IBM Support

WinCollect: Managed WinCollect agent fails to get configuration updates with error: Register with configuration server failed -- The authentication information presented to the server was rejected -- will try again later

Troubleshooting


Problem

Changes made to the configuration of the managed WinCollect agent and its log sources are not being applied to the configuration of the agent installed on the Windows computer.
Symptom

The managed WinCollect Agent fails to get configuration updates. It fails with the error message:
Register with configuration server failed -- The authentication information presented to the server was rejected -- will try again later

Cause

The relationship between the public key of the QRadar® managed host being used as the managed WinCollect agent's configuration server and public key used to secure the configuration traffic to and from the managed WinCollect agent is no longer valid.

Environment

QRadar® Versions: ALL
WinCollect Versions: ALL

Diagnosing The Problem

The WinCollect agents send their internal events to QRadar, and QRadar creates a log source for each WinCollect agent. The names of these log sources start with WinCollect @ WinCollect_Name or WinCollect DSM @ WinCollect_Name.
In Log Activity, search the log source that holds the internal events of the affected WinCollect agent; the following event is received repeatedly:
<13>Jan 26 11:45:29 XXXXXXXXX LEEF:1.0|IBM|WinCollect|7.3.0.41|3|src=XXXXXXXXX   os=Windows Server 2012 R2
(Build 9600 64-bit)   dst=XXXXXXXXX sev=4log=SRV.System.WinCollectSvc.Service msg=Register with configuration server
failed -- The authentication information presented to the server was rejected -- will try again later
Also, you can look in the /var/log/qradar.error log file using the following command. Replace <wincollect_name> with the WinCollect agent name:
grep -i <wincollect_name> /var/log/qradar.error | less
The error for public keys not matching looks like this:
Jan 26 12:26:43 ::ffff:X.X.X.X [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_16]
com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor: 
[WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]Agent <AgentName>(X.X.X.X) public key doesn't match the stored key,
closing connection.
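The two log sources described under Diagnosing The Problem can be checked mechanically: the rejected-registration message arrives as a LEEF 1.0 internal event from the agent, and the configuration server writes the "public key doesn't match the stored key" warning to qradar.error. The following script is an added example, not part of the IBM technote or of WinCollect, and it assumes the default tab delimiter between LEEF attributes. The host names, IP addresses and log lines in it are constructed samples modelled on the technote's output. It parses both sources, reports only agents that appear in both (so a transient rejection with another cause is not acted on), and builds the step 5 lookup command from the technote for each confirmed agent, refusing agent names that contain characters unsafe to place inside a shell-quoted psql command.

```python
import re

# The exact message the WinCollect agent logs (from the technote).
REGISTRATION_REJECTED = (
    "Register with configuration server failed -- The authentication "
    "information presented to the server was rejected -- will try again later"
)

# qradar.error warning written by the configuration server when keys differ (from the technote).
KEY_MISMATCH_RE = re.compile(
    r"Agent (?P<agent>[^()\s]+)\((?P<ip>[0-9.]+)\) public key doesn't match the stored key"
)

# LEEF 1.0 header: LEEF:1.0|Vendor|Product|Version|EventID|attributes
LEEF_HEADER_RE = re.compile(
    r"LEEF:1\.0\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<version>[^|]*)\|"
    r"(?P<event_id>[^|]*)\|(?P<attrs>.*)$"
)

# Agent names allowed into a shell-quoted psql command (assumption: names are host-name-like).
SAFE_AGENT_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample input modelled on the technote's examples (hosts and IPs are made up).
SAMPLE_INTERNAL_EVENTS = [
    "<13>Jan 26 11:45:29 WINHOST01 LEEF:1.0|IBM|WinCollect|7.3.0.41|3|src=WINHOST01\t"
    "os=Windows Server 2012 R2 (Build 9600 64-bit)\tdst=10.0.0.5\tsev=4\t"
    "log=SRV.System.WinCollectSvc.Service\tmsg=" + REGISTRATION_REJECTED,
    "<13>Jan 26 11:45:31 WINHOST02 LEEF:1.0|IBM|WinCollect|7.3.0.41|3|src=WINHOST02\t"
    "os=Windows Server 2016\tdst=10.0.0.5\tsev=2\t"
    "log=SRV.System.WinCollectSvc.Service\tmsg=Service started",
]
SAMPLE_QRADAR_ERROR = [
    "Jan 26 12:26:43 ::ffff:10.0.0.23 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_16] "
    "com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors."
    "ConnectionEstablishmentVersion2Processor: [WARN] [NOT:0000004000][10.0.0.23/- -] [-/- -]"
    "Agent WINHOST01(10.0.0.23) public key doesn't match the stored key, closing connection.",
    "Jan 26 12:26:50 ::ffff:10.0.0.24 [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_17] "
    "some.other.Class: [INFO] [NOT:0000006000][10.0.0.24/- -] [-/- -]"
    "Agent WINHOST02(10.0.0.24) registered.",
]


def parse_leef(line):
    """Parse one LEEF 1.0 event into its header fields plus key=value attributes.

    Returns None when the line carries no LEEF header.
    """
    m = LEEF_HEADER_RE.search(line)
    if not m:
        return None
    event = {k: m.group(k) for k in ("vendor", "product", "version", "event_id")}
    for pair in m.group("attrs").split("\t"):
        key, sep, value = pair.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event


def is_registration_rejected(event):
    """True when a parsed WinCollect internal event is the rejected-registration message."""
    return (
        event is not None
        and event.get("product") == "WinCollect"
        and event.get("msg") == REGISTRATION_REJECTED
    )


def find_key_mismatches(error_lines):
    """Return (agent, ip) for every 'public key doesn't match' warning in qradar.error lines."""
    hits = []
    for line in error_lines:
        m = KEY_MISMATCH_RE.search(line)
        if m:
            hits.append((m.group("agent"), m.group("ip")))
    return hits


def agents_needing_key_reset(internal_events, error_lines):
    """Agents that both report the rejection and are named in a key-mismatch warning.

    Names are compared case-insensitively; the spelling from qradar.error is returned.
    """
    rejected = {
        ev["src"].lower()
        for ev in map(parse_leef, internal_events)
        if is_registration_rejected(ev) and "src" in ev
    }
    mismatched = {agent.lower(): agent for agent, _ in find_key_mismatches(error_lines)}
    return sorted(mismatched[name] for name in rejected & set(mismatched))


def lookup_command(agent_name):
    """The technote's step 5 psql lookup for one agent; rejects names that are not shell-safe."""
    if not SAFE_AGENT_NAME_RE.match(agent_name):
        raise ValueError(f"refusing to build a command for unexpected agent name {agent_name!r}")
    return (
        'psql -U qradar -c "select id,name,hostname,deleted from ale_client '
        f"where hostname like '%{agent_name}%';\""
    )


if __name__ == "__main__":
    for agent in agents_needing_key_reset(SAMPLE_INTERNAL_EVENTS, SAMPLE_QRADAR_ERROR):
        print(f"{agent}: public key mismatch confirmed; locate its ale_client entry with:")
        print("  " + lookup_command(agent))
```

On a real system, feed `agents_needing_key_reset` the exported internal events of the WinCollect log sources and the lines returned by the grep in the technote instead of the constructed samples; the function only names agents, it does not change anything, so the database and key-file steps below remain a deliberate manual action.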

Resolving The Problem

Note: The following steps require SQL knowledge. Read through all of the steps first and, if you have any doubt, contact QRadar Support.

  1. SSH into the QRadar® CLI as the root user.
  2. Run the following command to create a backup folder if it does not already exist:
    mkdir -p /store/IBM_Support
  3. Run the following command to create a backup for the ale_client table:
    pg_dump -U qradar -t ale_client > /store/IBM_Support/ale_client.sql
  4. Confirm the WinCollect agent name. The WinCollect agent name appears in the Host Name field of the QRadar® WinCollect UI. It is also the value of the "ApplicationIdentifier=" parameter in the \Program Files\IBM\Wincollect\config\install_config.txt file on the Windows host.
  5. Locate the managed WinCollect agent's entry in the DB and make note of the managed WinCollect agent's ID.
    Replace <AgentName> with the WinCollect agent name.
    psql -U qradar -c "select id,name,hostname,deleted from ale_client where hostname like '%<AgentName>%';"
    Example output; take note of the id, which in this case is 6:
     id |               name               |      hostname       | deleted 
    ----+----------------------------------+---------------------+---------
      6 | WinCollect @ XXXXXXXXX           |  XXXXXXXXX          | f
    Note: If your output has more than one managed WinCollect agent listed, choose the one with the deleted value set to f.
  6. Run the following command to clear the invalid public key from the managed WinCollect agent's QRadar® DB entry. Replace <AgentID#> with the id:
    psql -U qradar -c "UPDATE ale_client SET public_key = '' where id = '<AgentID#>';"
    Command example:
    psql -U qradar -c "UPDATE ale_client SET public_key = '' where id = '6';"
    The command outputs UPDATE 1.
  7. SSH to the QRadar® managed host being used as the managed WinCollect agent's configuration server.
  8. Rename the managed WinCollect agent's private key file in the managed WinCollect agent's configserver folder:
    mv /store/configservices/wincollect/configserver/<AgentName>/<AgentName>.key /store/configservices/wincollect/configserver/<AgentName>/<AgentName>.key.old
  9. Move back to the console.
  10. Restart the event collection services on all managed hosts:
    Note:  Restarting services results in event processing stopping until services restart. Scheduled reports that are in-progress need to be manually restarted by users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
    In the QRadar® UI, see Restarting the event collection service.
    Or
    Run the following command from the QRadar® console CLI:

    /opt/qradar/support/all_servers.sh -C "systemctl restart ecs-ec-ingress"

    Result
    The managed WinCollect agent is able to register with QRadar without any issue.

Document Location

Worldwide


Document Information

Modified date:
27 November 2023

UID

ibm16404678