IBM Support

QRadar: Managed WinCollect agent fails to get configuration updates with error: msg=Register with configuration server failed -- The authentication information presented to the server was rejected -- will try again later

Troubleshooting


Problem

Changes made to the configuration of the managed WinCollect agent and its log sources are not being applied to the configuration of the agent installed on the Windows computer.

Symptom

The managed WinCollect Agent fails to get configuration updates. It fails with the error message: msg=Register with configuration server failed -- The authentication information presented to the server was rejected -- will try again later

Cause

The relationship between the public key of the QRadar® managed host being used as the managed WinCollect agent's configuration server and public key used to secure the configuration traffic to and from the managed WinCollect agent is no longer valid.

Environment

QRadar® Versions: ALL
WinCollect Versions: ALL

Diagnosing The Problem

To identify the QRadar® managed host being used as the managed WinCollect agent's configuration server:
  1. Open a remote desktop connection to the WinCollect agent reporting the error message.
  2. On the Windows host, navigate to the WinCollect configuration folder. By default, the folder path is: C:\Program Files\IBM\WinCollect\config
  3. Open the install_config.txt file in Notepad.
  4. The value of the "ConfigurationServer=" parameter is the QRadar® managed host being used as the managed WinCollect agent's configuration server.
On the QRadar® managed host being used as the managed WinCollect agent's configuration server, run the following tcpdump command:
tcpdump -nAs0 -vv -i any port 514 and host <AgentIP>
Note: <AgentIP> is the IP address of the managed WinCollect agent that is reporting the error message.

You should see an error message similar to:
<13>Jan 26 11:45:29 XXXXXXXXX LEEF:1.0|IBM|WinCollect|7.3.0.41|3|src=XXXXXXXXX   os=Windows Server 2012 R2
(Build 9600 64-bit)   dst=XXXXXXXXX   sev=4   log=SRV.System.WinCollectSvc.Service   msg=Register with configuration server
failed -- The authentication information presented to the server was rejected -- will try again later
You can now look in the /var/log/qradar.error log file using the following command:
grep -i wincollect /var/log/qradar.error | less
You will see an error message similar to:
Jan 26 12:26:43 ::ffff:X.X.X.X [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_16]
com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor: 
[WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]Agent <AgentName>(X.X.X.X) public key doesn't match the stored key,
closing connection.

Resolving The Problem

IMPORTANT: Before making any changes, we recommend backing up every file you modify by copying the original file to /store/IBM_Support with the command:
cp -p <filename> /store/IBM_Support
Note: If you have not created the /store/IBM_Support location, this command will create the location when run.

  1. SSH into the QRadar® CLI as the root user.
  2. Locate the managed WinCollect agent's entry in the DB and make note of the managed WinCollect agent's ID:
    psql -U qradar -c "select * from ale_client where hostname like '%<AgentName>%';"
    Note: <AgentName> is the name of the managed WinCollect agent as it appears in the Host Name field of the QRadar® WinCollect UI. This is also the value of the "ApplicationIdentifier=" parameter in the install_config.txt file in the managed WinCollect agent's configuration folder on the Windows host.
    The output of the command will be similar to:
     id |               name               |                  description                  |      hostname       |       version        |                 os_version                 |     last_heartbeat      | status | deployed | enabled | deleted | dirty | config_generation_timestamp | autodiscovered | logsourceid | agent_communication_enabled |                                                                                                                           public_key                                                                                                                            
    ----+----------------------------------+-----------------------------------------------+---------------------+----------------------+--------------------------------------------+-------------------------+--------+----------+---------+---------+-------+-----------------------------+----------------+-------------+-----------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
      6 | WinCollect @ XXXXXXXXX     | WinCollect agent installed on XXXXXXXXX | XXXXXXXXX     | 7.3.0.41             | Windows Server 2012 R2 (Build 9600 64-bit) | 2021-01-26 10:43:26.319 |      4 | t        | t       | f       | f     | 2021-01-25 10:26:18.297     | t              |        1062 | t                           | Z6rdbSww6UVtgExcf8HPfPHg43HZFcpiogiY7P5kAU4hu62C0ud8ILJQ34crksknQCfh1H6AF9tZLmnSFZZjOOqKKXPeOuM6wCFsweWmPmcpaqFZbLLGHPaIxkqNp73O5ZK4ZvPSraJx9Hcg2iwaG5tdFPuvQzN9g8UIqTU8tpGKFpS1HHnqLcCrPMFxd6n4ql4dTL3nNKAExxY065XO41jOohLh6gQrZpNegUPJPjfzF9KrmwadkUAQhr0aAud
    If your output has more than one managed WinCollect agent listed, determine which entry is the correct one for your managed WinCollect agent and make note of the value in the "id" column.
  3. Clear the invalid public key from the managed WinCollect agent's QRadar® DB entry:
    psql -U qradar -c "UPDATE ale_client SET public_key = '' where id = '<AgentID#>';"
    Using the output from Step 2 as an example you would use the command:
    psql -U qradar -c "UPDATE ale_client SET public_key = '' where id = '6';"
  4. SSH to the QRadar® managed host being used as the managed WinCollect agent's configuration server.
  5. Rename the managed WinCollect agent's private key file in the managed WinCollect agent's configserver folder:
    mv /store/configservices/wincollect/configserver/<AgentName>/<AgentName>.key /store/configservices/wincollect/configserver/<AgentName>/<AgentName>.key.old
  6. Exit back to the QRadar® Console.
    Note: Restarting services results in event processing stopping until the services restart. Scheduled reports that are in progress will need to be manually restarted by users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
  7. Restart the event collection services on all managed hosts:
    In the QRadar® UI, see Restarting the event collection service.
    or
    Run the following command from the QRadar® Console CLI:

    /opt/qradar/support/all_servers.sh -C "systemctl restart ecs-ec-ingress"
    
    Note: Restarting the event collection services is required to complete the fix.
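The following script is an added example, not part of QRadar or WinCollect: it runs the detection described under Diagnosing The Problem over qradar.error lines (reading the "public key doesn't match the stored key" warning) to list every agent affected, and checks for the private key file that step 5 renames. The log lines, hostnames and IP addresses embedded in it are constructed samples.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: list managed WinCollect agents whose
# public key no longer matches the key stored in QRadar, using the qradar.error
# warning shown in this document. The log lines below are constructed samples;
# hostnames and IPs are placeholders, not real hosts.

SAMPLE_LOG=$(cat <<'EOF'
Jan 26 12:26:43 ::ffff:10.0.0.5 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_16] com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor: [WARN] [NOT:0000004000][10.0.0.5/- -] [-/- -]Agent WIN-SRV01(10.0.0.5) public key doesn't match the stored key, closing connection.
Jan 26 12:26:50 ::ffff:10.0.0.6 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_3] com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor: [WARN] [NOT:0000004000][10.0.0.6/- -] [-/- -]Agent WIN-SRV02(10.0.0.6) public key doesn't match the stored key, closing connection.
Jan 26 12:26:58 ::ffff:10.0.0.7 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_8] com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor: [INFO] [NOT:0000006000][10.0.0.7/- -] [-/- -]Agent WIN-SRV03(10.0.0.7) connection established (constructed non-matching line).
Jan 26 12:27:01 ::ffff:10.0.0.5 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_16] com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor: [WARN] [NOT:0000004000][10.0.0.5/- -] [-/- -]Agent WIN-SRV01(10.0.0.5) public key doesn't match the stored key, closing connection.
EOF
)

# Read qradar.error lines on stdin; print "AgentName AgentIP Count" for each
# agent that hit the key-mismatch warning, one line per agent, sorted by name.
mismatched_agents() {
    grep -F "public key doesn't match the stored key" \
    | sed -n "s/.*Agent \([^(]*\)(\([^)]*\)) public key doesn't match.*/\1 \2/p" \
    | sort | uniq -c | awk '{print $2, $3, $1}'
}

# Print the agent's private key path in the configserver folder when the file
# exists (the file step 5 renames); return non-zero when it is absent.
# BASE defaults to the QRadar path used in this document.
agent_key_file() {
    name=$1; base=${2:-/store/configservices/wincollect/configserver}
    key="$base/$name/$name.key"
    [ -f "$key" ] && printf '%s\n' "$key"
}

# Driver: scan a real log file when one is given (e.g. /var/log/qradar.error),
# otherwise run the detection over the constructed sample above.
main() {
    if [ $# -gt 0 ]; then
        mismatched_agents < "$1"
    else
        printf '%s\n' "$SAMPLE_LOG" | mismatched_agents
    fi
}
main "$@"
```

Each agent the script lists still has to be matched to its ale_client row by hand, as in step 2, before its public_key is cleared.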

Document Location

Worldwide


Document Information

Modified date:
28 January 2021

UID

ibm16404678