The error message "WinCollect Agent mismatch. RetrieveConfigurationUpdate succeeded, but the configuration file fingerprints don't match" is generated when a version mismatch exists between the QRadar Console and a managed WinCollect agent. Administrators who experience this error message can confirm software versions are identical between their QRadar appliance and managed WinCollect agents.
- To view error messages from an individual agent, administrators can select the QRadar Admin tab and click the WinCollect icon. Select your agent and click Show Events to run a Log Activity search for all status messages from the WinCollect agent, sorted by newest event. Status messages include information, warning, and error messages from the selected WinCollect agent.
- Administrators who have access to the remote Windows host should look for the following messages in C:\Program Files\IBM\WinCollect\WinCollect.log:
INFO SRV.System.WinCollectSvc.Service : Config change (or patch) detected on configuration server. Attempting to download and extract...
INFO SRV.Code.ConfigurationPatchStrategy : Retrieving Configuration Update
ERROR SRV.Code.ConfigurationPatchStrategy : RetrieveConfigurationUpdate succeeded, but the configuration file fingerprints don't match, exp:[FINGERPRINT INFORMATION] act:[FINGERPRINT INFORMATION]
WARN SRV.System.WinCollectSvc.Service : Config change (or patch) download failed validation. Not applying.
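To check a copy of WinCollect.log for the sequence above, the following Python sketch is an added example (not IBM code). It matches only on the message text shown in the excerpt; the timestamp prefix and the fingerprint values in the sample are constructed assumptions.

```python
import re
import sys

# Constructed sample shaped like the excerpt above; timestamps and
# fingerprint values are made up for illustration.
SAMPLE_LOG = """\
2019-05-29 14:30:01 INFO SRV.System.WinCollectSvc.Service : Config change (or patch) detected on configuration server. Attempting to download and extract...
2019-05-29 14:30:02 INFO SRV.Code.ConfigurationPatchStrategy : Retrieving Configuration Update
2019-05-29 14:30:03 ERROR SRV.Code.ConfigurationPatchStrategy : RetrieveConfigurationUpdate succeeded, but the configuration file fingerprints don't match, exp:[AAAA1111] act:[BBBB2222]
2019-05-29 14:30:03 WARN SRV.System.WinCollectSvc.Service : Config change (or patch) download failed validation. Not applying.
2019-05-29 14:35:01 INFO SRV.System.WinCollectSvc.Service : Config change (or patch) detected on configuration server. Attempting to download and extract...
2019-05-29 14:35:02 INFO SRV.Code.ConfigurationPatchStrategy : Retrieving Configuration Update
"""

# "don.t" tolerates a straight or a typographic apostrophe in the log.
MISMATCH = re.compile(
    r"\bERROR\b.*fingerprints don.t match, exp:\[(?P<exp>[^\]]*)\] act:\[(?P<act>[^\]]*)\]")
DETECTED = "detected on configuration server"
REJECTED = "download failed validation. Not applying."

def find_fingerprint_mismatches(lines):
    """One dict per mismatch ERROR: line number, exp/act values, and
    whether the 'Not applying' WARN followed in the same update attempt."""
    events, pending = [], None
    for lineno, line in enumerate(lines, start=1):
        m = MISMATCH.search(line)
        if m:
            pending = {"line": lineno, "expected": m["exp"],
                       "actual": m["act"], "rejected": False}
            events.append(pending)
        elif pending and REJECTED in line:
            pending["rejected"] = True
            pending = None
        elif DETECTED in line:
            pending = None  # a new update attempt has started
    return events

def summarize(lines):
    """Count update attempts and the mismatches found among them."""
    lines = list(lines)
    events = find_fingerprint_mismatches(lines)
    attempts = sum(DETECTED in line for line in lines)
    return {"attempts": attempts, "mismatches": len(events), "events": events}

if __name__ == "__main__":
    # Pass the path to a copied WinCollect.log, or run with no argument
    # to use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            print(summarize(fh))
    else:
        print(summarize(SAMPLE_LOG.splitlines()))
```

A mismatch that recurs on every update attempt is consistent with the version difference described on this page rather than a one-off download problem.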
Diagnosing The Problem
For Managed WinCollect agents
From the Console command line, as the root user, type: /opt/qradar/support/WinCollectHealthCheck.sh -d
Figure 1: Output displays information on the WinCollect software installed on the Console. AgentCore is the WinCollect application in QRadar.
Compare this to the version list for all managed WinCollect Agents from the WinCollectHealthSummary utility or to the version list in the user interface:
| Agent Name | Version | Time of last heartbeat | Location of Config File |
|---|---|---|---|
| LAPTOP-N1002211 | 126.96.36.199 | 2019-05-29 14:34:53.102 | 192.168.0.80 |
| LAPTOP-A9354424 | 188.8.131.52 | 2019-05-29 14:34:52.912 | 192.168.0.80 |
| LAPTOP-LALM1223 | 184.108.40.206 | 2019-05-29 14:34:54.932 | 192.168.0.80 |
| LAPTOP-GAL22392 | 220.127.116.11 | 2019-05-29 14:34:53.906 | 192.168.0.80 |
Optional. Administrators can use the agent list from the user interface to verify their WinCollect agent versions (Admin tab > WinCollect).
Figure 2: Review the Version column to see whether the software version of a WinCollect agent differs from the AgentCore version listed.
Administrators should note the version difference between the Console install 7.2.8-145 and the version on the Windows hosts 7.2.9-72. If there are version differences, fingerprint error messages can be displayed in logs and status events. The administrator needs to resolve the version mismatch so that the software versions match and future errors are prevented.
Resolving The Problem
- Download the latest WinCollect SFS file from IBM Fix Central.
- Using SSH, log in to your Console as the root user. The SFS file is only installed on the QRadar Console. There is no need to install the WinCollect SFS on non-Console appliances.
- Copy the WinCollect SFS file to the /tmp directory on the QRadar Console. If space in the /tmp directory is limited, copy the SFS to another location that has sufficient space, such as the /storetmp directory on QRadar 7.3.x Consoles.
- To verify that the mount point /media/updates exists, type: mkdir -p /media/updates
- To mount the SFS file, type the command for your QRadar version:
  - QRadar 7.2.x: mount -o loop -t squashfs 720_QRadar_wincollectupdate-<version>.sfs /media/updates
  - QRadar 7.3.x: mount -o loop -t squashfs 730_QRadar_wincollectupdate-<version>.sfs /media/updates
- Install the WinCollect SFS file: /media/updates/installer
NOTE: To proceed with the WinCollect Agent update, services need to be restarted on QRadar to apply protocol updates. The following message is displayed:
WARNING: Services need to be shutdown in order to apply patches. This will cause an interruption to data collection and correlation.
Do you wish to continue (Y/N)?
- To continue with the update, type Y.
- When the update completes, remove the mounted SFS file with the following command: umount /media/updates
Administrators should verify whether any agents have automatic updates disabled. For WinCollect agents that show 'False' in the Automatic Updates Enabled column, click the Enable/Disable Automatic Updates button in the WinCollect user interface to set the Automatic Updates Enabled status to 'True'. Software updates for managed agents are only sent to remote Windows hosts when Automatic Updates Enabled displays 'True'.
03 November 2021