
QRadar: WinCollect log source fails to be created automatically after a new installation

Troubleshooting


Problem

A new managed WinCollect agent is installed from the command line, and the install command includes the options to create the log sources automatically. The agent is installed on the Windows® server, but the log sources are not created automatically in QRadar®.

Resolving The Problem

This article covers three scenarios that can prevent the log sources from being created automatically.

Scenario 1: No Connection between the agent and the Console:

For these log sources to be created automatically, the agent must be able to communicate with the Console. The agent sends the Console a registration request stating which log sources should be created; the Console creates the log sources and sends a message back so that the agent creates its local entries for them. If there is no connection between the agent and the Console, the log sources are not created, so first confirm that the agent registers successfully with the Console.
A managed WinCollect agent needs two ports to communicate with QRadar®: port 514 to send the events, and port 8413 to communicate with the Console. Port 8413 must be open bidirectionally.

The two most common reasons the agent cannot communicate with the Console are:

  1. A network connectivity issue on port 8413. For more information, see The configuration server registration failed with response code 0x80000007.
  2. An incorrect authentication token. For more information, see Update the Authentication Token.

Scenario 2: External Destination was not created previously or it is not the right one:

To have the log source created during installation, you must specify the destination in the install command. For the QRadar® deployment that the events are sent to, always confirm that:
  1. The destination already exists in QRadar®.
  2. The command uses the exact destination name. If the name does not match, the log source is not created. In particular, if you use the IP address or hostname of the Event Collector instead of the destination name, the log source is not created.
To find or create a destination in QRadar®:
  1. Click the Admin tab
  2. Click WinCollect
  3. Click Destinations
  4. Click Add or Edit
  5. In Destination Details, ensure that the destination name matches the Target Destination in the WinCollect Hostname setup configuration. If you are building the installation command with the WinCollect setup UI, enter that destination name in the Target Destination field:
[Image: on the left, the WinCollect installation wizard with the Target Destination field; on the right, the Destination Details of the same destination in QRadar®.]
If the issue is caused by an incorrect Target Destination, /var/log/qradar.error contains an error similar to the one below. To find it, run:
grep -i "registration request" /var/log/qradar.error
Example of the error:
Nov  4 17:39:37 ::ffff:10.10.10.1 [tomcat.tomcat] [WinCollect Agent@10.10.10.2 (796) /console/wincollect] com.q1labs.aleremotemanagement.ALEClientController: [ERROR] [NOT:0000003000][10.10.10.1/- -] [-/- -]A WinCollect registration request is requesting creation of a component (Component1) with invalid Destination Id (null) and Destination Name (10.10.10.1) values, ignoring this component
Here the Event Collector IP address was used instead of the destination name, which produces the error "invalid Destination Id (null) and Destination Name (10.10.10.1)": QRadar® does not recognize the IP address as a destination, so the component is ignored.

Scenario 3: There is already a log source in QRadar® using the log source identifier:

The Log Source Identifier must be supplied when you ask the installer to create the log source. If a WinCollect log source with that log source identifier already exists, a new log source is not created, and /var/log/qradar.error contains an error similar to the one below. To find it, run:
grep -i "registration request" /var/log/qradar.error
Example of the error:
Nov  5 16:22:57 ::ffff:10.10.10.1 [tomcat.tomcat] [WinCollect Agent@10.10.10.2(3156) /console/wincollect] com.q1labs.aleremotemanagement.ALEClientController: [ERROR] [NOT:0000003000][10.10.10.1/- -] [-/- -]A WinCollect registration request is requesting creation of a component (Component1) with Log Source Identifier value (SOMEHOSTNAME) for which there is already a WinCollect Windows log source, ignoring this component.
In this case, open the Log Source Management app, find the existing log source with that log source identifier, and determine why it already has the same identifier before reinstalling or recreating it.
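The two errors above (Scenario 2 and Scenario 3) come out of the same grep over /var/log/qradar.error. As an added example that is not part of this IBM article, the following POSIX shell script runs that grep over a log file and classifies each ignored component as Scenario 2 or Scenario 3, extracting the agent IP address, the component name and the offending value, and flags a Destination Name that is really an IP address. The sample log lines are constructed from the two error examples in this article; the function names and the use of a temporary file are assumptions made for the example, and the parser only knows the two message shapes shown on this page.

```shell
#!/bin/sh
# Triage WinCollect registration errors from /var/log/qradar.error.
# Usage on a Console:  triage_wincollect /var/log/qradar.error

# Constructed sample log lines modelled on the two errors in this article
# (not captured from a real system). Writes them to the file given as $1.
make_sample_log() {
  cat > "$1" <<'EOF'
Nov  4 17:39:37 ::ffff:10.10.10.1 [tomcat.tomcat] [WinCollect Agent@10.10.10.2 (796) /console/wincollect] com.q1labs.aleremotemanagement.ALEClientController: [ERROR] [NOT:0000003000][10.10.10.1/- -] [-/- -]A WinCollect registration request is requesting creation of a component (Component1) with invalid Destination Id (null) and Destination Name (10.10.10.1) values, ignoring this component
Nov  5 16:22:57 ::ffff:10.10.10.1 [tomcat.tomcat] [WinCollect Agent@10.10.10.2(3156) /console/wincollect] com.q1labs.aleremotemanagement.ALEClientController: [ERROR] [NOT:0000003000][10.10.10.1/- -] [-/- -]A WinCollect registration request is requesting creation of a component (Component1) with Log Source Identifier value (SOMEHOSTNAME) for which there is already a WinCollect Windows log source, ignoring this component.
Nov  5 16:23:01 ::ffff:10.10.10.1 [tomcat.tomcat] unrelated INFO line that must be ignored
EOF
}

# triage_wincollect LOGFILE
# Prints one line per ignored component: agent IP, scenario, component, offending value.
triage_wincollect() {
  grep -i "registration request" "$1" | while IFS= read -r line; do
    # Agent address appears as "WinCollect Agent@<ip>" followed by a space or "(".
    agent=$(printf '%s\n' "$line" | sed -n 's/.*WinCollect Agent@\([0-9.]*\).*/\1/p')
    comp=$(printf '%s\n' "$line" | sed -n 's/.*creation of a component (\([^)]*\)).*/\1/p')
    case $line in
      *"invalid Destination Id"*)
        # Scenario 2: the Destination Name in the install command does not exist in QRadar.
        dest=$(printf '%s\n' "$line" | sed -n 's/.*Destination Name (\([^)]*\)).*/\1/p')
        case $dest in
          *[!0-9.]*) hint="" ;;                         # contains non-IP characters
          *)         hint=" hint=IP address used instead of the Destination Name" ;;
        esac
        printf 'agent=%s scenario=2 component=%s destination_name=%s%s\n' \
          "$agent" "$comp" "$dest" "$hint"
        ;;
      *"already a WinCollect Windows log source"*)
        # Scenario 3: a log source with this Log Source Identifier already exists.
        lsi=$(printf '%s\n' "$line" | sed -n 's/.*Log Source Identifier value (\([^)]*\)).*/\1/p')
        printf 'agent=%s scenario=3 component=%s log_source_identifier=%s\n' \
          "$agent" "$comp" "$lsi"
        ;;
      *)
        # A registration error this script does not know; still worth a look.
        printf 'agent=%s scenario=unknown component=%s\n' "$agent" "$comp"
        ;;
    esac
  done
}
```

Each output line names the agent that sent the request, so on a Console serving many agents you can tell which Windows host to fix. A Scenario 2 hit with the hint means the install command carried the Event Collector address where the Destination Name from Admin > WinCollect > Destinations was expected; a Scenario 3 hit gives you the identifier to search for in the Log Source Management app.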

Document Location

Worldwide


Document Information

Modified date:
12 January 2021

UID

ibm16366851