Release Notes
Abstract
This release note outlines the requirements and installation instructions for the WinCollect Standalone Patch Installer and WinCollect Configuration Console.
Content
Quick links
- Fixed issues list and features
- How to upgrade to WinCollect v7.2.3
- Upgrading to WinCollect v7.2.3 using the silent install options
- Upgrading to WinCollect v7.2.3 using the installation wizard
- Troubleshooting
Fixed issues list and features
An updated version of the WinCollect Stand-alone Patch Installer has been posted to IBM Fix Central for WinCollect Agent version 7.2.3. This update resolves multiple issues reported in the WinCollect 7.2.2-2 release and updates stand-alone agents to WinCollect version 7.2.3. Questions about this version / upgrade can be discussed in the WinCollect forums here: WinCollect / Windows Event Collection forum.
Number | Description |
---|---|
IV65507 | WINCOLLECT AGENT DOES NOT CLEAN UP ITS OWN LOG FILES. FOR MORE INFORMATION, SEE HOW TO CONFIGURE LOG ROLLOVER FOR WINCOLLECT 7.2.3 UPGRADES |
IV72550 | WINCOLLECT DHCP LOG SOURCES SHOW ERROR STATUS AND STOP COLLECTING DHCP EVENTS |
IV72838 | NEW WINCOLLECT AGENT INSTALLATIONS CONFIGURED FOR MANAGED HOSTS SHUTDOWN PRIOR TO RECEIVING THEIR FIRST CONFIGURATION |
IV74394 | WINCOLLECT FILE FORWARDER CAN SEND EVENTS TO THE INCORRECT LOG SOURCE |
NEW FEATURE | STAND-ALONE WINCOLLECT AGENT INSTALLS NOW SUPPORT SENDING EVENTS USING TLS SYSLOG |
How to upgrade to WinCollect v7.2.3
- Windows Server 2008 (most recent)
- Windows Server 2012 (most recent)
- Windows 7 (most recent)
- Windows 8 (most recent)
- Windows Vista (most recent)
Note: Windows 10 is not supported at this time as this operating system has not been validated by our QA team. - WinCollect must already be installed in stand-alone mode on the Windows host. The installer is capable of upgrading both 32-bit and 64-bit WinCollect versions.
- .NET framework 3.5 features are required. For information on how to verify .NET installations, see https://www.ibm.com/support/docview.wss?uid=swg21701063
- Microsoft Management Console (MMC) 3.0 and later is required.
Supported software versions
The WinCollect Stand-alone Patch Installer has been validated to install properly on the following Windows software versions:
Installation pre-requisites
Upgrade overview
To upgrade existing stand-alone WinCollect agents, the administrator must to install the SFS file on the QRadar Console appliance. The SFS contains protocol updates and WinCollect Agent software to remotely update Windows hosts with WinCollect 7.2.3.
Step 1 | Step 2 | Step 3 |
Install the Stand-alone Patch Installer on your Windows host using one of the install procedures below: | Wait for the install to complete. For install issues, see the Troubleshooting section. | Verify that Windows event data is being sent from the updated stand-alone WinCollect agents on the QRadar Console. |
Silent installation instructions
Procedure
- Download the WinCollect Stand-alone Patch Installer (.exe) from the IBM Fix Central website:
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.0-QRADAR-WinCollect_Standalone_Patch_Installer_Setup-7_2_3_20160204150323.exe&includeSupersedes=0&source=fc - Copy the WinCollect Stand-alone Patch Installer to the Windows host.
- Open an command-prompt as an administrator.
Note: To quickly launch the command propmpt as an administrators. Click Start, in the search box type cmd and press CTRL+SHIFT+ENTER.
- Select a silent install option There are two different silent install options based on the components you want to install:
- Full install. To upgrade the WinCollect agent to 7.2.3 and installs the latest WinCollect Configuration Console interface, type: WinCollect_Standalone_Patch_Installer_Setup-7_2_3_20160204150323.exe /s /v" /qn"
- To upgrade the WinCollect agent to 7.2.3 only and skip the WinCollect Configuration Console interface install, type:
WinCollect_Standalone_Patch_Installer_Setup-7_2_3_20160204150323.exe /s /v" /qn ADDLOCAL=WinCollect_StandAlone_Patch"
Note: If the install fails, there is a known issue with the INSTALLDIR parameter that can cause MSI script 1720 error messages. Administrators can work around this issue and complete the install without using the INSTALLDIR parameter. For more information, see APAR IV76915.
