below).

| Console's WinCollect version | Upgrades to WinCollect V7.2.9 | Special instructions |
|---|---|---|
| WinCollect V7.2.2 | No, requires the WinCollect 7.2.2-2 SFS file to be installed first. | Do not use this agent version. Upgrade to WinCollect V7.2.2-2, then install WinCollect 7.2.5. |
| WinCollect V7.2.2-1 | No, requires the WinCollect 7.2.2-2 SFS file to be installed first. | Do not use this agent version. Upgrade to WinCollect V7.2.2-2, then install WinCollect 7.2.5. |
| WinCollect V7.2.2-2 | Yes | Upgrade to WinCollect V7.2.9 P3. See APAR IV99280. |
| WinCollect V7.2.3 | Yes | Upgrade to WinCollect V7.2.9 P3. See APAR IV99280. |
| WinCollect V7.2.4 | Yes | Upgrade to WinCollect V7.2.9 P3. See APAR IV99280. |
| WinCollect V7.2.5 | Yes | Upgrade to WinCollect V7.2.9 P3. |
| WinCollect V7.2.6 | Yes | Upgrade to WinCollect V7.2.9 P3. |
| WinCollect V7.2.7 | Yes | Upgrade to WinCollect V7.2.9 P3. |
| WinCollect V7.2.8 | Yes | Upgrade to WinCollect V7.2.9 P3. |
| WinCollect V7.2.9 | Yes | Upgrade to WinCollect V7.2.9 P3. |

Table 1: The WinCollect version for managed agents can be found in the Agent list on the Admin tab.


QRadar version prerequisites
WinCollect V7.2.9 P3 supports QRadar V7.3.0, or later. WinCollect V7.2.5 is the minimum version required to upgrade to QRadar V7.3.x (any patch level).

Tip: The WinCollect version for managed agents can be found in the Agent list on the Admin tab.
 

Before you begin
To upgrade existing WinCollect agents, you must be an administrator.

Follow these guidelines:

  • To avoid access errors in your log file, close all open QRadar sessions.
  • Verify that all changes are deployed on your appliances.
  • Ensure that you schedule maintenance time appropriately.
    Installing the SFS file forces Tomcat to restart on the QRadar Console, which logs out QRadar users and stops any reports that are running in the background.
  • To prevent a host from being updated, the Enable Automatic Updates field must be set to false before you install the SFS file to the Console. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21685330.
  • Install the WinCollect Agent SFS file only on the QRadar Console appliance. Installing the WinCollect Agent update SFS on a managed host will result in an error message.

WinCollect upgrade procedure


Install WinCollect V7.2.9 P3 only on the QRadar Console. The Console appliance replicates all required files to other QRadar appliances in the deployment.  The SFS contains protocol updates and WinCollect Agent software to remotely update Windows hosts with WinCollect V7.2.9 P3.

Note: If you are using stand-alone mode, you must download and install the WinCollect Patch Installer V7.2.9 P3 for each Windows host and install the update locally on each agent.
WinCollect Patch Installer V7.2.9 P3 Links:

WinCollect Agent update links:

For more information about stand-alone mode, see the WinCollect Knowledge Center.

Procedure
These instructions are intended for standard (managed) upgrades of WinCollect. 

  1. Download a WinCollect Agent (V7.2.9.P3) bundle (.SFS) from the IBM Fix Central website for your QRadar version:
  2. Use SSH to log in to your Console as the root user. 
  3. Copy the fix pack to the /tmp directory on the QRadar Console. If space in the /tmp directory is limited, copy the SFS to another location that has sufficient space, such as /root or /storetmp for QRadar V7.3.0 Consoles.
  4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
  5. Change to the directory where you copied the patch file. For example, cd /tmp
  6. To mount the patch file to the /media/updates directory, type the following command:
    mount -o loop -t squashfs <patch file sfs name>.sfs /media/updates
  7. To run the patch installer, type the following command: /media/updates/installer

    Note: To proceed with the WinCollect Agent update you must restart services on QRadar to apply protocol updates. The following message is displayed:

    WARNING: Services need to be shutdown in order to apply patches. This will cause an interruption to data collection and correlation.

    Do you wish to continue (Y/N)?

     
  8. Type Y to continue with the update.

    During the update, the SFS installs new protocol updates. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and run the installer again, the patch installation resumes. After the installation is complete, services are restarted, and the user interface is available.

    WARNING: Patch 144249 includes a new version of the WinCollect Configuration Server. If you do not restart the event collection service, agents cannot get new configurations and code updates.

  9. In the QRadar admin settings, click Advanced > Deploy Full Configuration.
  10. If you are using QRadar v7.3.1 or later, click Advanced > Restart Event Collection Services.
  11. To unmount the SFS file from the Console, type the following command: umount /media/updates
  12. (Optional) If you selected the second option in Step 9, select Advanced > Restart Web Server on the Admin tab.

Results
Wait for the WinCollect agent to update the remote Windows host with the latest software. In smaller deployments, updates take a few minutes. However, larger WinCollect deployments might take an hour or two to fully update. By default, agents request configuration updates every 10 minutes when the WinCollect agent has the Enable Automatic Updates option set to true.

You can log in to QRadar and review the agent list to verify that agents with enabled updates display 7.2.9.96 in the Version column. After one hour has passed, you can review whether any WinCollect agents still show older agent versions in QRadar.

QRadar V7.3 RPMs contained in the WinCollect SFS installer

When the WinCollect SFS file is installed on the Console appliance, the following RPM files are installed.

  • PROTOCOL-WinCollectConfigServer-7.3-20200414132329.noarch

  • PROTOCOL-WinCollectMicrosoftDHCP-7.3-20200414132329.noarch

  • PROTOCOL-WinCollectWindowsEventLog-7.3-20200414132329.noarch

  • PROTOCOL-WinCollectMicrosoftExchange-7.3-20200414132329.noarch

  • PROTOCOL-WinCollectJuniperSBR-7.3-20200414132329.noarch

  • PROTOCOL-WinCollectFileForwarder-7.3-20200414132329.noarch

  • PROTOCOL-WinCollectNetAppDataONTAP-7.3-20200414132329.noarch

  • AGENT-WINCOLLECT-7.3-20200414132329.noarch

  • PROTOCOL-WinCollectMicrosoftDNS-7.3-20200414132329.noarch

  • PROTOCOL-WinCollectMicrosoftIIS-7.3-20200414132329.noarch

  • PROTOCOL-WinCollectMicrosoftISA-7.3-20200414132329.noarch

  • PROTOCOL-WinCollectMicrosoftSQL-7.3-20200414132329.noarch

  • PROTOCOL-WinCollectMicrosoftIAS-7.3-20200414132329.noarch

QRadar V7.4 RPMs contained in the WinCollect SFS installer

When the WinCollect SFS file is installed on the Console appliance, the following RPM files are installed.

  • PROTOCOL-WinCollectMicrosoftDNS-7.4-20200414132329.noarch

  • PROTOCOL-WinCollectConfigServer-7.4-20200414132329.noarch

  • PROTOCOL-WinCollectMicrosoftIIS-7.4-20200414132329.noarch

  • PROTOCOL-WinCollectNetAppDataONTAP-7.4-20200414132329.noarch

  • PROTOCOL-WinCollectMicrosoftISA-7.4-20200414132329.noarch

  • PROTOCOL-WinCollectMicrosoftExchange-7.4-20200414132329.noarch

  • PROTOCOL-WinCollectMicrosoftDHCP-7.4-20200414132329.noarch

  • PROTOCOL-WinCollectWindowsEventLog-7.4-20200414132329.noarch

  • PROTOCOL-WinCollectJuniperSBR-7.4-20200414132329.noarch

  • AGENT-WINCOLLECT-7.4-20200414132329.noarch

  • PROTOCOL-WinCollectMicrosoftSQL-7.4-20200414132329.noarch

  • PROTOCOL-WinCollectFileForwarder-7.4-20200414132329.noarch

  • PROTOCOL-WinCollectMicrosoftIAS-7.4-20200414132329.noarch

This information is for reference only. Don't install these RPMs themselves; instead contact QRadar Support for any installation issues.
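
The RPM lists above can be used for a read-only check after the upgrade, to confirm that a Console carries the complete set at build 20200414132329 and no leftover WinCollect packages from another build. The following script is an added example, not IBM code; it assumes that `rpm -qa` prints package names in the same form as the lists above, and its function names, sample input and the older build stamp are constructed for illustration.

```shell
#!/bin/bash
# Added example: read-only check of `rpm -qa` output against this release note.
# Component names come from the RPM lists above (same set for 7.3 and 7.4).
WINCOLLECT_COMPONENTS="AGENT-WINCOLLECT PROTOCOL-WinCollectConfigServer
PROTOCOL-WinCollectFileForwarder PROTOCOL-WinCollectJuniperSBR
PROTOCOL-WinCollectMicrosoftDHCP PROTOCOL-WinCollectMicrosoftDNS
PROTOCOL-WinCollectMicrosoftExchange PROTOCOL-WinCollectMicrosoftIAS
PROTOCOL-WinCollectMicrosoftIIS PROTOCOL-WinCollectMicrosoftISA
PROTOCOL-WinCollectMicrosoftSQL PROTOCOL-WinCollectNetAppDataONTAP
PROTOCOL-WinCollectWindowsEventLog"

# expected_rpms <qradar_stream> <build>: full package names the SFS installs.
expected_rpms() {
    for c in $WINCOLLECT_COMPONENTS; do
        printf '%s-%s-%s.noarch\n' "$c" "$1" "$2"
    done
}

# missing_rpms <qradar_stream> <build>: reads a package list on stdin and
# prints each expected package that is absent (exact whole-line match).
missing_rpms() {
    installed=$(cat)
    expected_rpms "$1" "$2" | while IFS= read -r pkg; do
        printf '%s\n' "$installed" | grep -Fxq -- "$pkg" || printf '%s\n' "$pkg"
    done
}

# other_build_rpms <build>: reads a package list on stdin and prints WinCollect
# packages left over from a different build than the one expected.
other_build_rpms() {
    grep -E '^(AGENT-WINCOLLECT|PROTOCOL-WinCollect)' | grep -Fv -- "-$1.noarch" || true
}

# Constructed sample standing in for `rpm -qa`: the 7.3 set without the
# ConfigServer package, plus a DHCP package with a made-up older build stamp.
sample_rpm_list() {
    expected_rpms 7.3 20200414132329 | grep -v ConfigServer
    echo "PROTOCOL-WinCollectMicrosoftDHCP-7.3-20190101000000.noarch"
    echo "example-unrelated-1.0-1.noarch"
}

echo "Missing from sample:"
sample_rpm_list | missing_rpms 7.3 20200414132329
echo "Other build in sample:"
sample_rpm_list | other_build_rpms 20200414132329
```

On a Console, the same functions take live input, for example `rpm -qa | missing_rpms 7.3 20200414132329`; empty output from both functions means the installed set matches the list for that QRadar version.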


Document Information

Modified date:
18 September 2020

UID

ibm16129345