QRadar: How to verify which WinCollect agent has no associated log sources

How To


Summary

How do I verify which WinCollect agents are missing associated log sources?

Example Use Case:
A company has more than 1500 WinCollect agents deployed. New agents are added every day and old ones are removed promptly, but a SIEM administrator wants to confirm that every WinCollect agent has associated log sources.

Steps

You can use the WinCollect Health Check script to verify which WinCollect agents are not associated with any log source.

  1. SSH into the QRadar Console.
  2. Run the WinCollect Health Check script:
    /opt/qradar/support/WinCollectHealthCheck.sh -d
  3. In the output, find the section "List of logsources for each agent". This section queries each managed host and lists the log sources of its agents.

Example output:

WinCollect Deployment Summary

WinCollect Versions:

 id |      component_name       |       module_name       | type_name  | classificationid |       version        | protocolid
----+---------------------------+-------------------------+------------+------------------+----------------------+------------
.
.
.

For agents that have log sources, you see this output: 
List of logsources for each agent
Description:  Queries the managed host and gets their Logsources.
Querying event log sources for agent @ SERVER-A
 Logsource ID |           devicename         | 60 Second EPS
--------------+------------------------------+---------------
          313 | WindowsAuthServer @ SERVER-A |             38

 
But for agents that have no log sources associated, you see this output:
Querying event log sources for agent @ SERVER-B
 Logsource ID |        devicename         | 60 Second EPS
--------------+---------------------------+---------------

 
Tip: To write the output to a file, run for example:
/opt/qradar/support/WinCollectHealthCheck.sh -d > /root/wc_output.txt
Then search the file with grep, for example:
grep -A 3 "Querying event log sources for" /root/wc_output.txt
Each agent whose "Querying event log sources" block shows only the table header and separator line, with no log source rows beneath it, is an "orphaned" agent with no associated log source.
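As an added example that is not part of the IBM article or of the WinCollectHealthCheck.sh script itself, the following POSIX shell function automates the review step above: it reads the saved output file and prints only the names of agents whose "Querying event log sources" block contains no log source rows. The function names, the sample output (constructed from the excerpts shown above) and the file path are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's script). Lists WinCollect agents that have no
# log source rows in the output of "WinCollectHealthCheck.sh -d".
# Usage: sh find_orphaned_agents.sh /root/wc_output.txt

# Print the agent name from every "Querying event log sources for agent @ X"
# block that contains no data row. A data row is a line that starts with a
# numeric Logsource ID followed by "|"; the header and "-----+-----" separator
# lines never match that pattern. A block ends at a blank line, at the next
# "Querying ..." header, or at end of file.
orphaned_wincollect_agents() {
    awk '
        function report_agent() {
            if (in_block && rows == 0) print agent
            in_block = 0
        }
        /^Querying event log sources for agent @ / {
            report_agent()
            agent = $0
            sub(/^Querying event log sources for agent @ /, "", agent)
            sub(/[ \t\r]+$/, "", agent)
            in_block = 1
            rows = 0
            next
        }
        in_block && /^[ \t]*[0-9]+[ \t]*\|/ { rows++ }
        in_block && /^[ \t\r]*$/ { report_agent() }
        END { report_agent() }
    ' "$1"
}

# Constructed sample output (assumption) shaped like the excerpts in the
# article: SERVER-A and SERVER-C have log sources, SERVER-B has none.
make_sample_output() {
    cat <<'EOF'
WinCollect Deployment Summary

List of logsources for each agent
Description:  Queries the managed host and gets their Logsources.
Querying event log sources for agent @ SERVER-A
 Logsource ID |           devicename         | 60 Second EPS
--------------+------------------------------+---------------
          313 | WindowsAuthServer @ SERVER-A |             38

Querying event log sources for agent @ SERVER-B
 Logsource ID |        devicename         | 60 Second EPS
--------------+---------------------------+---------------

Querying event log sources for agent @ SERVER-C
 Logsource ID |           devicename         | 60 Second EPS
--------------+------------------------------+---------------
          410 | WindowsAuthServer @ SERVER-C |             12
          411 | WindowsDNS @ SERVER-C        |              0
EOF
}

# With a file argument, scan that file; with no argument, demonstrate on the
# constructed sample (prints "SERVER-B").
if [ "$#" -gt 0 ]; then
    orphaned_wincollect_agents "$1"
else
    sample_file=$(mktemp)
    make_sample_output > "$sample_file"
    orphaned_wincollect_agents "$sample_file"
    rm -f "$sample_file"
fi
```

The function keys on the header line rather than on `grep -A 3`, so an agent with a single log source and an agent with none are told apart by counting ID rows, not by line position. A block that is the last one in the file is still checked at END.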

Document Location

Worldwide

Document Information

Modified date:
01 April 2022

UID

ibm16253267