IBM Support

Release of WinCollect Agent V7.3.1 patch 1

Release Notes


Abstract

This release note contains upgrade instructions, new features and improvements, and resolved issues in IBM® WinCollect Agent V7.3.1 p1.

Content

Quick links

Known issues identified in WinCollect V7.3.1 p1

WinCollect 7.3.1 p1 contains the following known issue:

  • Using the agent installer to upgrade an agent that is installed on an second drive (Non C:\) overwrites the AgentConfig.xml file - APAR IJ32255

About WinCollect V7.3.1 p1

WinCollect 7.3.1 p1 contains only the fixes listed below. No new features have been added.

This release updates the IBM® QRadar® WinCollect Agent to display the build number so that you can easily determine which WinCollect agents are updated. Ask questions about this version or the upgrade to this version in our new WinCollect forums (WinCollect forum).

Resolved issues
  • Fixed an issue where the WinCollect configuration server may shut down the agent service when the connection between Console and Managed Host drops over port 443 - see APAR IJ35040
  • Fixed an issue with the communication between QRadar and the WinCollect configuration server when using a custom certificate - see APAR IJ33115
 
Supported Windows® operating systems
 
  • Windows® Server 2019 (including Core)
  • Windows® Server 2016 (including Core)
  • Windows® Server 2012 (including Core)
  • Windows® 10 (most recent)
  • Windows® 8.1

    NOTE: WinCollect is not supported on versions of Windows® that moved to End Of Support by Microsoft®. After software is used beyond the Extended Support End Date, the product might still function as expected; however, IBM® does not make code or vulnerability fixes to resolve WinCollect issues for older operating systems. For more information, see the WinCollect User Guide.

IBM® Statement for WinCollect supported versions
Supported software versions for IBM® WinCollect are the latest version (n) and latest minus one (n-1). Therefore, the two newest versions of WinCollect are the versions that QRadar® support suggests with any support tickets (cases) that are opened. To prevent issues, it is important that you, as an administrator, keep WinCollect deployments updated when new versions are posted to IBM® Fix Central. For questions related to this statement, ask in the WinCollect forum: http://ibm.biz/wincollectforums.
 

Prerequisites for the WinCollect V7.3.1 p1 upgrade

Installation prerequisites
This table is for managed WinCollect agents that receive updates from a QRadar® appliance. Stand-alone WinCollect agents can be updated by using the WinCollect Standalone patch installer file to update the agents on Windows® host (see following links).

Console's WinCollect version Upgrades to WinCollect V7.3.1 p1 Special instructions
WinCollect V7.2.2 No, requires the WinCollect 7.2.2-2 SFS file to be installed first.
Do not use this agent version.
Upgrade to WinCollect V7.2.2-2, then install WinCollect 7.2.5.
WinCollect V7.2.2-1 No, requires the WinCollect 7.2.2-2 SFS file to be installed first.
Do not use this agent version.
Upgrade to WinCollect V7.2.2-2, then install WinCollect 7.2.5.
WinCollect V7.2.2-2 Yes Upgrade to WinCollect V7.3.1 p1. See APAR IV99280.
WinCollect V7.2.3 Yes Upgrade to WinCollect V7.3.1 p1. See APAR IV99280.
WinCollect V7.2.4 Yes Upgrade to WinCollect V7.3.1 p1. See APAR IV99280.
WinCollect V7.2.5 Yes Upgrade to WinCollect V7.3.1 p1.
WinCollect V7.2.6 Yes Upgrade to WinCollect V7.3.1 p1.
WinCollect V7.2.7 Yes Upgrade to WinCollect V7.3.1 p1.
WinCollect V7.2.8 Yes Upgrade to WinCollect V7.3.1 p1.
WinCollect V7.2.9 Yes
Upgrade to WinCollect V7.3.1 p1.
WinCollect V7.3.0 Yes
Upgrade to WinCollect V7.3.1 p1.
WinCollect V7.3.1 Yes Upgrade to WinCollect V7.3.1 p1.

Table 1: The WinCollect version for managed agents can be found in the Agent list on the Admin tab.