Installation wizard instructions
The following instructions guide administrators through the GUI installation process.
- Download the WinCollect Stand-alone Patch Installer (.exe) from the IBM Fix Central website:
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.0-QRADAR-WinCollect_Standalone_Patch_Installer_Setup-7_2_3_20160204150323.exe&includeSupersedes=0&source=fc - Copy the WinCollect Stand-alone Patch Installer to the Windows host.
- To install the WinCollect Stand-alone Patch Installer, right-click on the file WinCollect_Standalone_Patch_Installer_Setup-7_2_3_20160204150323.exe and select Run as administrator.
- Click Yes to confirm that you want to upgrade.
- Click I accept the terms in the license agreement to continue the installation.
- Type a User Name and Organization for the installer and click Next.
- Select the features to install and click Next.
- By default, both the WinCollect Patch to upgrade the agent software and the WinCollect Configuration Console are selected to be installed:
- To only install the WinCollect Stand-alone Patch to upgrade your WinCollect agents to 7.2.3, administrators must disable the Configuration Console as shown below:
- Click Install to continue.
- Click Finish to complete the installation.
- Log in to the Windows system hosting the WinCollect agent as the local administrator.
- To open the Run menu, press the Windows logo key + R.
- Type the following: services.msc
- Click OK.
- Locate the WinCollect service and click Stop.
- Navigate to the WinCollect installation directory. For example, C:\Program Files\IBM\WinCollect\config
- Edit the following file: install_config.txt
- Verify that an IP address or host name exists in the STATUSSERVER= field. For example, these are the expected values for an unmanaged install of WinCollect:
ApplicationIdentifier=<computer name or any identifiable value that describes the agent>
ConfigurationServer=<must be left blank for unmanaged mode>
ConfigurationServerPort=8413
StatusServer=<Requires an IP address or hostname>
ApplicationToken=<Can be blank or contain a string of values for the encrypted auth token>
BuildNumber=1018564 <WinCollect version identifier>
- Save any changes made to the install_config.txt file.
- From the Services window, select the WinCollect service and click Start.
- Reinstall the Stand-alone Patch installer from the command-line or use the installation wizard to complete the install.
Any time an administrator has an unmanaged WinCollect install, it is important to have the STATUSSERVER= field populated with an IP address or hostname. The reason for having a status server is that the agent will generate Syslog event messages to inform administrators of WinCollect issues, like service stopped, service started, authorized token issues, and more.
Procedure
Results
The software is installed based on the selected options. If the administrators installed the WinCollect Configuration Console, then they can launch the software from the Start Menu > All Programs > IBM > WinCollect Configuration Console. The administrator can use the WinCollect Configuration Console to edit or configure new log sources for the unmanaged WinCollect agent.
Troubleshooting the installation
Troubleshooting 1: The WinCollect agent is not in stand-alone mode
The existing WinCollect agent must be in stand-alone mode before the installation can begin. If the agent is in managed mode at installation time, the following error is displayed:
Troubleshooting 2: How to display error messages for a silent install
If the silent installer does not complete an install, the administrator can replace the /qn flag with /qb, which will display any installation error messages on screen for the remote Windows host. For example:
WinCollect_Standalone_Patch_Installer_Setup_7_2_2_1018564.exe /s /v" /qb ADDLOCAL=ALL
Troubleshooting 3: My installation displays a 1720 error message
If the installer generates a 1720 error, this issue can be cause by using the INSTALLDIR variable as described in APAR IV76915 or can also be due to the lack of the WinCollect agent not having a Status Server value in the install_config.txt file.
- Important: If the administrator continues to experience installation issues, they can use the guided installer by running the exe file without any special command-line parameters. This launches the user interface installation wizard, which when run as administrator has no known issues.
- Procedure
To set the status server field for the WinCollect agent:
-------
Where do I find more information?
If you have additional questions or some of this content is not clear, you can see the QRadar forum or contact customer support:
- Online QRadar Customer Forums
- Submit and manage your support tickets online 24x7 using IBM Service Request
- QRadar Downloads - IBM Fix Central
- IBM Security Support YouTube channel: http://www.youtube.com/user/IBMSecuritySupport
Was this topic helpful?
Document Information
Modified date:
10 May 2019
UID
swg27047565