Release Notes
Abstract
This release note contains upgrade instructions, new features and improvements, and resolved issues in IBM® WinCollect Agent V7.3.1 p2.
Content
Quick links
- Known issues identified in WinCollect V7.3.1 p2
- About WinCollect V7.3.1 p2
- Prerequisites for the WinCollect upgrade
- How to upgrade to WinCollect v7.3.1 p2
- QRadar® 7.5 RPMs contained in the WinCollect SFS installer
Known issues identified in WinCollect V7.3.1 p2
WinCollect 7.3.1 p2 contains the following known issue:
- Using the agent installer to upgrade an agent that is installed on a second drive (Non C:\) overwrites the AgentConfig.xml file - APAR IJ32255
About WinCollect V7.3.1 p2
WinCollect 7.3.1 p2 contains only the fixes listed below. No new features have been added.
This release updates the IBM® QRadar® WinCollect Agent to display the build number so that you can easily determine which WinCollect agents are updated. Ask questions about this version or the upgrade to this version in our new WinCollect forums (WinCollect forum).
Resolved issues
- Fixed an issue where, after upgrading QRadar to 7.5.0 UP4, managed WinCollect 7.X agents can fail to register or receive configuration updates - see APAR IJ45284
- Fixed an issue where the AGENT-WINCOLLECT rpm has a dependency on itself.
- Windows® Server 2022 (including Core)
- Windows® Server 2019 (including Core)
- Windows® Server 2016 (including Core)
- Windows® Server 2012 (including Core)
- Windows® 10 (most recent)
NOTE: WinCollect is not supported on versions of Windows® that moved to End Of Support by Microsoft®. After software is used beyond the Extended Support End Date, the product might still function as expected; however, IBM® does not make code or vulnerability fixes to resolve WinCollect issues for older operating systems. For more information, see the WinCollect User Guide.
IBM® Statement for WinCollect supported versions
Supported software versions for IBM® WinCollect are the latest version (n) and latest minus one (n-1). Therefore, the two newest versions of WinCollect are the versions that QRadar® support suggests with any support tickets (cases) that are opened. To prevent issues, it is important that you, as an administrator, keep WinCollect deployments updated when new versions are posted to IBM® Fix Central. For questions related to this statement, ask in the WinCollect forum: http://ibm.biz/wincollectforums.
Prerequisites for the WinCollect V7.3.1 p2 upgrade
Installation prerequisites
This table is for managed WinCollect agents that receive updates from a QRadar® appliance. Stand-alone WinCollect agents can be updated by using the WinCollect Standalone patch installer file to update the agents on Windows® host (see following links).
Console's WinCollect version | Upgrades to WinCollect V7.3.1 p2 | Special instructions |
WinCollect V7.2.2 | No, requires the WinCollect 7.2.2-2 SFS file to be installed first. | Do not use this agent version. Upgrade to WinCollect V7.2.2-2, then install WinCollect 7.2.5. |
WinCollect V7.2.2-1 | No, requires the WinCollect 7.2.2-2 SFS file to be installed first. | Do not use this agent version. Upgrade to WinCollect V7.2.2-2, then install WinCollect 7.2.5. |
WinCollect V7.2.2-2 | Yes | Upgrade to WinCollect V7.3.1 p2. See APAR IV99280 and APAR IJ45284. |
WinCollect V7.2.3 | Yes | Upgrade to WinCollect V7.3.1 p2. See APAR IV99280 and APAR IJ45284. |
WinCollect V7.2.4 | Yes | Upgrade to WinCollect V7.3.1 p2. See APAR IV99280 and APAR IJ45284. |
WinCollect V7.2.5 | Yes | Upgrade to WinCollect V7.3.1 p2. See APAR IJ45284. |
WinCollect V7.2.6 | Yes | Upgrade to WinCollect V7.3.1 p2. See APAR IJ45284. |
WinCollect V7.2.7 | Yes | Upgrade to WinCollect V7.3.1 p2. See APAR IJ45284. |
WinCollect V7.2.8 | Yes | Upgrade to WinCollect V7.3.1 p2. See APAR IJ45284. |
WinCollect V7.2.9 | Yes | Upgrade to WinCollect V7.3.1 p2. See APAR IJ45284. |
WinCollect V7.3.0 | Yes | Upgrade to WinCollect V7.3.1 p2. See APAR IJ45284. |
WinCollect V7.3.1 | Yes | Upgrade to WinCollect V7.3.1 p2. See APAR IJ45284. |
WinCollect V7.3.1 p1 | Yes | Upgrade to WinCollect V7.3.1 p2. See APAR IJ45284. |
Table 1: The WinCollect version for managed agents can be found in the Agent list on the Admin tab.
QRadar® version prerequisites
WinCollect V7.3.1 p2 supports QRadar® V7.5.0 Update 4 or later. WinCollect V7.2.5 is the minimum version required to upgrade to QRadar® V7.3.x (any patch level).
Tip: The WinCollect version for managed agents can be found in the Agent list on the Admin tab.
Before you begin
To upgrade existing WinCollect agents, you must be an administrator.
Follow these guidelines:
- To avoid access errors in your log file, close all open QRadar® sessions.
- Verify that all changes are deployed on your appliances.
- Ensure that you schedule adequate maintenance time. Installing the SFS file forces Tomcat to restart on the QRadar® Console, which logs out QRadar® users and stops any reports that are running in the background.
- To prevent a host from being updated, the Enable Automatic Updates field must be set to false before you install the SFS file to the Console. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21685330.
- Install the WinCollect Agent SFS file only on the QRadar® Console appliance. Installing the WinCollect Agent update SFS on a managed host results in an error message.
WinCollect upgrade procedure
Install WinCollect V7.3.1 p2 only on the QRadar® Console. The console appliance replicates all required files to other QRadar® appliances in the deployment. The SFS contains protocol updates and WinCollect Agent software to remotely update Windows® hosts with WinCollect V7.3.1 p2.
Note: If you are using stand-alone mode, you must download and install the WinCollect Patch Installer V7.3.1 p2 for each Windows® host and install the update locally on each agent.
WinCollect Patch Installer V7.3.1 p2 Links:
WinCollect Agent update links:
For more information about stand-alone mode, see IBM Documentation.
Procedure
These instructions are intended for standard (managed) upgrades of WinCollect.
- Download a WinCollect Agent (V7.3.1) bundle (.SFS) from the IBM® Fix Central website for your QRadar® version:
- QRadar® 7.5.x: 750_QRadar_wincollectupdate-7.3.1-28.sfs
Note: The installation process restarts services on the console, which creates a gap in event collection until services restart. Schedule the WinCollect upgrade during a maintenance window to avoid disrupting users.
- Use SSH to log in to your Console as the root user.
- For initial installations, create the /storetmp and /media/updates directories if they do not exist. Type the following commands:
mkdir /media/updates
mkdir /storetmp
- Using a program such as WinSCP, copy the downloaded SFS file to /storetmp on your QRadar® console.
- To change to the /storetmp directory, type the following command: cd /storetmp
- To mount the SFS file to the /media/updates directory, type the following command:
mount -o loop -t squashfs <patch file sfs name>.sfs /media/updates
Example: mount -t squashfs -o loop 730_QRadar_wincollectupdate-7.3.1-28.sfs /media/updates
- To run the patch installer, type the following command: /media/updates/installer
Note: To proceed with the WinCollect Agent update, you must restart services on QRadar® to apply protocol updates. The following message is displayed:
WARNING: Services need to be shut down in order to apply patches. This will cause an interruption to data collection and correlation.
Do you wish to continue (Y/N)?
- Type Y to continue with the update.
During the update, the SFS installs new protocol updates. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and run the installer again, the patch installation resumes. After the installation is complete, services are restarted, and the user interface is available.
Note: During installation, the following message is displayed:
Patch 144249
This patch includes a new version of the WinCollect Configuration Server.
For this new version to run properly, the event collection service needs to be restarted. If you choose to not restart the service, agents cannot get new configurations and code updates until you restart it.
Choices:
1. Restart event collection service at the end of the patch installation, on the Console and on all managed hosts patched from the Console.
2. Do not restart event collection service yet. You will need to restart it in the user interface (Advanced > Restart Event Collection Services).
3. Abort patch
After you choose an option, the patch installation continues. When it is complete, press the Enter key to exit the patch screen.
- If you selected the second option in step 8, you must complete the following steps:
In the QRadar® admin settings, click .
In the QRadar® admin settings, click .
- To unmount the SFS file from the Console, type the following command: umount /media/updates
- (Optional) Verify that WinCollect agents are configured to accept remote updates:
a) Log in to QRadar®.
b) On the navigation menu, click Data Sources.
c) Click the WinCollect icon.
d) Review the Automatic Updates Enabled column and select WinCollect agents that have a False value.
e) Click Enable/Disable Automatic Updates.
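The mount, installer, and unmount steps above, wrapped with checks that run before anything executes as root. This is an added example, not IBM's script. It assumes you have an expected SHA-256 for the SFS file from a trusted source, which this page does not supply; the function names and the script name are hypothetical.

```shell
#!/bin/bash
# Added example: pre-flight checks around the mount/installer/umount steps.
# The expected SHA-256 is an assumption: this page publishes no checksum,
# so pass the value you obtained out of band with the download.

MOUNT_POINT=/media/updates   # mount point used in the procedure above

# Return 0 only if the file is named *.sfs, is readable, and matches the hash.
verify_sfs() {
    sfs=$1; expected=$2
    case "$sfs" in *.sfs) ;; *) echo "not an .sfs file: $sfs" >&2; return 2 ;; esac
    [ -r "$sfs" ] || { echo "cannot read $sfs" >&2; return 3; }
    actual=$(sha256sum "$sfs" | awk '{print $1}')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] || { echo "SHA-256 mismatch for $sfs" >&2; return 4; }
}

# Return 0 if something is already mounted on the given directory.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' /proc/mounts
}

run_update() {
    sfs=$1; expected=$2
    [ "$(id -u)" -eq 0 ] || { echo "run as root on the Console" >&2; return 1; }
    verify_sfs "$sfs" "$expected" || return $?
    mkdir -p /storetmp "$MOUNT_POINT"
    if is_mounted "$MOUNT_POINT"; then
        echo "$MOUNT_POINT is already in use; unmount it first" >&2; return 5
    fi
    mount -o loop -t squashfs "$sfs" "$MOUNT_POINT" || return 6
    "$MOUNT_POINT/installer"; rc=$?     # interactive: answer the prompts yourself
    umount "$MOUNT_POINT"
    return $rc
}

# Only act when called with two arguments, e.g.:
#   ./wincollect_update.sh /storetmp/<patch file sfs name>.sfs <expected sha256>
if [ $# -eq 2 ]; then
    run_update "$1" "$2"
fi
```

A hash mismatch or an occupied mount point stops the run before the installer is started.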
Results
In smaller deployments, updates take a few minutes. However, larger WinCollect deployments might take an hour or two to fully update. By default, agents request configuration updates every 5 minutes when the WinCollect agent has the Enable Automatic Updates option set to true.
QRadar® V7.5 RPMs contained in the WinCollect SFS installer
When the WinCollect SFS file is installed on the QRadar® Console appliance, the following RPM files are installed.
- AGENT-WINCOLLECT-7.5-20230216203032.noarch.rpm
- PROTOCOL-WinCollectConfigServer-7.5-20230216203032.noarch.rpm
- PROTOCOL-WinCollectFileForwarder-7.5-20230216203032.noarch.rpm
- PROTOCOL-WinCollectJuniperSBR-7.5-20230216203032.noarch.rpm
- PROTOCOL-WinCollectMicrosoftDHCP-7.5-20230216203032.noarch.rpm
- PROTOCOL-WinCollectMicrosoftDNS-7.5-20230216203032.noarch.rpm
- PROTOCOL-WinCollectMicrosoftExchange-7.5-20230216203032.noarch.rpm
- PROTOCOL-WinCollectMicrosoftIAS-7.5-20230216203032.noarch.rpm
- PROTOCOL-WinCollectMicrosoftIIS-7.5-20230216203032.noarch.rpm
- PROTOCOL-WinCollectMicrosoftISA-7.5-20230216203032.noarch.rpm
- PROTOCOL-WinCollectMicrosoftSQL-7.5-20230216203032.noarch.rpm
- PROTOCOL-WinCollectNetAppDataONTAP-7.5-20230216203032.noarch.rpm
- PROTOCOL-WinCollectWindowsEventLog-7.5-20230216203032.noarch.rpm
This information is for reference only. Don't install these RPMs themselves; instead, contact QRadar® Support for any installation issues.
Document Information
Modified date:
25 April 2023
UID
ibm16954751