WinCollect: WinCollect managed hosts and Migration scenarios

Troubleshooting

Problem

There are cases where either a Windows host is rebuilt or migrated to a new appliance. What are the steps required for administrators to either reinstall managed WinCollect?

Resolving The Problem

Administrators might be in a situation where they need to rebuild a WinCollect host, a QRadar Console, or managed host. The term configuration server applies to a QRadar appliance, which is passing any Log Source and other configuration changes to the WinCollect agent. The configuration server might not be the appliance that is receiving events from a WinCollect host. This article provides a checklist for certain situations to assist administrators who need to rebuild their WinCollect host or configuration servers.

Before you begin

You must be an administrator or have and administrator role.
Install the WinCollect software at the latest version.
Back up the <drive>:\Program Files\IBM\WinCollect\config folder from the host you are migrating.
On each QRadar configuration server, create a backup of /store/configservices/wincollect/configserver/<WinCollect hosts>.
You need an Authentication token from the QRadar Console for your WinCollect host.

There are situations where WinCollect hosts, or configuration servers require rebuilding. This article is a guide on some typical situations.

WinCollect and Configuration server rebuilds

This procedure assumes that the Console or managed hosts are using the same hostnames and IP addresses. If the Console or managed host is being decommissioned, then you need to update the install_config.txt file on the WinCollect host with the new configuration server host name or IP address.

When the Configuration Server is a rebuilt Console
1. Log in to the QRadar as an admin User.
2. Click the Admin tab.
3. Under User Management, click Authentication Services.
4. Create an Authorization token.
5. Save the Authorization token used to reregister the WinCollect hosts.
6. Log in to your WinCollect hosts as an admin user.
7. Open a CMD or PowerShell window with administrator permissions.
8. From C:\WINDOWS\system32, stop the WinCollect service.
```
C:\WINDOWS\system32> net stop WinCollect
The WinCollect service was stopped successfully. 
or 
Windows PowerShell Copyright (C) Microsoft Corporation. 
PS C:\WINDOWS\system32> Stop-Service WinCollect
```
9. Navigate to C:\Program Files\IBM\WinCollect\config.
10. Delete or move your Configuration.PEM file.
11. Navigate to C:\Program Files\IBM\WinCollect\bin.
12. Type: InstallHelper.exe -T <Authorization Token from step 4> "C:\Program Files\IBM\WinCollect\config\install_config_autocreate.txt"
  Note: You need to open the CMD command prompt as an administrator to run InstallHelper.exe.
13. Start the WinCollect service from C:\WINDOWS\system32:
```
C:\WINDOWS\system32> net start WinCollect
The WinCollect service is starting.
The WinCollect service was started successfully.
or
Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\WINDOWS\system32> Start-Service WinCollect
```
  Results
  The WinCollect host is now registered with the Configuration server.
When the Configuration Server is a rebuilt Managed Host
If you do not have a saved authorization token, use the steps from the previous section to generate an authorization token.
1. Log in to your WinCollect hosts as an admin user.
2. Open the Services App.
3. Stop the WinCollect Service.
4. Navigate to C:\Program Files\IBM\WinCollect\config, rename or move your Confguration.PEM file.
5. Open the Services App.
6. Start the WinCollect service.
  
  Results
  The WinCollect host is now registered with the Configuration server.

WinCollect and Host rebuilds

This procedure is when administrators need to do a clean installation of managed WinCollect on a Windows host that is rebuilt.

Download the WinCollect software package from fix Central.
Install the WinCollect software package.
Accept the License agreement and click Next.
Enter the Host Identifier, Authorization token, Configuration Console host, and port.
Click Next.
Optional: click the checkbox to Create a Log Source and the information to create the Log Source.
Click Next.
Enter the Heartbeat Parameters.
Click Next.
Review the Installer Parameters.
Click Next > Install.
Log in to the Console as an admin user.
Click Admin tab > Data Sources > WinCollect.
Check for that the WinCollect agent and Log source exist.

WinCollect Host and Clean registration of Agents

This procedure is for WinCollect managed hosts where there is an existing host that needs to the WinCollect software reinstalled.
For this case, you need to rebuild the configuration on the configuration server.

