




Known issues identified in WinCollect 7.2.7





| APAR | Description |
|---|---|
| IJ01089 | HIGH CPU LOAD OBSERVED AFTER UPGRADING WINCOLLECT TO VERSION 7.2.7 AND USING MSEVEN6 |
| IJ01531 | WINCOLLECT CAN SOMETIMES STOP GATHERING WINDOWS IIS LOGS UNTIL A RESTART OF THE AGENT OCCURS |
| IV96284 | UPGRADING THE WINCOLLECT .SFS CAN REQUIRE AN ADDITIONAL 'DEPLOY FULL CONFIGURATION' TO COMPLETE SOME AGENT INSTALLATIONS |





About WinCollect v7.2.7

A new SFS file has been posted to IBM Fix Central for WinCollect version 7.2.7. This update installs new software on the QRadar appliance and requires a Deploy Full Configuration. A full deploy restarts services on all appliances in the deployment to load the protocol changes for WinCollect protocol plug-ins. A gap in event collection occurs while services are restarting. Administrators who have any long-running reports should ensure that these are complete before installing this WinCollect update. Restarting the web server logs off all users while the web server restarts. Any reports in progress need to be manually started after the user interface is available. This update resolves multiple issues reported in the previous WinCollect release. Questions about this version or upgrade can be discussed in our new WinCollect forums.

Features and resolved issues

| APAR | Description |
|---|---|
| IV98218 | ADDED SUPPORT FOR DNS DEBUG LOGGING ON WINDOWS SERVER 2008 (32-BIT). |
| IV96608 | WINCOLLECT 7.2.6 STOPS COLLECTING EVENTS ON WINDOWS COMPUTERS AFTER THEY REBOOT/RESTART. |



Known QRadar issue for older WinCollect versions

APAR IV99280: Administrators on WinCollect 7.2.2-2 to 7.2.4 might experience an issue when they attempt to upgrade managed WinCollect agents if the QRadar version is 7.2.8 Patch 7 to 7.2.8 Patch X. A Java 8 update was added in QRadar 7.2.8 Patch 7 and later where TLSv1.0 / TLSv1.1 is disabled. Administrators on old versions of WinCollect can install the WinCollect 7.2.7 SFS update, but might experience an issue where managed agents cannot upgrade properly, as described in APAR IV99280. A workaround is available through QRadar Support.



Supported Windows operating systems

Windows Server 2016



Windows Server 2008 (most recent)



Windows Server 2008 Core



Windows Server 2012 (most recent)



Windows Server 2012 Core



Windows 7 (most recent)



Windows 8 (most recent)



Windows 10 (most recent)



Windows Vista (most recent)



NOTE: WinCollect is not supported on versions of Windows that have been moved to End Of Life by Microsoft. After software is beyond the Extended Support End Date the product might still function as expected; however, IBM will not make code or vulnerability fixes to resolve WinCollect issues for older operating systems. For more information, see the WinCollect User Guide.



IBM Statement for WinCollect supported versions

Administrators should be aware that the supported software versions for IBM WinCollect are the latest version (n) and the latest minus one (n-1). This means that the two newest versions of WinCollect are the versions that QRadar Support will recommend with any support tickets (cases) that are opened. To prevent issues, it is important that administrators keep WinCollect deployments updated when new versions are posted to IBM Fix Central. For questions related to this statement, ask in the WinCollect forum: http://ibm.biz/wincollectforums





Prerequisites for the WinCollect 7.2.7 upgrade

Installation prerequisites

This table is intended for managed WinCollect agents that receive updates from a QRadar appliance. Stand-alone WinCollect agents can be updated by running the 7.2.0-QRADAR-wincollect-standalone-patch-installer-7.2.7-20.exe file on the Windows host.

| Console's WinCollect version | Upgrades to WinCollect 7.2.7? | Special instructions |
|---|---|---|
| WinCollect 7.2.2 | No, requires the WinCollect 7.2.2-2 SFS file to be installed first. | No administrators should be using this agent version. Upgrade to WinCollect 7.2.2-2, then install WinCollect 7.2.5. |
| WinCollect 7.2.2-1 | No, requires the WinCollect 7.2.2-2 SFS file to be installed first. | No administrators should be using this agent version. Upgrade to WinCollect 7.2.2-2, then install WinCollect 7.2.5. |
| WinCollect 7.2.2-2 | Yes | Upgrade to WinCollect 7.2.7. See APAR IV99280. |
| WinCollect 7.2.3 | Yes | Upgrade to WinCollect 7.2.7. See APAR IV99280. |
| WinCollect 7.2.4 | Yes | Upgrade to WinCollect 7.2.7. See APAR IV99280. |
| WinCollect 7.2.5 | Yes | Upgrade to WinCollect 7.2.7. |
| WinCollect 7.2.6 | Yes | Upgrade to WinCollect 7.2.7. |

Table 1. Important: The WinCollect version for managed agents can be found in the Agent list on the Admin tab.





QRadar version prerequisites

This table is intended to outline WinCollect version requirements for QRadar.

| QRadar version | Special instructions |
|---|---|
| QRadar 7.2.8 Patch 7 or above | If you are on a WinCollect version between 7.2.2-2 to 7.2.4, see APAR IV99280. |
| QRadar 7.3.0 | WinCollect 7.2.5 is the minimum version required to upgrade to QRadar 7.3.0 (any patch level). |

Table 2: The WinCollect version for managed agents can be found in the Agent list on the Admin tab.







Before you begin

To avoid access errors in your log file, close all open QRadar sessions.



Verify that all changes are deployed on your appliances.



Installing the SFS file forces a Tomcat restart on the Console, which will log out QRadar users and stop any reports running in the background. Administrators should be aware of this service restart to schedule maintenance time appropriately.



It is possible for the administrator to prevent a software update to a critical business asset or server from the WinCollect agent list on the Admin tab. To prevent a host from being updated, the Enable Automatic Updates field must be set to false before you install the SFS file to the Console. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21685330


The WinCollect Agent SFS file can only be installed on the QRadar Console appliance. Installing the WinCollect Agent update SFS on a managed host displays an error message to the administrator.









WinCollect upgrade procedure

This section outlines how to install WinCollect 7.2.7 on the QRadar Console. The WinCollect update only needs to be installed on the QRadar Console. The Console appliance will replicate all required files to other QRadar appliances in the deployment. To upgrade existing WinCollect agents, the administrator must install the SFS file on the QRadar Console appliance. The SFS contains protocol updates and WinCollect Agent software to remotely update Windows hosts with WinCollect 7.2.7. If you are using 'Stand-alone' mode, you must download the WinCollect Patch Installer 7.2.7 and install the update locally on each Windows host. For more information about Stand-alone mode, see the WinCollect Guide.

Procedure

These instructions are intended for standard (managed) upgrades of WinCollect.

Download a WinCollect Agent (v7.2.7) bundle (.SFS) from the IBM Fix Central website for your QRadar version:

QRadar 7.2.x: 720_QRadar_wincollectupdate-7.2.0.511.sfs

QRadar 7.3.x: 730_QRadar_wincollectupdate-7.3.0.106.sfs



Note: The installation process will restart services on the Console, which will create a gap in event collection until services restart. Administrators should be aware of the service restart so they can schedule the WinCollect upgrade during a maintenance window.





Using SSH, log in to your Console as the root user. This SFS file is only installed on the QRadar Console. There is no need to install the WinCollect SFS on non-Console appliances.

Copy the fix pack to the /tmp directory on the QRadar Console. If space in the /tmp directory is limited, copy the SFS to another location that has sufficient space, such as /root or /storetmp for QRadar 7.3.0 Consoles.

To create the /media/updates directory, type the following command: mkdir -p /media/updates

Change to the directory where you copied the patch file. For example, cd /tmp

To mount the patch file to the /media/updates directory, type one of the following commands:

QRadar 7.2.x: mount -o loop -t squashfs 720_QRadar_wincollectupdate-7.2.0.511.sfs /media/updates

QRadar 7.3.x: mount -o loop -t squashfs 730_QRadar_wincollectupdate-7.3.0.106.sfs /media/updates

To run the patch installer, type the following command: /media/updates/installer



NOTE: To proceed with the WinCollect Agent update, services need to be restarted on QRadar to apply protocol updates. The following message is displayed:



WARNING: Services need to be shutdown in order to apply patches. This will cause an interruption to data collection and correlation.



Do you wish to continue (Y/N?





To continue with the update, type Y.



During the update, the SFS installs new protocol updates. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes. After the installation is complete, services are restarted and the user interface is available.

Administrators can delete the WinCollect update SFS file from the QRadar Console.

To unmount the SFS file from the Console, type: umount /media/updates

Log in to the QRadar Console user interface.



Important: Completing the full deploy will restart services on all appliances in the deployment to load the protocol changes. A gap in event collection will occur while services are restarting. Administrators that have any long running reports should ensure these are complete before step #11. Restarting the web server will log off all users while the web server restarts. Any reports in progress when the web server is restarted will need to be manually started after the user interface is available.



From the Admin tab, select Advanced > Deploy Full Configuration.

From the Admin tab, select Advanced > Restart Web Server.

Administrators should wait for the WinCollect agent to update the remote Windows host with the latest software. In smaller deployments, updates should only take a few minutes; however, larger WinCollect deployments might take an hour or two to fully update. By default, agents request configuration updates every 10 minutes if the WinCollect agent has set to . Administrators can log in to the QRadar user interface and review the agent list to verify that agents with updates enabled display in the column. After one hour has passed, the administrator can review whether any WinCollect agents still show older agent versions in the QRadar user interface. If the QRadar Console is at QRadar 7.2.8 Patch 7 or later and you are attempting to upgrade from WinCollect 7.2.2-2 to WinCollect 7.2.4, you might be experiencing the upgrade issue outlined here: IV99280.





QRadar 7.2 RPMs contained in the WinCollect SFS installer

The following RPM files are contained within the WinCollect 7.2.7 SFS file. When the WinCollect SFS file is installed on the Console appliance, the following RPM files are installed. This information is intended for reference only. Administrators should never attempt to install these RPMs themselves; instead, contact QRadar Support for any installation issues.

AGENT-WINCOLLECT-7.2-20170822145159.noarch



PROTOCOL-WinCollectMicrosoftSQL-7.2-20170822145159.noarch



PROTOCOL-WinCollectMicrosoftDNS-7.2-20170822145159.noarch



PROTOCOL-WinCollectMicrosoftIAS-7.2-20170822145159.noarch



PROTOCOL-WinCollectNetAppDataONTAP-7.2-20170822145159.noarch



PROTOCOL-WinCollectMicrosoftISA-7.2-20170822145159.noarch



PROTOCOL-WinCollectWindowsEventLog-7.2-20170822145159.noarch



PROTOCOL-WinCollectMicrosoftDHCP-7.2-20170822145159.noarch



PROTOCOL-WinCollectJuniperSBR-7.2-20170822145159.noarch



PROTOCOL-WinCollectMicrosoftIIS-7.2-20170822145159.noarch



PROTOCOL-WinCollectConfigServer-7.2-20170822145159.noarch



DSM-WinCollect-7.2-922053.noarch



PROTOCOL-WinCollectFileForwarder-7.2-20170822145159.noarch
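A read-only post-install check for the QRadar 7.2 list above, added here as an example (not IBM code): it compares `rpm -qa`-style output with the RPM names on this page and flags packages that are missing or installed at a different build. The function names, status labels and sample data are assumptions for illustration, and it assumes `rpm -qa` prints name-version-release.arch in the same form as the list.

```shell
#!/bin/sh
# Added example (not IBM code). Read-only: it queries, never installs.
# RPM names below are copied from the QRadar 7.2 list on this page.
EXPECTED_RPMS='AGENT-WINCOLLECT-7.2-20170822145159.noarch
PROTOCOL-WinCollectMicrosoftSQL-7.2-20170822145159.noarch
PROTOCOL-WinCollectMicrosoftDNS-7.2-20170822145159.noarch
PROTOCOL-WinCollectMicrosoftIAS-7.2-20170822145159.noarch
PROTOCOL-WinCollectNetAppDataONTAP-7.2-20170822145159.noarch
PROTOCOL-WinCollectMicrosoftISA-7.2-20170822145159.noarch
PROTOCOL-WinCollectWindowsEventLog-7.2-20170822145159.noarch
PROTOCOL-WinCollectMicrosoftDHCP-7.2-20170822145159.noarch
PROTOCOL-WinCollectJuniperSBR-7.2-20170822145159.noarch
PROTOCOL-WinCollectMicrosoftIIS-7.2-20170822145159.noarch
PROTOCOL-WinCollectConfigServer-7.2-20170822145159.noarch
DSM-WinCollect-7.2-922053.noarch
PROTOCOL-WinCollectFileForwarder-7.2-20170822145159.noarch'

# Reads `rpm -qa`-style lines (name-version-release.arch) on stdin and prints
# one status line per expected package. Returns 1 if any package is not OK.
check_wincollect_rpms() {
  installed=$(cat)
  rc=0
  for pkg in $EXPECTED_RPMS; do
    name=${pkg%-*-*}   # strip the trailing -version-release.arch
    if printf '%s\n' "$installed" | grep -Fxq -- "$pkg"; then
      echo "OK $pkg"
    else
      # Same package name at another version/release: an older or newer build.
      other=$(printf '%s\n' "$installed" | grep -E -- "^${name}-[^-]+-[^-]+\$" | head -n 1)
      if [ -n "$other" ]; then
        echo "DIFFERENT-BUILD $pkg (installed: $other)"
      else
        echo "MISSING $pkg"
      fi
      rc=1
    fi
  done
  return $rc
}

# Constructed sample of `rpm -qa` output: DSM absent, IIS protocol at another build.
sample_rpm_qa() {
  printf '%s\n' "$EXPECTED_RPMS" |
    sed -e '/^DSM-/d' -e '/MicrosoftIIS/s/20170822145159/20170101000000/'
}

# On the Console, replace the sample with: rpm -qa | check_wincollect_rpms
sample_rpm_qa | check_wincollect_rpms || echo "WinCollect RPM set incomplete"
```

Any line other than OK is something to raise with QRadar Support rather than repair by hand, in line with the guidance above.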

QRadar 7.3 RPMs contained in the WinCollect SFS installer

The following RPM files are contained within the WinCollect 7.2.7 SFS file. When the WinCollect SFS file is installed on the Console appliance, the following RPM files are installed. This information is intended for reference only. Administrators should never attempt to install these RPMs themselves; instead, contact QRadar Support for any installation issues.