QRadar® version prerequisites
WinCollect V7.3.1 p1 supports QRadar® V7.3.3 or later. WinCollect V7.2.5 is the minimum version required to upgrade to QRadar® V7.3.x (any patch level).

Tip: The WinCollect version for managed agents can be found in the Agent list on the Admin tab.
 

Before you begin
To upgrade existing WinCollect agents, you must be an administrator.

Follow these guidelines:

  • To avoid access errors in your log file, close all open QRadar® sessions.
  • Verify that all changes are deployed on your appliances.
  • Ensure that you schedule adequate maintenance time.
    Installing the SFS file forces Tomcat to restart on the QRadar® Console, which logs out QRadar® users and stops any reports that are running in the background.
  • To prevent a host from being updated, the Enable Automatic Updates field must be set to false before you install the SFS file to the Console. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21685330.
  • Install the WinCollect Agent SFS file only on the QRadar® Console appliance. Installing the WinCollect Agent update SFS on a managed host results in an error message.

WinCollect upgrade procedure


Install WinCollect V7.3.1 p1 only on the QRadar® Console. The console appliance replicates all required files to other QRadar® appliances in the deployment.  The SFS contains protocol updates and WinCollect Agent software to remotely update Windows® hosts with WinCollect V7.3.1 p1.

Note: If you are using stand-alone mode, you must download and install the WinCollect Patch Installer V7.3.1 p1 for each Windows® host and install the update locally on each agent.
WinCollect Patch Installer V7.3.1 p1 Links:

WinCollect Agent update links:

For more information about stand-alone mode, see IBM Documentation.

Procedure
These instructions are intended for standard (managed) upgrades of WinCollect. 

  1. Download a WinCollect Agent (V7.3.1) bundle (.SFS) from the IBM® Fix Central website for your QRadar® version:
  2. Use SSH to log in to your Console as the root user. 
  3. For initial installations, create the /storetmp and /media/updates directories if they do not exist. Type the following commands:
    mkdir /media/updates
    mkdir /storetmp
  4. Using a program such as WinSCP, copy the downloaded SFS file to /storetmp on your QRadar® console.
  5. To change to the /storetmp directory, type the following command: cd /storetmp
  6. To mount the SFS file to the /media/updates directory, type the following command:
    mount -o loop -t squashfs <patch file sfs name>.sfs /media/updates
    Example:
    mount -t squashfs -o loop
    730_QRadar_wincollectupdate-7.3.1-22.sfs /media/updates
  7. To run the patch installer, type the following command: /media/updates/installer

    Note: To proceed with the WinCollect Agent update, you must restart services on QRadar® to apply protocol updates. The following message is displayed:

    WARNING: Services need to be shut down in order to apply patches. This will cause an interruption to data collection and correlation.

    Do you wish to continue (Y/N)?
  8. Type Y to continue with the update.

    During the update, the SFS installs new protocol updates. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and run the installer again, the patch installation resumes. After the installation is complete, services are restarted, and the user interface is available.

    Note: During installation, the following message is displayed:
    Patch 144249
    This patch includes a new version of the WinCollect Configuration Server.

    For this new version to run properly, the event collection service needs to be restarted. If you choose to not restart the service, agents cannot get new configurations and code updates until you restart it.

    Choices:
    1. Restart event collection service at the end of the patch installation, on the Console and on all managed hosts patched from the Console.
    2. Do not restart event collection service yet. You will need to restart it in the user interface (Advanced > Restart Event Collection Services).
    3. Abort patch

    After you choose an option, the patch installation continues. When it is complete, press the Enter key to exit the patch screen.
  9. If you selected the second option in step 8, you must complete the following steps:
    In the QRadar
    ® admin settings, click
    Advanced > Deploy Full Configuration.
    In the QRadar® admin settings, click
    Advanced > Restart Event Collection Services.
  10. To unmount the SFS file from the Console, type the following command: umount/media/updates
  11. (Optional) Verify that WinCollect agents are configured to accept remote updates:
    a) Login to QRadar®.
    b) On the navigation menu, click Data Sources.
    c) Click the WinCollect icon.
    d) Review the Automatic Updates Enabled column and select WinCollect agents that have a False value.
    e) Click Enable/Disable Automatic Updates.

