Troubleshooting
Problem
Symptom
Cause
- Agent Version: An older WinCollect agent can lack optimizations and updates, which are crucial for efficient performance. Making sure that the agent is up to date can help mitigate some issues.
- Event Sources and Protocols:
- If the WinCollect agent is using the MSEVEN protocol (as opposed to MSEVEN6) to collect events, it might affect performance due to differences in protocol efficiency and compatibility.
- If WinCollect is collecting events from sources such as IIS, Exchange, DHCP, SQL Server, DNS Debug, DNS Analytical, or File Forwarder, the volume and complexity of data can impact performance.
- Large File Sizes: WinCollect processes events from files, and larger file sizes increase the processing time. As file size grows, the system requires more resources to read and analyze the data, leading to delays.
- Number of Files: WinCollect attempts to monitor all files in a specified folder unless a specific filename filter is used. An increase in the number of files in a target folder can impact performance, as it takes longer to scan and filter through the files.
- Event Rate Configurations: To avoid overwhelming the system and potential data loss, it's crucial to tune log sources according to the event rate. Default settings might not be optimized for the specific workload or data volume, which can lead to delays and inefficiencies in data processing. Properly adjusting the log sources ensures smooth operation and reliable data handling.
- Resource Limitations: The WinCollect agent host might not meet the minimum hardware and software requirements, resulting in performance bottlenecks.
Diagnosing The Problem
Check the WinCollect Version
You can do either A or B (or both):
A. Check in Log Activity
- Log in to the QRadar GUI and go to the Log Activity tab.
- Use a search filter such as Log Source (indexed) Equals a name like "WinCollect @ ..." together with a suitable time interval.
B. Connect to the WinCollect host over RDP. Open the file: C:\Program Files\IBM\WinCollect\logs\upgrade_log.txt
WC 7 Agent Version
Aug 03 16:14:25
WinCollect 7.3.1.28 - 20230216-203032 InstallHelper starting...
Performing a Restart
Waiting for the existing process 2224 to terminate by itself.
The process terminated successfully.
Service start pending...
WinCollect 7.3.1.28 - 20230216-203032 InstallHelper complete. Exiting with code 0
WC 10 Agent Version
May 19 2024 11:52:34 Installed WinCollect version 10.1.10.11
Check the Event Rate
Connect to the WC host over RDP. The event rate can be checked in the file C:\Program Files\IBM\WinCollect\logs\Statistics.txt
WC 7 Statistics.txt:
trg._eventcollector1044_srv_qradar_TCP 60 Minutes: 38 644 587 554 672 628 530 616 418 485 625 575 581 621 524 517 553 411 572 459 458 486 600 603 668 618 475 693 620 624 649 387 486 602 513 471 644 556 418 566 544 525 654 497 576 607 658 461 577 609 481 521 406 683 617 562 671 423 533 581 ==>> 14 Hours: 542/1845 573/1889 596/1737 548/2648 557/1673 545/1875 571/1820 579/1875 572/2777 582/2406 579/1956 578/2484 567/2499 449/1650
WC 10 Statistics.txt:
Destination//QRadar:
51/1751,15/96,13/104,18/274,72/500,14/112,15/104,13/116,16/274,66/480,64/596,20/358,13/100,25/400,64/400,14/105,15/108,13/108,17/274,66/402,28/400,15/117,14/107,17/286,59/400,97/500,24/289,36/400,17/204,20/400,64/400,14/105,33/400,150/577
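As an added example (not IBM's own tooling), the following parser reads the two Statistics.txt layouts shown above, the WC 7 "60 Minutes ... ==>> 14 Hours" line and the WC 10 "Destination//QRadar:" block, and reports count, peak and mean so a high or bursty event rate is visible before a tuning profile is chosen. The page does not say what the two numbers in each "a/b" pair mean, so the code keeps them as (first, second) and the sample text is a constructed copy of the excerpts above.

```python
import re
from statistics import mean

# Constructed copies of the Statistics.txt excerpts shown on this page.
WC7_LINE = (
    "trg._eventcollector1044_srv_qradar_TCP 60 Minutes: "
    "38 644 587 554 672 628 530 616 418 485 625 575 581 621 524 517 553 411 "
    "572 459 458 486 600 603 668 618 475 693 620 624 649 387 486 602 513 471 "
    "644 556 418 566 544 525 654 497 576 607 658 461 577 609 481 521 406 683 "
    "617 562 671 423 533 581 ==>> 14 Hours: 542/1845 573/1889 596/1737 "
    "548/2648 557/1673 545/1875 571/1820 579/1875 572/2777 582/2406 579/1956 "
    "578/2484 567/2499 449/1650"
)
WC10_TEXT = (
    "Destination//QRadar:\n"
    "51/1751,15/96,13/104,18/274,72/500,14/112,15/104,13/116,16/274,66/480,"
    "64/596,20/358,13/100,25/400,64/400,14/105,15/108,13/108,17/274,66/402,"
    "28/400,15/117,14/107,17/286,59/400,97/500,24/289,36/400,17/204,20/400,"
    "64/400,14/105,33/400,150/577\n"
)
PAIR_RE = re.compile(r"(\d+)/(\d+)")  # matches the a/b pairs in both layouts

def parse_wc7(line):
    """WC 7 line -> destination name, 60 per-minute values, hourly (a, b) pairs.
    Assumption: the hourly pair semantics are not stated on the page."""
    head, _, hours = line.partition("==>>")
    minutes = [int(t) for t in head.split("Minutes:")[1].split()]
    pairs = [(int(a), int(b)) for a, b in PAIR_RE.findall(hours)]
    return {"destination": head.split()[0], "minutes": minutes, "hours": pairs}

def parse_wc10(text):
    """WC 10 'Destination//NAME:' blocks -> {NAME: [(a, b), ...]}."""
    out, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Destination//"):
            current = line[len("Destination//"):].rstrip(":")
            out[current] = []
        elif current and line:
            out[current].extend((int(a), int(b)) for a, b in PAIR_RE.findall(line))
    return out

def summarize(values):
    """Count, peak and mean of a numeric series; a peak far above the mean marks bursts."""
    return {"count": len(values), "peak": max(values), "mean": round(mean(values), 1)}

if __name__ == "__main__":
    wc7 = parse_wc7(WC7_LINE)
    print(wc7["destination"], "per-minute:", summarize(wc7["minutes"]))
    print("hourly first/second:", summarize([a for a, _ in wc7["hours"]]),
          summarize([b for _, b in wc7["hours"]]))
    for name, pairs in parse_wc10(WC10_TEXT).items():
        print("WC10", name, summarize([a for a, _ in pairs]), summarize([b for _, b in pairs]))
```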
Check the Large File Sizes and Number of files in the Target Folder
- Microsoft® IIS Source: Number of files in C:\inetpub\logs\LogFiles\
- Microsoft Exchange Server source: Number of files in C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs
- Microsoft DHCP Server source: Number of files in C:\Windows\System32\DHCP
- Microsoft SQL Server source: Check the size of the file in C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Log
- Microsoft DNS Debug source: No default value, as the file location is configured when you set up DNS Server debugging. Check the size of the file in the configured target folder.
- IBM File Forwarder source: Directory where the log files that you want to pull data from are stored. Check the file sizes and number of files.
Resolving The Problem
- Verify the WinCollect agent host meets the minimum hardware and software requirements.
- Verify that the WinCollect agent is on the newest version. If the agent is on an older version, upgrade it to the newest version, which can be found on IBM Fix Central.
- Verify that the WinCollect agent is collecting events using the MSEVEN6 protocol and that the Event Rate Tuning profile is configured according to the event rate observed in WinCollect.log.
- WinCollect 7: There are 3 Event Rate Tuning Profiles. If high EPS is observed, set the Tuning profile to Max event rate.
For configuration: Go to the QRadar Admin tab > Data sources section > click Log sources > open the log source configuration.
- WinCollect 10: There are 6 Event Rate Tuning Profiles. Automatic Tuning is the preferred option. If high EPS is observed, set the Tuning profile to Max event rate.
For configuration: Open the WinCollect Configuration Console on the Windows host.
Enable Advanced UI from Settings. Then go to Menu > Local Sources > Local > Security > Tuning Profile.
You also need to update the configuration for Application, System, and other sources if configured.
- Since WinCollect is monitoring all the files in the target folder, move any obsolete or old files, from which events have already been collected, to a different directory.
- For holistic event rate and performance tuning assistance, you can consult IBM Security Expert Labs (paid service).
- If you are unable to resolve the issue, raise an IBM QRadar Support Case.
Related Information
Document Location
Worldwide
Document Information
Modified date:
31 July 2024
UID
ibm17154411