IBM Support

QRadar: How to Restore Deleted WinCollect Agents

How To


Summary

If an administrator deletes a managed WinCollect agent from the user interface, the software interprets this as an agent that no longer sends events to QRadar. Use the following steps to reregister deleted agents that are already in the database, or to reuse the names of VMs whose agents were deleted.

Environment

This procedure applies to WinCollect 7.3.1 agents on the following QRadar versions:
  • QRadar 7.5.x
  • QRadar 7.4.3
  • QRadar 7.4.2 FP1 and greater
  • QRadar 7.4.1 FP2 and greater
  • QRadar 7.3.3 FP6 and greater

Steps

Scenario 1 - Reregister an agent that is already in the database.
 
QRadar administrators can use this solution to re-add an agent. If you know the "Application" Identifier that was in use when the agent was deleted, go to the QRadar WinCollect/Agent UI screen and add the agent using the same name. If you don't know the identifier of the agent, you must access the Windows host, browse to C:\Program Files\IBM\WinCollect\config\, open install_config.txt, and copy the "ApplicationIdentifier=" value to use when you add the agent in the QRadar UI.
Procedure: Populate the Configure WinCollect Agent interface
  1. In the Name field, type WinCollect @ <ApplicationIdentifier value>.
  2. In the Hostname field, type the <ApplicationIdentifier value>.
  3. Type a description, such as WinCollect agent installed on <ApplicationIdentifier value>.
  4. In the WinCollect Version field, type the agent version.
  5. In the OS Version field, type the Microsoft operating system version.
  6. Click Save and then wait at least 5 minutes for the QRadar appliance to communicate back to the agent.
Log Sources
When an agent is disabled or deleted, the log sources associated with that agent are disabled. When you re-enable an agent, you must use the Log Source Management app to re-enable the log sources. Then wait another 5 minutes for the configuration changes to be sent to your agent before your log sources start again.
If there is a bookmark file for the log source, the agent starts processing the oldest event possible if it is still available in the event logging system.
Scenario 2 - Reusing VMs that were deleted
If you want to reuse VMs with the same names as agents that you have deleted, the Windows administrator can use this solution to add the agents back to your QRadar deployment. You can confirm that the agent was deleted by reviewing the WinCollect.log file for the following line:
10-29 12:38:51.451 INFO  SRV.Code.ConfigurationPatchStrategy : The server has informed us that we are deleted.

You can reregister agents that were marked as deleted without the need to reinstall. The Windows admin must drop a force.register file into the C:\Program Files\IBM\WinCollect\patch\ directory, and then restart the WinCollect service. The force.register file disappears, and the agent is then ready to be redeployed. The QRadar admin must then deploy the agent to complete the registration process.
Tip: Use a PowerShell script to reregister a large number of agents.
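The following script is an added example of that tip and is not part of the IBM article. It assumes the default install path from the article, a Windows service named "WinCollect", the log at <install>\logs\WinCollect.log, and PowerShell Remoting enabled on the target hosts; the host names are constructed placeholders.

```powershell
# Added example (not IBM's code): re-register WinCollect agents that the server has marked
# as deleted, on many hosts at once, by dropping force.register into the patch directory
# and restarting the service. Assumed: service name 'WinCollect', log location below.
$Hosts = @('WINSRV-01', 'WINSRV-02')   # constructed list; replace with your agent hosts

$ReRegister = {
    $base       = 'C:\Program Files\IBM\WinCollect'            # default path from the article
    $logFile    = Join-Path $base 'logs\WinCollect.log'        # assumed log location
    $marker     = Join-Path $base 'patch\force.register'       # file the agent consumes on restart
    $deletedMsg = 'The server has informed us that we are deleted'

    # Only act on agents whose log shows the server-side deletion message
    if (-not (Test-Path $logFile) -or
        -not (Select-String -Path $logFile -Pattern $deletedMsg -SimpleMatch -Quiet)) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Action = 'skipped'; Detail = 'no deletion message in log' }
    }

    # Capture the ApplicationIdentifier so the QRadar admin can match the agent in the UI
    $idLine = Select-String -Path (Join-Path $base 'config\install_config.txt') `
                            -Pattern '^ApplicationIdentifier=' | Select-Object -First 1
    $appId  = if ($idLine) { ($idLine.Line -split '=', 2)[1].Trim() } else { 'unknown' }

    # Create the empty force.register file and restart the agent service
    New-Item -Path $marker -ItemType File -Force | Out-Null
    Restart-Service -Name 'WinCollect' -ErrorAction Stop       # assumed service name

    # Per the article, the file disappears once the agent has picked it up
    Start-Sleep -Seconds 15
    $consumed = -not (Test-Path $marker)
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Action = 'force.register'; AppId = $appId; Consumed = $consumed }
}

Invoke-Command -ComputerName $Hosts -ScriptBlock $ReRegister -ErrorAction Continue |
    Select-Object Host, Action, AppId, Consumed, Detail |
    Format-Table -AutoSize
```

Hosts reported with Consumed = True are ready for the QRadar admin to deploy; a False value means the service restarted but the agent has not yet processed the file, so check again before redeploying.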
Log Sources
When an agent is disabled or deleted, the log sources associated with that agent are disabled. When you re-enable an agent, you must use the Log Source Management app to re-enable the log sources. Then wait another 5 minutes for the configuration changes to be sent to your agent before your log sources start again.
If there is a bookmark file for the log source, the agent starts processing the oldest event possible if it is still available in the event logging system.

Document Location

Worldwide


Document Information

Modified date:
25 January 2022

UID

ibm16540292