IBM Support

Release of WinCollect Agent 7.2.7

Release Notes


Abstract

This release note contains upgrade instructions and a list of fixed issues for IBM Security WinCollect Agent 7.2.7. Questions about this update can be discussed in the QRadar forums.

Content

Known issues identified in WinCollect 7.2.7



APAR | Description
IJ01089 | HIGH CPU LOAD OBSERVED AFTER UPGRADING WINCOLLECT TO VERSION 7.2.7 AND USING MSEVEN6
IJ01531 | WINCOLLECT CAN SOMETIMES STOP GATHERING WINDOWS IIS LOGS UNTIL A RESTART OF THE AGENT OCCURS
IV96284 | UPGRADING THE WINCOLLECT .SFS CAN REQUIRE AN ADDITIONAL 'DEPLOY FULL CONFIGURATION' TO COMPLETE SOME AGENT INSTALLATIONS


About WinCollect v7.2.7

A new SFS file has been posted to IBM Fix Central for WinCollect version 7.2.7. This installation will install new software on the QRadar appliance and requires a Deploy Full Configuration. A full deploy will restart services on all appliances in the deployment to load the protocol changes for WinCollect protocol plug-ins. A gap in event collection will occur while services are restarting. Administrators who have any long-running reports should ensure these are complete before installing this WinCollect update. Restarting the web server will log off all users while the web server restarts. Any reports in progress will need to be manually started after the user interface is available. This update resolves multiple issues reported in the previous WinCollect release. Questions about this version or upgrade can be discussed in the WinCollect forum.

Features and resolved issues

APAR | Description
IV98218 | ADDED SUPPORT FOR DNS DEBUG LOGGING ON WINDOWS SERVER 2008 (32-BIT).
IV96608 | WINCOLLECT 7.2.6 STOPS COLLECTING EVENTS ON WINDOWS COMPUTERS AFTER THEY REBOOT/RESTART.


Known QRadar issue for older WinCollect versions

APAR | Description
IV99280 | Administrators on WinCollect 7.2.2-2 to 7.2.4 might experience an issue when they attempt to upgrade managed WinCollect agents if the QRadar version is 7.2.8 Patch 7 to 7.2.8 Patch X. A Java 8 update was added in QRadar 7.2.8 Patch 7 and later where TLSv1.0 / TLSv1.1 is disabled. Administrators on old versions of WinCollect can install the WinCollect 7.2.7 SFS update, but might experience an issue where managed agents cannot upgrade properly, as described in APAR IV99280. A workaround is available through QRadar Support.


    Supported Windows operating systems
    • Windows Server 2016
    • Windows Server 2008 (most recent)
    • Windows Server 2008 Core
    • Windows Server 2012 (most recent)
    • Windows Server 2012 Core
    • Windows 7 (most recent)
    • Windows 8 (most recent)
    • Windows 10 (most recent)
    • Windows Vista (most recent)

      NOTE: WinCollect is not supported on versions of Windows that have been moved to End Of Life by Microsoft. After software is beyond the Extended Support End Date the product might still function as expected; however, IBM will not make code or vulnerability fixes to resolve WinCollect issues for older operating systems. For more information, see the WinCollect User Guide.


    IBM Statement for WinCollect supported versions
    Administrators should be aware that the supported software versions for IBM WinCollect are the latest version (n) and latest minus one (n-1). This means that the two newest versions of WinCollect are the versions that QRadar Support will recommend with any support tickets (cases) that are opened. To prevent issues, it is important that administrators keep WinCollect deployments updated when new versions are posted to IBM Fix Central. For questions related to this statement, ask in the WinCollect forum: http://ibm.biz/wincollectforums.


Prerequisites for the WinCollect 7.2.7 upgrade


    Installation prerequisites
    This table is intended for managed WinCollect agents that receive updates from a QRadar appliance. Stand-alone WinCollect agents can be updated by running the 7.2.0-QRADAR-wincollect-standalone-patch-installer-7.2.7-20.exe file on the Windows host.

    Console's WinCollect version | Upgrades to WinCollect 7.2.7? | Special instructions
    WinCollect 7.2.2 | No, requires the WinCollect 7.2.2-2 SFS file to be installed first. | No administrators should be using this agent version. Upgrade to WinCollect 7.2.2-2, then install WinCollect 7.2.5.
    WinCollect 7.2.2-1 | No, requires the WinCollect 7.2.2-2 SFS file to be installed first. | No administrators should be using this agent version. Upgrade to WinCollect 7.2.2-2, then install WinCollect 7.2.5.
    WinCollect 7.2.2-2 | Yes | Upgrade to WinCollect 7.2.7. See APAR IV99280.
    WinCollect 7.2.3 | Yes | Upgrade to WinCollect 7.2.7. See APAR IV99280.
    WinCollect 7.2.4 | Yes | Upgrade to WinCollect 7.2.7. See APAR IV99280.
    WinCollect 7.2.5 | Yes | Upgrade to WinCollect 7.2.7.
    WinCollect 7.2.6 | Yes | Upgrade to WinCollect 7.2.7.
    Important:
    Table 1: The WinCollect version for managed agents can be found in the Agent list on the Admin tab.


    QRadar version prerequisites
    This table is intended to outline WinCollect version requirements for QRadar.
    QRadar version | Special instructions
    QRadar 7.2.8 Patch 7 or above | If you are on a WinCollect version between 7.2.2-2 to 7.2.4, see APAR IV99280.
    QRadar 7.3.0 | WinCollect 7.2.5 is the minimum version required to upgrade to QRadar 7.3.0 (any patch level).
    Table 2: The WinCollect version for managed agents can be found in the Agent list on the Admin tab.



    Before you begin

    • To avoid access errors in your log file, close all open QRadar sessions.
    • Verify that all changes are deployed on your appliances.
    • Installing the SFS file forces a Tomcat restart on the Console, which will log out QRadar users and stop any reports running in the background. Administrators should be aware of this service restart to schedule maintenance time appropriately.
    • It is possible for the administrator to prevent a software update to a critical business asset or server from the WinCollect agent list on the Admin tab. To prevent a host from being updated, the Enable Automatic Updates field must be set to false before you install the SFS file to the Console. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21685330.
    • The WinCollect Agent SFS file can only be installed on the QRadar Console appliance. Installing the WinCollect Agent update SFS on a managed host displays an error message to the administrator.



WinCollect upgrade procedure


This section outlines how to install WinCollect 7.2.7 on the QRadar Console. The WinCollect update only needs to be installed on the QRadar Console. The Console appliance will replicate all required files to other QRadar appliances in the deployment. To upgrade existing WinCollect agents, the administrator must install the SFS file on the QRadar Console appliance. The SFS contains protocol updates and WinCollect Agent software to remotely update Windows hosts with WinCollect 7.2.7.


NOTE: If you are using 'Stand-alone' mode, you must download and install the WinCollect Patch Installer 7.2.7 for each Windows host and install the update locally on each agent. For more information about Stand-alone mode, see the WinCollect Guide.

    Procedure
    These instructions are intended for standard (managed) upgrades of WinCollect.
      1. Download a WinCollect Agent (v7.2.7) bundle (.SFS) from the IBM Fix Central website for your QRadar version:
      2. Using SSH, log in to your Console as the root user. This SFS file is only installed on the QRadar Console. There is no need to install the WinCollect SFS on non-Console appliances.
      3. Copy the fix pack to the /tmp directory on the QRadar Console. If space in the /tmp directory is limited, copy the SFS to another location that has sufficient space, such as /root or /storetmp for QRadar 7.3.0 Consoles.
      4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
      5. Change to the directory where you copied the patch file. For example, cd /tmp
      6. To mount the patch file to the /media/updates directory, type one of the following commands:
        • QRadar 7.2.x: mount -o loop -t squashfs 720_QRadar_wincollectupdate-7.2.0.511.sfs /media/updates
        • QRadar 7.3.x: mount -o loop -t squashfs 730_QRadar_wincollectupdate-7.3.0.106.sfs /media/updates
      7. To run the patch installer, type the following command: /media/updates/installer

        NOTE: To proceed with the WinCollect Agent update, services need to be restarted on QRadar to apply protocol updates. The following message is displayed:

        WARNING: Services need to be shutdown in order to apply patches. This will cause an interruption to data collection and correlation.

        Do you wish to continue (Y/N?


      8. To continue with the update, type Y.

        During the update, the SFS installs new protocol updates. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes. After the installation is complete, services are restarted and the user interface is available.
      9. Administrators can delete the WinCollect update SFS file from the QRadar Console.
      10. To unmount the SFS file from the Console, type: umount /media/updates
      11. Log in to the QRadar Console user interface.

        Important: Completing the full deploy will restart services on all appliances in the deployment to load the protocol changes. A gap in event collection will occur while services are restarting. Administrators that have any long running reports should ensure these are complete before step #11. Restarting the web server will log off all users while the web server restarts. Any reports in progress when the web server is restarted will need to be manually started after the user interface is available.

      12. From the Admin tab, select Advanced > Deploy Full Configuration.
      13. From the Admin tab, select Advanced > Restart Web Server.
    Results
    Administrators should wait for the WinCollect agent to update the remote Windows host with the latest software. In smaller deployments, updates should only take a few minutes; however, larger WinCollect deployments might take an hour or two to fully update. By default, agents request configuration updates every 10 minutes if the WinCollect agent has Enable Automatic Updates set to true.

    Administrators can log in to the QRadar user interface and review the agent list to verify that agents with updates enabled display 7.2.7 in the Version column. After one hour has passed, the administrator can review whether any WinCollect agents still show older agent versions in the QRadar user interface. If the QRadar Console is at QRadar 7.2.8 Patch 7 or later and you are attempting to upgrade from a WinCollect version between 7.2.2-2 and 7.2.4, you might be experiencing the upgrade issue outlined here: IV99280.
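
    Added example (not IBM code, not part of the original release note): a pre-flight wrapper for steps 3 to 6 that picks a staging directory with enough free space, selects the SFS file that matches the Console's QRadar version, and refuses to mount over an existing mount point. The function names, the --mount switch and passing the QRadar version as an argument are assumptions; the file names and /media/updates are the ones given in the procedure.

```bash
#!/bin/bash
# Added example, not IBM code. Function names and --mount are hypothetical;
# the SFS file names and /media/updates come from the procedure above.
MOUNT_DIR=/media/updates

# Map the Console's QRadar version (e.g. 7.2.8, 7.3.0) to the matching SFS.
sfs_for_qradar() {
  case "$1" in
    7.2|7.2.*) echo "720_QRadar_wincollectupdate-7.2.0.511.sfs" ;;
    7.3|7.3.*) echo "730_QRadar_wincollectupdate-7.3.0.106.sfs" ;;
    *) return 1 ;;
  esac
}

# Step 3: print the first candidate directory with at least $1 KiB free.
pick_staging_dir() {
  local need d avail
  need=$1; shift
  for d in "$@"; do
    avail=$(df -Pk "$d" 2>/dev/null | awk 'NR==2 {print $4}')
    if [ -n "$avail" ] && [ "$avail" -ge "$need" ]; then
      echo "$d"; return 0
    fi
  done
  return 1
}

# Steps 4-6 with checks. $1 = QRadar version, $2 = directory holding the SFS.
preflight_and_mount() {
  local sfs dir
  dir=${2:-/tmp}
  sfs=$(sfs_for_qradar "$1") || { echo "unsupported QRadar version: $1" >&2; return 2; }
  [ "$(id -u)" -eq 0 ] || { echo "run as root on the Console" >&2; return 3; }
  [ -f "$dir/$sfs" ] || { echo "missing $dir/$sfs" >&2; return 4; }
  mkdir -p "$MOUNT_DIR"
  if mountpoint -q "$MOUNT_DIR"; then
    echo "$MOUNT_DIR is already a mount point; umount it first" >&2; return 5
  fi
  mount -o loop -t squashfs "$dir/$sfs" "$MOUNT_DIR" || return 6
  [ -x "$MOUNT_DIR/installer" ] || { echo "installer not found" >&2; return 7; }
  echo "mounted $sfs; next step: $MOUNT_DIR/installer"
}

# Acts only when asked, e.g.: ./wincollect_preflight.sh --mount 7.3.0 /tmp
if [ "${1:-}" = "--mount" ]; then
  preflight_and_mount "${2:-}" "${3:-/tmp}"
fi
```

    The script stops before step 7, so the installer prompt and the service restart remain a deliberate manual action.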


QRadar 7.2 RPMs contained in the WinCollect SFS installer


The following RPM files are contained within the WinCollect 7.2.7 SFS file. When the WinCollect SFS file is installed on the Console appliance, the following RPM files are installed. This information is intended for reference only. Administrators should never attempt to install these RPMs themselves; instead, contact QRadar Support for any installation issues.

    • AGENT-WINCOLLECT-7.2-20170822145159.noarch
    • PROTOCOL-WinCollectMicrosoftSQL-7.2-20170822145159.noarch
    • PROTOCOL-WinCollectMicrosoftDNS-7.2-20170822145159.noarch
    • PROTOCOL-WinCollectMicrosoftIAS-7.2-20170822145159.noarch
    • PROTOCOL-WinCollectNetAppDataONTAP-7.2-20170822145159.noarch
    • PROTOCOL-WinCollectMicrosoftISA-7.2-20170822145159.noarch
    • PROTOCOL-WinCollectWindowsEventLog-7.2-20170822145159.noarch
    • PROTOCOL-WinCollectMicrosoftDHCP-7.2-20170822145159.noarch
    • PROTOCOL-WinCollectJuniperSBR-7.2-20170822145159.noarch
    • PROTOCOL-WinCollectMicrosoftIIS-7.2-20170822145159.noarch
    • PROTOCOL-WinCollectConfigServer-7.2-20170822145159.noarch
    • DSM-WinCollect-7.2-922053.noarch
    • PROTOCOL-WinCollectFileForwarder-7.2-20170822145159.noarch



QRadar 7.3 RPMs contained in the WinCollect SFS installer


The following RPM files are contained within the WinCollect 7.2.7 SFS file. When the WinCollect SFS file is installed on the Console appliance, the following RPM files are installed. This information is intended for reference only. Administrators should never attempt to install these RPMs themselves; instead, contact QRadar Support for any installation issues.

    • AGENT-WINCOLLECT-7.3-20170822145232.noarch
    • PROTOCOL-WinCollectJuniperSBR-7.3-20170822145232.noarch
    • PROTOCOL-WinCollectConfigServer-7.3-20170822145232.noarch
    • PROTOCOL-WinCollectMicrosoftDHCP-7.3-20170822145232.noarch
    • PROTOCOL-WinCollectNetAppDataONTAP-7.3-20170822145232.noarch
    • PROTOCOL-WinCollectMicrosoftISA-7.3-20170822145232.noarch
    • PROTOCOL-WinCollectFileForwarder-7.3-20170822145232.noarch
    • PROTOCOL-WinCollectWindowsEventLog-7.3-20170822145232.noarch
    • PROTOCOL-WinCollectMicrosoftSQL-7.3-20170822145232.noarch
    • DSM-WinCollect-7.3-20160908133313.noarch
    • PROTOCOL-WinCollectMicrosoftIAS-7.3-20170822145232.noarch
    • PROTOCOL-WinCollectMicrosoftDNS-7.3-20170822145232.noarch
    • PROTOCOL-WinCollectMicrosoftIIS-7.3-20170822145232.noarch



Document Information

Modified date:
17 June 2018

UID

swg27049809