SSH to the QRadar Console as root user.
If the configuration server is not the Console, use SSH to connect to the managed host that is the configuration server.
Navigate to /store/configservices/wincollect/configserver/
Move all folders for hosts you are clean registering out of the configserver directory.
Locate the Authorization token you are using for your WinCollect hosts.
Log in to your WinCollect hosts as an admin user.
Open a CMD or PowerShell window with administrator permissions.

C:\WINDOWS\system32> net stop WinCollect
The WinCollect service was stopped successfully. 
or 
Windows PowerShell Copyright (C) Microsoft Corporation. 
PS C:\WINDOWS\system32> Stop-Service WinCollect

Navigate to C:\Program Files\IBM\WinCollect\config
Delete or move your Configuration.PEM file.
Navigate to C:\Program Files\IBM\WinCollect\bin
Type: InstallHelper.exe -T <Authorization Token from step 4> "C:\Program Files\IBM\WinCollect\config\install_config_autocreate.txt"
Note: You need to open the CMD command prompt as an administrator to run InstallHelper.exe.

Start the WinCollect service.

C:\WINDOWS\system32> net start WinCollect
The WinCollect service is starting.
The WinCollect service was started successfully.
or
Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\WINDOWS\system32> Start-Service WinCollect

Results
The WinCollect agent is registered to the Configuration server.

Migrating from Managed WinCollect 7.3.1 to WinCollect 10 stand-alone

Before you begin:

Before stand-alone WinCollect 10 is installed, uninstall Managed WinCollect.
If you installed managed WinCollect in a nondefault directory, you first need to ensure that you first installed, or upgraded to WinCollect 7.3.1-28 before you do any other steps. Refer to IJ32255: WINCOLLECT 7.3.0 P1 (7.3.0-41) AGENTS THAT ARE NOT INSTALLED ON DRIVE C:\ OF THE WINDOWS COMPUTER CAN STOP SENDING EVENTS
You Can Upgrade stand-alone WinCollect 7.3.1-28 to WinCollect 10.

Procedure to uninstall the Managed WinCollect agent
1. Log in to the Windows host with the WinCollect agent installed.
2. Navigate to the WinCollect config directory.
  Note: The default installation path for this directory is C:\Program Files\IBM\WinCollect\config. However, the installation path might have been customized to the D drive or an external drive.
3. Open the install_config.txt file.
4. Record the value in the ApplicationIdentifier field.
  Note: It is important for administrators to record the value exactly as displayed in the install_config.txt file.
5. Open the command prompt as an administrator.
6. To stop the WinCollect service, type:
```
  net stop WinCollect
```
7. Important. To prevent losing your configuration, ensure your agentConfig.xml file stored in a safe location before you uninstall the WinCollect agent in the next step.
  Note: The default installation path for this file is C:\Program Files\IBM\WinCollect\config\agentConfig.xml.
8. To uninstall the WinCollect agent, type:
```
  "msiexec /x{1E933549-2407-4A06-8EC5-83313513AE4B} REMOVE_ALL_FILES=True /qn"
```
9. Verify that the WinCollect directory is removed from the C:\Program File\IBM directory.
  Note: The default installation path for this directory is C:\Program Files\IBM\WinCollect\config. However, the installation path might have been customized to the D drive or an external drive.
10. Optional: Use the Add or Remove applications app to remove WinCollect.
  
  Results
  Managed WinCollect is removed.
Procedure to upgrade WinCollect stand-alone WinCollect agents
1. Press Windows+R.
2. Type cmd.
3. Press Ctrl+Shift+Enter.
  With the Administrator: Command prompt windows open, use one of the following methods to run the WinCollect 10 .msi upgrade script.
4. To run the WinCollect 10 upgrade wizard, type the following command in the administrative command prompt:
  msiexec.exe /i WinCollect-10.X.X-X.x64.msi
5. To run the WinCollect 10 silent upgrade, type the following command in the administrative command prompt:
  msiexec.exe /qn /i WinCollect-10.X.X-X.x64.msi
  Results
  The WinCollect agent is updated. After the upgrade is complete, you can close the command prompt window.

Related Information

Upgrading to WinCollect 7.3.0: Reinstalling managed and stand-alone agents

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtwAAA","label":"WinCollect"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.3.3;7.4.3;7.5.0"}]

Tips