IBM Support

Release of the WinCollect Stand-alone Patch Installer v7.2.3

Release Notes


Abstract

This release note outlines the requirements and installation instructions for the WinCollect Standalone Patch Installer and WinCollect Configuration Console.

Content

Quick links



Fixed issues list and features

An updated version of the WinCollect Stand-alone Patch Installer has been posted to IBM Fix Central for WinCollect Agent version 7.2.3. This update resolves multiple issues reported in the WinCollect 7.2.2-2 release and updates stand-alone agents to WinCollect version 7.2.3. Questions about this version / upgrade can be discussed in the WinCollect forums here: WinCollect / Windows Event Collection forum.

Issues resolved in WinCollect 7.2.3
Number Description
IV65507WINCOLLECT AGENT DOES NOT CLEAN UP ITS OWN LOG FILES. FOR MORE INFORMATION, SEE HOW TO CONFIGURE LOG ROLLOVER FOR WINCOLLECT 7.2.3 UPGRADES
IV72550WINCOLLECT DHCP LOG SOURCES SHOW ERROR STATUS AND STOP COLLECTING DHCP EVENTS
IV72838NEW WINCOLLECT AGENT INSTALLATIONS CONFIGURED FOR MANAGED HOSTS SHUTDOWN PRIOR TO RECEIVING THEIR FIRST CONFIGURATION
IV74394WINCOLLECT FILE FORWARDER CAN SEND EVENTS TO THE INCORRECT LOG SOURCE
NEW FEATURESTAND-ALONE WINCOLLECT AGENT INSTALLS NOW SUPPORT SENDING EVENTS USING TLS SYSLOG
Note: It might take up to 24 hours for an APARs to be visible online.





How to upgrade to WinCollect v7.2.3


    Supported software versions
    The WinCollect Stand-alone Patch Installer has been validated to install properly on the following Windows software versions:

      • Windows Server 2008 (most recent)
      • Windows Server 2012 (most recent)
      • Windows 7 (most recent)
      • Windows 8 (most recent)
      • Windows Vista (most recent)

        Note: Windows 10 is not supported at this time as this operating system has not been validated by our QA team.


    Installation pre-requisites

      1. WinCollect must already be installed in stand-alone mode on the Windows host. The installer is capable of upgrading both 32-bit and 64-bit WinCollect versions.
      2. .NET framework 3.5 features are required. For information on how to verify .NET installations, see https://www.ibm.com/support/docview.wss?uid=swg21701063
      3. Microsoft Management Console (MMC) 3.0 and later is required.


    Upgrade overview
    To upgrade existing stand-alone WinCollect agents, the administrator must to install the SFS file on the QRadar Console appliance. The SFS contains protocol updates and WinCollect Agent software to remotely update Windows hosts with WinCollect 7.2.3.

    Step 1Step 2Step 3
    Install the Stand-alone Patch Installer on your Windows host using one of the install procedures below:
    Wait for the install to complete.

    For install issues, see the Troubleshooting section.
    Verify that Windows event data is being sent from the updated stand-alone WinCollect agents on the QRadar Console.



Silent installation instructions

Procedure





Installation wizard instructions

The following instructions guide administrators through the GUI installation process.



    Procedure
      1. Download the WinCollect Stand-alone Patch Installer (.exe) from the IBM Fix Central website:
        http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.0-QRADAR-WinCollect_Standalone_Patch_Installer_Setup-7_2_3_20160204150323.exe&includeSupersedes=0&source=fc
      2. Copy the WinCollect Stand-alone Patch Installer to the Windows host.
      3. To install the WinCollect Stand-alone Patch Installer, right-click on the file WinCollect_Standalone_Patch_Installer_Setup-7_2_3_20160204150323.exe and select Run as administrator.
      4. Click Yes to confirm that you want to upgrade.

      5. Click I accept the terms in the license agreement to continue the installation.
      6. Type a User Name and Organization for the installer and click Next.
      7. Select the features to install and click Next.
        • By default, both the WinCollect Patch to upgrade the agent software and the WinCollect Configuration Console are selected to be installed:
        • To only install the WinCollect Stand-alone Patch to upgrade your WinCollect agents to 7.2.3, administrators must disable the Configuration Console as shown below:

      8. Click Install to continue.
      9. Click Finish to complete the installation.


      Results
      The software is installed based on the selected options. If the administrators installed the WinCollect Configuration Console, then they can launch the software from the Start Menu > All Programs > IBM > WinCollect Configuration Console. The administrator can use the WinCollect Configuration Console to edit or configure new log sources for the unmanaged WinCollect agent.


    Troubleshooting the installation


    Troubleshooting 1: The WinCollect agent is not in stand-alone mode
    The existing WinCollect agent must be in stand-alone mode before the installation can begin. If the agent is in managed mode at installation time, the following error is displayed:



    Troubleshooting 2: How to display error messages for a silent install
    If the silent installer does not complete an install, the administrator can replace the /qn flag with /qb, which will display any installation error messages on screen for the remote Windows host. For example:
    WinCollect_Standalone_Patch_Installer_Setup_7_2_2_1018564.exe /s /v" /qb ADDLOCAL=ALL


    Troubleshooting 3: My installation displays a 1720 error message
    If the installer generates a 1720 error, this issue can be cause by using the INSTALLDIR variable as described in APAR IV76915 or can also be due to the lack of the WinCollect agent not having a Status Server value in the install_config.txt file.
      Important: If the administrator continues to experience installation issues, they can use the guided installer by running the exe file without any special command-line parameters. This launches the user interface installation wizard, which when run as administrator has no known issues.


      Procedure
      To set the status server field for the WinCollect agent:
      1. Log in to the Windows system hosting the WinCollect agent as the local administrator.
      2. To open the Run menu, press the Windows logo key + R.
      3. Type the following: services.msc
      4. Click OK.
      5. Locate the WinCollect service and click Stop.
      6. Navigate to the WinCollect installation directory. For example, C:\Program Files\IBM\WinCollect\config
      7. Edit the following file: install_config.txt
      8. Verify that an IP address or host name exists in the STATUSSERVER= field. For example, these are the expected values for an unmanaged install of WinCollect:

        ApplicationIdentifier=<computer name or any identifiable value that describes the agent>
        ConfigurationServer=<must be left blank for unmanaged mode>
        ConfigurationServerPort=8413
        StatusServer=<Requires an IP address or hostname>
        ApplicationToken=<Can be blank or contain a string of values for the encrypted auth token>
        BuildNumber=1018564 <WinCollect version identifier>
      9. Save any changes made to the install_config.txt file.
      10. From the Services window, select the WinCollect service and click Start.
      11. Reinstall the Stand-alone Patch installer from the command-line or use the installation wizard to complete the install.

        Any time an administrator has an unmanaged WinCollect install, it is important to have the STATUSSERVER= field populated with an IP address or hostname. The reason for having a status server is that the agent will generate Syslog event messages to inform administrators of WinCollect issues, like service stopped, service started, authorized token issues, and more.







-------
Where do I find more information?
If you have additional questions or some of this content is not clear, you can see the QRadar forum or contact customer support:

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Documentation","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
10 May 2019

UID

swg27047565