IBM Support

Release of WinCollect Agent V7.2.9

Release Notes


Abstract

This release note contains upgrade instructions and a list of fixed issues for IBM Security WinCollect Agent V7.2.9. Questions about this update can be discussed in the QRadar forums.

Content


Known issues identified in WinCollect V7.2.9

There are no known issues specific to WinCollect V7.2.9 at this time.

About WinCollect V7.2.9

This release updates the IBM QRadar WinCollect Agent UI to display the build number in the agent. Now you can easily determine which WinCollect agents are updated. Questions about this version or upgrade can be discussed in the new WinCollect forum.

Features and resolved issues

  • Support for multiple line parsing in File Forwarder.
  • Windows Event Forwarding supports filtering on forwarded events and custom log source naming.
  • Support for TCP protocol for WinCollect heartbeat and status messages in stand-alone WinCollect deployments.
  • WinCollect DHCP supports Spanish and Polish.
  • The limit of 10 queries in an XPath was removed.
  • Support for milliseconds in WinCollect payload timestamps.
  • Support for NetApp 9.x.
  • Support for Windows Server 2019.
  • WinCollect installers are now digitally signed.
  • Increased the time between reconnect/logon attempts when WinCollect cannot connect to a remote machine.
  • Specific TLS ciphers can be disabled using a configuration file.
  • Sorting for log sources in the Configuration Console UI.
  • Fixed an issue where FQDN using MSEVEN6 causes access denied errors.
  • Fixed the WinCollect agent log to make it easier to read in plain text editors.
  • Fixed an issue where the WinCollect service may not restart the agent server properly.
  • Support for REMOTE, DSPOLL, or DSWRITE entries with DNS Debug logging.
  • Event Caching memory improvements.
  • Fixed an issue with Log Source Coalescing and WinCollect Log Source Auto Create.
  • Default for file-based protocols is now "Text (file opened when reading)."
  • WinCollect log sources now accept "_" and "/" in the Log Source Identifier field.
  • Fixed issue with ISA/TMG log sources and remote server reboot.
  • Fixed an issue with the Min/Max tuning profiles using the Log Source Management App.
  • Fixed a formatting issue with debug logging.


Supported Windows operating systems

  • Windows Server 2019 (including core)
  • Windows Server 2016 (including core)
  • Windows Server 2012 R2 (including core)
  • Windows Server 2008 R2 (including core)
  • Windows 10
  • Windows 8.1
  • Windows 7
  • Windows Vista

    NOTE: WinCollect is not supported on versions of Windows that have been moved to End Of Life by Microsoft. After software is used beyond the Extended Support End Date, the product might still function as expected; however, IBM will not make code or vulnerability fixes to resolve WinCollect issues for older operating systems. For more information, see the WinCollect User Guide.

IBM Statement for WinCollect supported versions
Administrators should be aware that the supported software versions for IBM WinCollect are the latest version (n) and the latest minus one (n-1). This means that the two newest versions of WinCollect are the versions that QRadar Support will recommend with any support tickets (cases) that are opened. To prevent issues, it is important that administrators keep WinCollect deployments updated when new versions are posted to IBM Fix Central. For questions related to this statement, ask in the WinCollect forum: http://ibm.biz/wincollectforums.


Prerequisites for the WinCollect V7.2.9 upgrade

Installation prerequisites
This table is intended for managed WinCollect agents that receive updates from a QRadar appliance. Stand-alone WinCollect agents can be updated by using the wincollect-standalone-patch-installer-7.2.9-72.exe file to update the agents on the Windows host.

| Console's WinCollect version | Upgrades to WinCollect V7.2.9 | Special instructions |
|---|---|---|
| WinCollect V7.2.2 | No, requires the WinCollect 7.2.2-2 SFS file to be installed first. | No administrators should be using this agent version. Upgrade to WinCollect V7.2.2-2 and then install WinCollect 7.2.5. |
| WinCollect V7.2.2-1 | No, requires the WinCollect 7.2.2-2 SFS file to be installed first. | No administrators should be using this agent version. Upgrade to WinCollect V7.2.2-2 and then install WinCollect 7.2.5. |
| WinCollect V7.2.2-2 | Yes | Upgrade to WinCollect V7.2.9. See APAR IV99280. |
| WinCollect V7.2.3 | Yes | Upgrade to WinCollect V7.2.9. See APAR IV99280. |
| WinCollect V7.2.4 | Yes | Upgrade to WinCollect V7.2.9. See APAR IV99280. |
| WinCollect V7.2.5 | Yes | Upgrade to WinCollect V7.2.9. |
| WinCollect V7.2.6 | Yes | Upgrade to WinCollect V7.2.9. |
| WinCollect V7.2.7 | Yes | Upgrade to WinCollect V7.2.9. |
| WinCollect V7.2.8 | Yes | Upgrade to WinCollect V7.2.9. |

Table 1: The WinCollect version for managed agents can be found in the Agent list on the Admin tab.


QRadar version prerequisites
This table outlines the WinCollect version requirements for QRadar.

| QRadar version | Special instructions |
|---|---|
| QRadar V7.2.8 Patch 7 or above | If you are on a WinCollect version between V7.2.2-2 and V7.2.4, see APAR IV99280. |
| QRadar V7.3.x | WinCollect V7.2.5 is the minimum version required to upgrade to QRadar V7.3.x (any patch level). |

Table 2: The WinCollect version for managed agents can be found in the Agent list on the Admin tab.
 

Before you begin

  • To avoid access errors in your log file, close all open QRadar sessions.
  • Verify that all changes are deployed on your appliances.
  • Installing the SFS file forces a Tomcat restart on the Console, which will log out QRadar users and stop any reports running in the background. Administrators should be aware of this service restart to schedule maintenance time appropriately.
  • It is possible for the administrator to prevent a software update to a critical business asset or server from the WinCollect agent list on the Admin tab. To prevent a host from being updated, the Enable Automatic Updates field must be set to false before you install the SFS file to the Console. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21685330.
  • The WinCollect Agent SFS file can be installed only on the QRadar Console appliance. Installing the WinCollect Agent update SFS on a managed host will display an error message to the administrator.

WinCollect upgrade procedure


This section outlines how to install WinCollect V7.2.9 on the QRadar Console. The WinCollect update needs only to be installed on the QRadar Console. The Console appliance will replicate all required files to other QRadar appliances in the deployment. To upgrade existing WinCollect agents, the administrator must install the SFS file on the QRadar Console appliance. The SFS contains protocol updates and WinCollect Agent software to remotely update Windows hosts with WinCollect V7.2.9.

NOTE: If you are using 'stand-alone' mode, you must download and install the WinCollect Patch Installer V7.2.9 for each Windows host and install the update locally on each agent. For more information about stand-alone mode, see the WinCollect Guide.

Procedure
These instructions are intended for standard (managed) upgrades of WinCollect.

  1. Download a WinCollect Agent (v7.2.9) bundle (.SFS) from the IBM Fix Central website for your QRadar version:
  2. Using SSH, log in to your Console as the root user. This SFS file is only installed on the QRadar Console. There is no need to install the WinCollect SFS on non-Console appliances.
  3. Copy the fix pack to the /tmp directory on the QRadar Console. If space in the /tmp directory is limited, copy the SFS to another location that has sufficient space, such as /root or /storetmp for QRadar 7.3.0 Consoles.
  4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
  5. Change to the directory where you copied the installer file. For example, cd /tmp
  6. To mount the patch file to the /media/updates directory, type one of the following commands:
    • QRadar 7.2.x: mount -o loop -t squashfs 720_QRadar_wincollectupdate-7.2.9-72.sfs /media/updates
    • QRadar 7.3.x: mount -o loop -t squashfs 730_QRadar_wincollectupdate-7.2.9-72.sfs /media/updates
  7. To run the installer, type the following command: /media/updates/installer

    NOTE: To proceed with the WinCollect Agent update, you must restart the services on QRadar to apply protocol updates. The following message is displayed:

    WARNING: Services need to be shutdown in order to apply patches. This will cause an interruption to data collection and correlation.

    Do you wish to continue (Y/N)?

     
  8. Type Y to continue with the update.

    NOTE: During the update, the SFS installs new protocol updates. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes. After the installation is complete, services are restarted and the user interface is available.
     
  9. WARNING: Patch 144249 includes a new version of the WinCollect Configuration Server. If you do not restart the event collection service, agents cannot get new configurations and code updates.
     Perform one of the following tasks:
    • Restart event collection service at the end of the patch installation on the Console and on all managed hosts patched from the Console.
    • Do not restart event collection service yet. You will need to restart it in the user interface (Advanced > Restart Event Collection Services).
    • Abort the patch installation.
  10. The administrators can delete the WinCollect update SFS file from the QRadar Console.
  11. To unmount the SFS file from the Console, type the following command: umount /media/updates
  12. (Optional) If you selected option #2 in Step 9, select Advanced > Restart Web Server on the Admin tab.
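
A pre-flight check for steps 3 to 6, as an added example (not IBM's code and not part of the original release note): it picks the SFS file name that matches the Console's QRadar version and confirms the file is a squashfs image before printing the mount command from step 6. The function names, the exit codes, and passing the QRadar version as an argument are assumptions of this example.

```bash
#!/bin/bash
# Added example: checks to run before mounting the WinCollect SFS.
# Function names, exit codes and the argument layout are illustrative.

# Map the Console's QRadar version (for example "7.3.1") to the SFS
# file name given in step 6 of the procedure.
sfs_name_for() {
  case "$1" in
    7.2.*) echo "720_QRadar_wincollectupdate-7.2.9-72.sfs" ;;
    7.3.*) echo "730_QRadar_wincollectupdate-7.2.9-72.sfs" ;;
    *)     return 1 ;;
  esac
}

# A squashfs image begins with the 4-byte magic "hsqs". A truncated,
# renamed or otherwise wrong download is rejected here, before mount.
is_squashfs() {
  [ -f "$1" ] && [ "$(head -c 4 "$1" 2>/dev/null)" = "hsqs" ]
}

# usage: preflight <qradar-version> <dir-holding-sfs> [mount-point]
# Prints the mount command to run, or returns non-zero with a reason:
#   2 = no SFS for this QRadar version, 3 = file missing or not squashfs,
#   4 = mount point already in use (an earlier SFS is still mounted).
preflight() {
  local ver="$1" dir="$2" mnt="${3:-/media/updates}" sfs
  sfs="$(sfs_name_for "$ver")" || {
    echo "no WinCollect 7.2.9 SFS for QRadar $ver" >&2; return 2; }
  is_squashfs "$dir/$sfs" || {
    echo "missing or not a squashfs image: $dir/$sfs" >&2; return 3; }
  if mountpoint -q "$mnt" 2>/dev/null; then
    echo "$mnt is already a mount point; unmount it first" >&2; return 4
  fi
  echo "mount -o loop -t squashfs $dir/$sfs $mnt"
}
```

On the Console, a call such as `preflight 7.3.1 /tmp` prints the command to type for step 6, or the reason the SFS should not be mounted.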

Results
Administrators should wait for the WinCollect agent to update the remote Windows host with the latest software. In smaller deployments, updates should only take a few minutes; however, larger WinCollect deployments might take an hour or two to fully update. By default, agents request configuration updates every 10 minutes if the WinCollect agent has Enable Automatic Updates set to true.

Administrators can log in to QRadar and review the agent list to verify that agents with updates enabled display 7.2.9 in the Version column. After one hour has passed, the administrator can review whether any WinCollect agents still show older agent versions in QRadar. If the QRadar Console is at QRadar V7.2.8 Patch 7 or later and you are attempting to upgrade from WinCollect V7.2.2-2 to WinCollect V7.2.4, you might be experiencing the upgrade issue outlined in APAR IV99280.

QRadar 7.2 RPMs contained in the WinCollect SFS installer


The following RPM files are contained within the WinCollect V7.2.9 SFS file. When the WinCollect SFS file is installed on the Console appliance, the following RPM files are installed. This information is intended for reference only. Administrators should never attempt to install these RPMs themselves; instead contact QRadar Support for any installation issues.

  • AGENT-WINCOLLECT-7.2-20190501134740.noarch
  • PROTOCOL-WinCollectConfigServer-7.2-20190501134740.noarch
  • PROTOCOL-WinCollectMicrosoftDHCP-7.2-20190501134740.noarch
  • PROTOCOL-WinCollectMicrosoftDNS-7.2-20190501134740.noarch
  • PROTOCOL-WinCollectMicrosoftIAS-7.2-20190501134740.noarch
  • PROTOCOL-WinCollectMicrosoftSQL-7.2-20190501134740.noarch
  • PROTOCOL-WinCollectMicrosoftISA-7.2-20190501134740.noarch
  • PROTOCOL-WinCollectMicrosoftIIS-7.2-20190501134740.noarch
  • PROTOCOL-WinCollectJuniperSBR-7.2-20190501134740.noarch
  • PROTOCOL-WinCollectWindowsEventLog-7.2-20190501134740.noarch
  • PROTOCOL-WinCollectMicrosoftExchange-7.2-20190501134740.noarch
  • DSM-WinCollect-7.2-922053.noarch
  • PROTOCOL-WinCollectNetAppDataONTAP-7.2-20190501134740.noarch
  • PROTOCOL-WinCollectFileForwarder-7.2-20190501134740.noarch

QRadar 7.3 RPMs contained in the WinCollect SFS installer


The following RPM files are contained within the WinCollect V7.2.9 SFS file. When the WinCollect SFS file is installed on the Console appliance, the following RPM files are installed. This information is intended for reference only. Administrators should never attempt to install these RPMs themselves; instead contact QRadar Support for any installation issues.

  • PROTOCOL-WinCollectMicrosoftExchange-7.3-20190501134740.noarch
  • PROTOCOL-WinCollectMicrosoftDNS-7.3-20190501134740.noarch
  • PROTOCOL-WinCollectMicrosoftIIS-7.3-20190501134740.noarch
  • PROTOCOL-WinCollectWindowsEventLog-7.3-20190501134740.noarch
  • PROTOCOL-WinCollectMicrosoftSQL-7.3-20190501134740.noarch
  • DSM-WinCollect-7.3-20160908133313.noarch
  • PROTOCOL-WinCollectMicrosoftDHCP-7.3-20190501134740.noarch
  • PROTOCOL-WinCollectJuniperSBR-7.3-20190501134740.noarch
  • AGENT-WINCOLLECT-7.3-20190501134740.noarch
  • PROTOCOL-WinCollectFileForwarder-7.3-20190501134740.noarch
  • PROTOCOL-WinCollectConfigServer-7.3-20190501134740.noarch
  • PROTOCOL-WinCollectMicrosoftIAS-7.3-20190501134740.noarch
  • PROTOCOL-WinCollectNetAppDataONTAP-7.3-20190501134740.noarch
  • PROTOCOL-WinCollectMicrosoftISA-7.3-20190501134740.noarch


Document Information

Modified date:
08 May 2019

UID

ibm10878150