Results

Managed WinCollect agents with automatic updates enabled are updated and restarted. The amount of time it takes a managed agent to update depends on the configuration polling interval for the agent and the speed of the network connection between the Console and the agent.
In smaller deployments, updates take a few minutes. However, larger WinCollect deployments might take an hour or two to fully update. By default, agents request configuration updates every 5 minutes when the WinCollect agent has the Enable Automatic Updates option set to true.
You can log in to QRadar® and review the agent list to verify that agents with enabled updates display 7.3.1.xx in the Version column. After one hour passes, you can review whether any WinCollect agents still show older agent versions in QRadar®.

QRadar® V7.3 RPMs contained in the WinCollect SFS installer

When the WinCollect SFS file is installed on the QRadar® Console appliance, the following RPM files are installed.

  • AGENT-WINCOLLECT-7.3-20210928014626.noarch

  • PROTOCOL-WinCollectConfigServer-7.3-20210928014626.noarch

  • PROTOCOL-WinCollectFileForwarder-7.3-20210928014626.noarch

  • PROTOCOL-WinCollectJuniperSBR-7.3-20210928014626.noarch

  • PROTOCOL-WinCollectMicrosoftDHCP-7.3-20210928014626.noarch

  • PROTOCOL-WinCollectMicrosoftDNS-7.3-20210928014626.noarch

  • PROTOCOL-WinCollectMicrosoftExchange-7.3-20210928014626.noarch

  • PROTOCOL-WinCollectMicrosoftIAS-7.3-20210928014626.noarch

  • PROTOCOL-WinCollectMicrosoftIIS-7.3-20210928014626.noarch

  • PROTOCOL-WinCollectMicrosoftISA-7.3-20210928014626.noarch

  • PROTOCOL-WinCollectMicrosoftSQL-7.3-20210928014626.noarch

  • PROTOCOL-WinCollectNetAppDataONTAP-7.3-20210928014626.noarch

  • PROTOCOL-WinCollectWindowsEventLog-7.3-20210928014626.noarch

  • DSM-WinCollect-7.3-20160908133313.noarch

QRadar® V7.4 RPMs contained in the WinCollect SFS installer

When the WinCollect SFS file is installed on the QRadar® Console appliance, the following RPM files are installed.

  • PROTOCOL-WinCollectConfigServer-7.4-20210928014626.noarch

  • PROTOCOL-WinCollectMicrosoftISA-7.4-20210928014626.noarch

  • PROTOCOL-WinCollectNetAppDataONTAP-7.4-20210928014626.noarch

  • AGENT-WINCOLLECT-7.4-20210928014626.noarch

  • PROTOCOL-WinCollectMicrosoftIIS-7.4-20210928014626.noarch

  • PROTOCOL-WinCollectMicrosoftExchange-7.4-20210928014626.noarch

  • PROTOCOL-WinCollectMicrosoftDNS-7.4-20210928014626.noarch

  • PROTOCOL-WinCollectFileForwarder-7.4-20210928014626.noarch

  • PROTOCOL-WinCollectMicrosoftIAS-7.4-20210928014626.noarch

  • PROTOCOL-WinCollectJuniperSBR-7.4-20210928014626.noarch

  • PROTOCOL-WinCollectWindowsEventLog-7.4-20210928014626.noarch

  • PROTOCOL-WinCollectMicrosoftSQL-7.4-20210928014626.noarch

  • PROTOCOL-WinCollectMicrosoftDHCP-7.4-20210928014626.noarch

  • DSM-WinCollect-7.4-20191111023154.noarch

This information is for reference only. Don't install these RPMs themselves; instead, contact QRadar® Support for any installation issues.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000CbY7AAK","label":"QRadar-\u003EEvents-\u003EWincollect"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3, 7.4","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
22 March 2022

UID

ibm16491895