Troubleshooting
Problem
WinCollect 7 agents configured for remote management from the QRadar Console can write 'Server redirected too many times (20)' messages in qradar.error. This error indicates that there is a mismatch with the Authorized Service token used by WinCollect. To let the WinCollect agents register and receive configuration updates again, replace the expired Authorized Service Token.
Cause
The Authorized Service Token is expired. When this issue occurs, the following error is displayed in qradar.log:
[WinCollectConfigHandler_49] com.q1labs.sem.semsources.wincollectconfigserver.util.WinCollectConsole: [ERROR] [NOT:0000003000][xxx.xxx.xxx.xxx/- -] [-/- -]Agent(xxx.xxx.xxx.xxx) PERF-1200 exception calling console –
[WinCollectConfigHandler_49] java.net.ProtocolException: Server redirected too many times (20)
[WinCollectConfigHandler_49] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1920)
Environment
WinCollect 7.x agents with QRadar SIEM appliances.
Note: The procedure defined in this technical note does not apply to QRadar on Cloud deployments as managed mode is not supported.
Diagnosing The Problem
How to verify whether the Authorized Service Token is Expired.
- Log in to the QRadar Console as an administrator.
- Click the Admin tab.
- In the User Management section, click Authorized Services.
- Confirm the expiration date of the Authorized Service Token used by WinCollect.
Results
Expired authorized service tokens must be replaced. You must create a new authorized service token for agents to communicate to the Console. For more information, see Creating an authorized service token. Managed agents are expected to use the WinCollect user role for remote agents. The WinCollect user role provides required, but minimum permissions to the QRadar Console for security purposes.
Resolving The Problem
To resolve the issue, you must create a new authorized service token, update existing managed agents with your authorized service token, then update the PEM file on each managed WinCollect agent.
Procedure
- From the QRadar Console, click Admin > Authorized Services.
- Select the WinCollect token and copy the value.
- Open a remote desktop (RDP) session to the Windows host with the WinCollect agent.
- From the Windows Start menu, click Start > All Programs > Administration Tools > Services.
- Select the WinCollect service.
- Click Stop.
- Press the Windows logo key +R, type cmd and press Ctrl+Shift+Enter to start the command prompt in administrator mode.
Note: The command prompt must use administrator mode for this procedure to complete successfully.
- Navigate to the bin directory for the WinCollect agent. The default path is C:\Program Files\IBM\WinCollect\bin.
- To change the authentication token for your WinCollect agent, type:
InstallHelper.exe -T authentication_token_value
For example:
InstallHelper.exe -T xxxxx-xxxx-xxxx-xxxx-xxxxx
- Change to the config directory for the WinCollect agent. The default path is C:\Program Files\IBM\WinCollect\config.
cd C:\Program Files\IBM\WinCollect\config
- Rename the ConfigurationServer.PEM file to ConfigurationServer.PEM.old.
ren ConfigurationServer.PEM ConfigurationServer.PEM.old
- From the Windows Start menu, click Start > All Programs > Administration Tools > Services.
- Select WinCollect.
- Click Start.
- Refresh the contents of the C:\Program Files\IBM\WinCollect\config directory and confirm a new ConfigurationServer.PEM file is provided.
Note: If a PEM file is not provided, a firewall or IDP is blocking port 8413 on either the inbound or outbound connection or between your agent and the QRadar appliance. You must resolve your connection issue before the agent can register. To troubleshoot TCP connections with your network team, in PowerShell, type:
Test-NetConnection -ComputerName <configurationServerIP> -Port 8413 -InformationLevel "Detailed"
Results
After the WinCollect service starts, the agent can use the new PEM file to communicate to the configserver protocol and register the agent. If your agent does not register, confirm that a new PEM file is provided in the C:\Program Files\IBM\WinCollect\config directory or diagnose any firewall issues in your network. Bidirectional communication is required on TCP port 8413 between the WinCollect agent and the QRadar appliance. If you continue to experience issues, contact QRadar Support for assistance.
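The agent-side steps of the procedure as one PowerShell script, added here as an example and not IBM's own code. It assumes the Windows service is named WinCollect, the default installation path, a 120-second wait for the new PEM file, and that a non-zero exit code from InstallHelper.exe means failure; the InstallHelper.exe -T call, the PEM rename and the port 8413 test come from the steps above.

```powershell
#Requires -RunAsAdministrator
param(
    # Prompting keeps the token value out of the command line that starts the script.
    [string] $Token = (Read-Host 'New Authorized Service token value'),
    [Parameter(Mandatory)] [string] $ConsoleAddress,            # configuration server IP
    [string] $InstallRoot = 'C:\Program Files\IBM\WinCollect',  # default path from the procedure
    [string] $ServiceName = 'WinCollect',                       # assumption: service name
    [int]    $WaitSeconds = 120                                 # assumption: wait for new PEM
)
$ErrorActionPreference = 'Stop'
$helper = Join-Path $InstallRoot 'bin\InstallHelper.exe'
$pem    = Join-Path $InstallRoot 'config\ConfigurationServer.PEM'

Stop-Service -Name $ServiceName
try {
    # Store the new token in the agent configuration (InstallHelper.exe -T <token>).
    $p = Start-Process -FilePath $helper -ArgumentList '-T', $Token `
                       -WorkingDirectory (Split-Path $helper) -NoNewWindow -Wait -PassThru
    # Assumption: a non-zero exit code means the token was not written.
    if ($p.ExitCode -ne 0) { throw "InstallHelper.exe exited with code $($p.ExitCode)" }

    # Move the old PEM aside so a new one is provided after the service starts.
    if (Test-Path $pem) { Move-Item -Path $pem -Destination "$pem.old" -Force }
}
finally {
    # Restart the agent even if a step failed, so collection does not stay down.
    Start-Service -Name $ServiceName
}

# Poll the config directory for the replacement PEM file.
$deadline = (Get-Date).AddSeconds($WaitSeconds)
while (-not (Test-Path $pem) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 5 }

if (Test-Path $pem) {
    Write-Output "New ConfigurationServer.PEM written $((Get-Item $pem).LastWriteTime)"
}
else {
    # No PEM arrived: run the connectivity check from the note in the procedure.
    Write-Warning "No new PEM after $WaitSeconds seconds; testing TCP 8413 to $ConsoleAddress"
    Test-NetConnection -ComputerName $ConsoleAddress -Port 8413 -InformationLevel Detailed
}
```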
Document Location
Worldwide
Document Information
Modified date:
31 July 2023
UID
ibm17013475