How To
Summary
How do I verify which WinCollect agents are missing associated log sources?
Example Use Case:
A company has more than 1500 WinCollect agents deployed; new ones are added every day and old ones are removed promptly, but a SIEM administrator wants to confirm that all WinCollect agents have associated log sources.
Steps
You can use the WinCollect Health Check script to verify which WinCollect agents are not associated with any log source.
- SSH into the QRadar Console.
- Run the WinCollect Health Check script:
/opt/qradar/support/WinCollectHealthCheck.sh -d
In the provided output, find the section List of log sources for each agent. The list queries the managed hosts and their log sources.
Example output:
WinCollect Deployment Summary
WinCollect Versions:
 id | component_name | module_name | type_name | classificationid | version | protocolid
----+---------------------------+-------------------------+------------+------------------+----------------------+------------
. . .
For agents that have log sources, you see this output:
List of logsources for each agent
Description: Queries the managed host and gets their Logsources.
Querying event log sources for agent @ SERVER-A
Logsource ID | devicename | 60 Second EPS
--------------+------------------------------+---------------
313 | WindowsAuthServer @ SERVER-A | 38
But for agents that have no log sources associated, you see this output:
Querying event log sources for agent @ SERVER-B
Logsource ID | devicename | 60 Second EPS
--------------+---------------------------+---------------
--------------+---------------------------+---------------
Tip: To save the output to a file, redirect it, for example:
/opt/qradar/support/WinCollectHealthCheck.sh -d > /root/wc_output.txt
Then search the saved file with grep, for example:
grep -A 3 "Querying event log sources for" /root/wc_output.txt
In conclusion, you can find "orphaned" agents by reviewing the output of the script.
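As an added example that is not part of this tech note, the following shell functions do the grep step mechanically: they parse the saved health check output and report every agent whose block contains no log source rows. The output layout assumed is the one shown above; the sample data embedded below is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the IBM tech note: parse saved output of
# "WinCollectHealthCheck.sh -d" and report agents with zero log sources.
# Assumed layout (as shown in the note): a "Querying event log sources for
# agent @ NAME" line, a column header, a separator, then zero or more rows.

# agent_logsource_counts [FILE]  -> one "AGENT COUNT" line per agent (stdin if no FILE)
agent_logsource_counts() {
    awk '
        function flush() { if (agent != "") print agent, rows; agent = "" }
        /^Querying event log sources for agent @ / { flush(); agent = $NF; rows = 0; next }
        agent == "" { next }                                   # outside an agent block
        /^[[:space:]]*Logsource ID/ { next }                   # column header
        /^[[:space:]]*-+[+]/ { next }                          # separator line(s)
        /^[[:space:]]*[0-9]+[[:space:]]*[|]/ { rows++; next }  # one log source row
        { flush() }                                            # any other line ends the block
        END { flush() }
    ' "$@"
}

# orphaned_agents [FILE]  -> names of agents that have no associated log source
orphaned_agents() {
    agent_logsource_counts "$@" | awk '$2 == 0 { print $1 }'
}

# Constructed sample in the shape of the script output: three agents, one orphaned.
sample_output() {
    cat <<'EOF'
WinCollect Deployment Summary
List of logsources for each agent
Description: Queries the managed host and gets their Logsources.
Querying event log sources for agent @ SERVER-A
 Logsource ID | devicename                   | 60 Second EPS
--------------+------------------------------+---------------
 313          | WindowsAuthServer @ SERVER-A | 38
Querying event log sources for agent @ SERVER-B
 Logsource ID | devicename                   | 60 Second EPS
--------------+------------------------------+---------------
--------------+------------------------------+---------------
Querying event log sources for agent @ SERVER-C
 Logsource ID | devicename                   | 60 Second EPS
--------------+------------------------------+---------------
 414          | WindowsAuthServer @ SERVER-C | 12
 415          | WindowsAuthServer @ SERVER-C | 4
EOF
}

# On the Console you would run: orphaned_agents /root/wc_output.txt
sample_output | orphaned_agents    # prints: SERVER-B
```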
Document Information
Modified date:
01 April 2022
UID
ibm16253267