IBM Support

How to upgrade legacy WinCollect versions (7.0/7.1.0/7.2.2) to the latest release

Question & Answer


Question

This technical note describes how to upgrade legacy WinCollect versions to the latest available release of WinCollect. Since there is no direct upgrade path for some legacy versions, this tech note covers the procedure to get your QRadar system updated.

Answer

About

WinCollect does not have a direct upgrade path from version 7.0 or 7.1.0 due to the number of functional changes and improvements to WinCollect. However, an administrator can go through the process as a fresh WinCollect install, then associate existing log sources with the WinCollect 7.2.6 agents. The installation procedure for moving from WinCollect 7.0/7.1.0 to the latest WinCollect version is a special installation process. This procedure should only be followed by administrators with WinCollect agents at version 7.0 or 7.1.0.

Upgrade Path

Upgrading from legacy versions of WinCollect requires administrators to have WinCollect 7.2.2-2 and 7.2.5 installed, as these are the baseline versions required before you can proceed to the latest release of WinCollect. In some cases, depending on your version, you might need to
Current WinCollect Version | Step 1 | Step 2 | Step 3 | Notes
7.0 | No upgrade path from this version. This article walks administrators through the reinstall process to get older versions of WinCollect to the latest software revision. | | | No longer available on IBM Fix Central.
7.1.0 | No upgrade path from this version. This article walks administrators through the reinstall process to get older versions of WinCollect to the latest software revision. | | | No longer available on IBM Fix Central.
7.1.1* | Install WinCollect 7.1.2 | Install WinCollect 7.2.2-2 | Install WinCollect 7.2.5 | Each SFS defined in this table must be installed on the QRadar Console in the order defined to upgrade to the latest version. NOTE: Most of these legacy versions are no longer available on IBM Fix Central.
7.1.2* | Install WinCollect 7.2.2-2 | Install WinCollect 7.2.5 | Install WinCollect 7.2.7 |
7.2.0** | Install WinCollect 7.2.2-2 | Install WinCollect 7.2.5 | Install WinCollect 7.2.7 |
7.2.2** | Install WinCollect 7.2.2-2 | Install WinCollect 7.2.5 | Install WinCollect 7.2.7 |
7.2.2-1** | Install WinCollect 7.2.2-2 | Install WinCollect 7.2.5 | Install WinCollect 7.2.7 |
7.2.2-2** | Install WinCollect 7.2.5 | Install WinCollect 7.2.7 | N/A |
7.2.3** | Install WinCollect 7.2.5 | Install WinCollect 7.2.7 | N/A |
7.2.4** | Install WinCollect 7.2.5 | Install WinCollect 7.2.7 | N/A |
7.2.5** | Install WinCollect 7.2.7 | N/A | N/A | IMPORTANT: WinCollect 7.2.5 or later is a required install before administrators can update or install QRadar 7.3.0.
7.2.6** | Install WinCollect Latest | N/A | N/A | No longer available on IBM Fix Central.
7.2.7** | Install WinCollect Latest | N/A | N/A | Currently supported version
7.2.8** | Install WinCollect Latest | N/A | N/A | Currently supported version
Administrators who are on legacy versions of WinCollect should talk to us in our forums before starting an upgrade, as several of these versions are no longer publicly available on IBM Fix Central. Support might be required to retrieve these version files for the upgrade; however, it is best to discuss whether an upgrade or a new install is the most efficient path based on the number of agents deployed on legacy versions. To talk to us about legacy WinCollect updates, see: https://ibm.biz/wincollectforums.
* Ensure ports TCP 443 and 8413 (bidirectional) are open between the Console and the agent BEFORE you go to step 2.
** Ensure port TCP 8413 (bidirectional) is open between the agent and the QRadar appliance. Port TCP/8413 was introduced in the WinCollect 7.2.0 release.


Process overview

This section is a general overview of the steps required to migrate from WinCollect 7.0/7.1.0 to WinCollect 7.2.7 (latest). Each step below has a corresponding section with detailed instructions to assist the administrator.

  • Step 1: Verify QRadar Versions and Required Ports
  • Step 2: Removing WinCollect Agents from the QRadar User Interface
  • Step 3: Uninstalling the WinCollect Agent on the Windows host
  • Step 4: Upgrading the QRadar Console to the latest WinCollect version
  • Step 5: Installing the WinCollect Agent EXE on the Windows host
  • Step 6: Verifying WinCollect Agents are Auto Discovered
  • Step 7: Editing Log Sources to Reconnect to the WinCollect Agent

Step 1: Verify QRadar Versions and Required Ports

Upgrading WinCollect requires QRadar 7.1 MR2 Patch 1 or WinCollect 7.1.2, as well as certain firewall ports being open between the QRadar appliance and the Windows server that hosts the WinCollect agent. Before any software is installed, the following ports must be open and the QRadar deployment must be upgraded to meet the minimum software requirements.

Port requirements:

  • TCP 8413 for log source management from the QRadar appliance
  • TCP 514 or UDP 514 for events

QRadar version requirements:
  • 7.1 MR2 Patch 1 (absolute minimum required version)
  • 7.1 MR2 Patch 12 (recommended patch level by support for QRadar 7.1.x administrators)
  • 7.2.1 Patch 3 (minimum recommended patch level by support for QRadar 7.2.x administrators)
  • 7.3.x requires a minimum of WinCollect 7.2.5 or later.

    Important: If an administrator needs to upgrade the QRadar Console software to a newer version, it is recommended that they install QRadar 7.2.1 Patch 3 if they plan to use non-Console appliances to manage remote WinCollect agents. Administrators on 7.1 MR2 Patch 12 must have the Console manage all of their WinCollect agents, and up to 500 WinCollect agents can be installed in their network. Certain features that administrators might want, in order to expand which appliances can manage a WinCollect deployment, require QRadar 7.2.1 Patch 3 to function. The following image explains the features that require certain QRadar versions.

Step 2: Removing WinCollect Agents from the QRadar User Interface

This step requires administrator privileges in QRadar to have access to the Admin tab. The administrator needs to remove WinCollect 7.0 or 7.1.0 agents using the WinCollect icon on the Admin tab of QRadar. The reason for removing the agents is to ensure that they get added back to QRadar correctly. When an agent is deleted in the user interface, the existing log sources associated with the agent are disabled. Deleting the agent allows the administrator to associate the log sources to the new WinCollect agents after the installation process is complete.

Before you begin

Optional. Renaming existing WinCollect agents is not a required step; however, it ensures that the WinCollect agent automatically rediscovers after the SFS installation of WinCollect, even if an existing host name or host identifier is reused during the agent installation. If the administrator wants to reuse a name or host name value, it is recommended that existing 7.0/7.1.0 agents be renamed, which updates the agent database. When an agent is deleted, the named values still reside in the database. Renaming the agent first ensures that database changes do not need to be made later on if an administrator needs to reuse a name or host name value.

Procedure

  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Select the WinCollect icon. The Agents list displays existing agents that have been added to WinCollect.
  4. To rename an existing WinCollect agent, double-click on a WinCollect agent.
  5. Update the Name field and the Host Name field.

    For example:

    Figure 2: Optional. Renaming 7.0 or 7.1.0 WinCollect agents ensures that a name can be reused when WinCollect 7.2.3 is installed.
  6. Click Save.

    Results
    After the agents are renamed, the database is updated with the ".old" host identifiers and host name values. The administrator can now safely delete the 7.0 or 7.1.0 WinCollect agent.
  1. Log in to the QRadar Console as an admin user.
  2. Click the Admin tab.
  3. Click the WinCollect icon.
    The list of WinCollect agents is displayed.


    Figure 3: How to delete a WinCollect agent.
  4. Select a WinCollect 7.0 or 7.1.0 agent and click Delete.
  5. If prompted, click OK to delete the agent from the user interface.
  6. Repeat this process until all 7.0 and 7.1.0 agents are deleted from the Agents list.

    Results
    The agents are removed from the QRadar user interface. All of the WinCollect log sources still exist in QRadar, but they are currently disabled. Later on, the administrator can associate the log sources to an updated WinCollect agent to reconnect the old log source and continue receiving events.

Step 3: Uninstalling the WinCollect Agent on the Windows host

The next step for administrators is to uninstall the WinCollect software on the Windows host. The WinCollect installer uninstalls the application, but some additional file cleanup is recommended.

Procedure 
  1. Log in to the Windows system hosting the legacy WinCollect agent.
  2. From the desktop of the WinCollect host, select Start > Programs > WinCollect > Utility > Uninstall WinCollect.
  3. Click Yes to continue.
    After the process is complete, a message is displayed to indicate that WinCollect was removed from your Windows host. The administrator will be prompted to reboot the Windows host.
  4. Click OK.
    The WinCollect agent is uninstalled from the host.
  5. Navigate to %ProgramData% in Windows Explorer.
  6. If there is a %ProgramData%\WinCollect directory, delete the WinCollect directory.
    This folder keeps cached events and bookmark data from the last time the WinCollect agent polled the Windows Event Viewer for event data. These bookmarks must be cleared to ensure that the new installation can collect event data properly. A new bookmark file will be created at installation time when you install the new WinCollect agent.
  7. Press Windows key + R and type services.msc.
  8. Verify the WinCollect service is removed from the service list.
    If you did not restart the Windows host, the WinCollect service might be displayed in the Services list.


    Results
    The WinCollect agent is uninstalled from the Windows host.



Step 4: Upgrading the QRadar Console to the latest WinCollect version

The purpose of this procedure is to install the WinCollect Agent bundle 7.2.2-2 on the QRadar Console, then install the WinCollect Agent bundle 7.2.5. These are baseline versions and are required before you can upgrade to WinCollect 7.2.7. The administrator must update the Console appliance to the latest WinCollect version. The bundle contains all of the protocols required to communicate with and manage remote WinCollect agents from the Admin tab in QRadar. The WinCollect SFS file must be installed on the QRadar Console after all WinCollect 7.0/7.1 agents have been uninstalled.

Procedure
  1. Download the WinCollect Agent versions. A bundled download link for the latest version is available here: https://ibm.biz/wincollect101.
  2. Using SSH, log in to your Console as the root user.
  3. Copy the fix pack to the /tmp directory on the QRadar Console.
    Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
  4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
  5. Change to the directory where you copied the patch file. For example, cd /tmp
  6. To mount the WinCollect update to the /media/updates directory, type the following command:  mount -o loop -t squashfs 720_QRadar_wincollectupdate-{version}.sfs /media/updates
    NOTE:
    IBM Fix Central hosts WinCollect update files for both 7.3.x versions and 7.2.x versions as shown at the start of the filename.
  7. To run the patch installer, type the following command: /media/updates/installer

    NOTE:
    To proceed with the WinCollect Agent update, services need to be restarted on QRadar to apply protocol updates. This logs off any users currently logged in to the Console user interface. The following message is displayed:

    WARNING: Services need to be shutdown in order to apply patches. This will cause an interruption to data collection and correlation.
    Do you wish to continue (Y/N?
  8. To continue with the update, type Y. It might take several minutes for the installation to complete.
  9. Log in to the QRadar Console as an administrator, click the Admin tab > Deploy Changes. Note: It might take several minutes for the full deploy and web server restart to complete.
  10. Using SSH, log in to the QRadar Console as the root user.
  11. From the command-line, type service tomcat restart.
  12. After tomcat restarts, type the following command to remove the mount point: umount /media/updates.
  13. To mount the WinCollect 7.2.6 patch file to the /media/updates directory, type the following command:
    • QRadar 7.2.x: mount -o loop -t squashfs 720_QRadar_wincollectupdate-{version}.sfs /media/updates
    • QRadar 7.3.x: mount -o loop -t squashfs 730_QRadar_wincollectupdate-{version}.sfs /media/updates
  14. To run the patch installer, type the following command: /media/updates/installer

    NOTE:
    To proceed with the WinCollect Agent update, services need to be restarted on QRadar to apply protocol updates. This logs off any users currently logged in to the Console user interface. The following message is displayed:

    WARNING: Services need to be shutdown in order to apply patches. This will cause an interruption to data collection and correlation.
    Do you wish to continue (Y/N?

  15. To continue with the update, type Y. It might take several minutes for the installation to complete.
  16. Log in to the QRadar Console as an administrator, click the Admin tab > Deploy Changes. Note: It might take several minutes for the full deploy and web server restart to complete.
  17. Using SSH, log in to the QRadar Console as the root user.
  18. From the command-line, type service tomcat restart.
  19. After tomcat restarts, type the following command to remove the mount point: umount /media/updates.

    Results
    The WinCollect Agent and related protocols are installed on the Console. There is no need to install the SFS files on any other appliance as the QRadar Console will replicate any files and changes to other QRadar managed hosts in the network. You are now ready to install the WinCollect Agent setup (EXE) on your Windows host.
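As an added example that is not part of IBM's documentation or tooling, the following shell script wraps the mkdir, mount, installer and umount commands from the procedure above with the checks an administrator would want before touching the Console: the SFS filename prefix (720_ or 730_, as described in the NOTE after step 6) is compared against the QRadar version you pass on the command line, the WinCollect version is read from the filename, and the directory holding the SFS is checked for free space (the 500 MB threshold is an assumed value; the page only says /tmp needs sufficient space). The version string in the sample filename is constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM's script: the Step 4 mount/installer/umount sequence
# with pre-flight checks. Filename layout (720_/730_ prefix, -{version}.sfs)
# follows the Step 4 note; the free-space threshold is an assumed value.
set -eu

# Map a QRadar version such as "7.2.8" or "7.3.1" to the prefix that the
# WinCollect SFS filename carries on IBM Fix Central ("720" or "730").
sfs_prefix_for_qradar_version() {
    local major rest minor
    case "$1" in *.*) ;; *) return 1 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    printf '%s%s0\n' "$major" "$minor"
}

# Pull the WinCollect version out of a filename, for example
# 730_QRadar_wincollectupdate-7.2.7.sfs -> 7.2.7 (sample name is constructed).
sfs_version_from_name() {
    local name
    name=$(basename "$1")
    case "$name" in
        *_QRadar_wincollectupdate-*.sfs) ;;
        *) return 1 ;;
    esac
    name=${name#*_QRadar_wincollectupdate-}
    printf '%s\n' "${name%.sfs}"
}

# Return 0 when the SFS prefix is the one expected for this QRadar version.
sfs_matches_qradar_version() {
    local expected
    expected=$(sfs_prefix_for_qradar_version "$2") || return 1
    case "$(basename "$1")" in
        "${expected}_"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when directory $1 has at least $2 MB available (df -Pk is POSIX).
has_free_space_mb() {
    local avail_mb
    avail_mb=$(df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }')
    [ "${avail_mb:-0}" -ge "$2" ]
}

# One SFS install on the Console as root. Deploy Changes and the tomcat
# restart (steps 9-12 and 16-19) still follow afterwards, as the procedure says.
run_sfs_update() {
    local sfs="$1" qradar_version="$2" mnt=/media/updates
    [ -r "$sfs" ] || { echo "cannot read $sfs" >&2; return 1; }
    sfs_matches_qradar_version "$sfs" "$qradar_version" || {
        echo "refusing: $(basename "$sfs") is not the $(sfs_prefix_for_qradar_version "$qradar_version")_ build for QRadar $qradar_version" >&2
        return 1
    }
    # Assumed threshold: the page only says the directory needs "sufficient space".
    has_free_space_mb "$(dirname "$sfs")" 500 || echo "warning: under 500 MB free next to $sfs" >&2
    echo "installing WinCollect $(sfs_version_from_name "$sfs") on QRadar $qradar_version"
    mkdir -p "$mnt"
    mount -o loop -t squashfs "$sfs" "$mnt"
    trap "umount $mnt" EXIT      # step 12/19: drop the mount point even if the installer fails
    "$mnt/installer"             # prompts Y/N about the service shutdown, as in step 8/15
}

# Usage on the Console (QRadar version as shown in the user interface):
#   sh wincollect_sfs.sh /tmp/730_QRadar_wincollectupdate-7.2.7.sfs 7.3.1
if [ "$#" -ge 2 ]; then
    run_sfs_update "$1" "$2"
fi
```

Run it once per SFS, in the order the upgrade-path table gives, and do the Deploy Changes and tomcat restart between runs exactly as steps 9 to 12 describe; the prefix check is what stops a 720_ file from being mounted on a 7.3.x Console.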

Step 5: Installing the WinCollect Agent EXE on the Windows host

The next step in the process is to install the WinCollect 7.2.6 Agent (EXE) on the Windows host. Older versions of WinCollect did not require authorized service tokens; however, for security purposes we have implemented encrypted tokens to ensure that only authorized WinCollect agents can communicate with the QRadar appliances.

Before you begin

An authentication token is required during the WinCollect install. The authorization token is required by QRadar to manage WinCollect agents. The administrator can use the existing WinCollect authentication token.

Procedure
To view the existing authentication token or create a new one:

  1. Click the Admin tab.
  2. Click the Authorized Services icon.
  3. Click Add Authorized Service.
  4. Users on QRadar 7.2.7 or later can assign the User Role named WinCollect to the authorized service token.

    Note: QRadar 7.2.6 and earlier versions do not include a default WinCollect User Role. The following article describes the minimum user permissions required for an authorized service token: https://www.ibm.com/developerworks/community/forums/html/topic?id=121982bb-dfe5-4b8f-bde0-008fd19606b8&ps=25
  5. Select the No Expiry check box.
  6. Click Create Service.
  7. Select the WinCollect authentication token or create a new authorized service token. The token must not be expired.
  8. Copy the value as it is required for the WinCollect Agent install.

    Results
    You are now ready to install the WinCollect EXE on the Windows host. The next procedure walks customers through a managed install of WinCollect 7.2.6.

Procedure

  1. Download the WinCollect Agent EXE setup file. For a single download link, see: https://ibm.biz/wincollect101.
    NOTE: The IBM Fix Central link above includes both a 64-bit and 32-bit download. In most cases, administrators will want to install the 64-bit version of WinCollect as it offers higher performance, but we offer a 32-bit option for customers who have 32-bit Windows hosts.
  2. Copy the WinCollect Agent EXE to the Windows host.
  3. If the Services window is open on the Windows host, close it to prevent failure of the WinCollect agent installation.
  4. Right-click the WinCollect Agent EXE file and select Run as administrator. The installation wizard is displayed.
  5. Select the I accept the terms in the license agreement option and click Next.
  6. Type a name in the User Name field.
  7. Type a name in the Organization field and click Next.
  8. Select an installation directory for WinCollect and click Next.
  9. Select Managed as the WinCollect setup type and click Next.
  10. Configure the following values:

    Parameter: Host Identifier
    Description: Type a unique identifier for each WinCollect agent you install. Administrators can use the property %computername% in this field to automatically populate the hostname as defined by the Windows operating system. This value is used as the agent name in the WinCollect agents list. Optionally, values such as Windows-%COMPUTERNAME% or SiteA-%ComputerName% can also be used.
    Version requirement? No, required installation parameter for all WinCollect installs.

    Parameter: Authentication Token
    Description: Type the authorized service token that you created in QRadar, for example, af111ff6-4f30-11eb-11fb-1fc117711111. For more information about authorized service tokens and permissions, see: Minimum permissions for a WinCollect authorized service token.
    Version requirement? No, required installation parameter for all WinCollect installs.

    Parameter: Configuration Server (host and port)
    Description: Type the IP address or hostname of the QRadar appliance that will manage this WinCollect agent. If you use a hostname, the value must resolve in your network. For example, administrators can type the IP address 10.10.10.10 or use myhost. This field defines the configuration server that manages the WinCollect agent. For administrators on QRadar 7.1 MR2 Patch 12, this is always the IP address or hostname of the QRadar Console. To use a QRadar Event Collector or Event Processor as your Configuration Server, your QRadar deployment must be updated to V7.2.1 Patch 3 or later.
    Version requirement? No. This field is required for all standard WinCollect installations. Administrators using 'stand-alone' mode can leave this parameter blank. Using 'stand-alone' mode is uncommon for standard deployments and used in very large WinCollect

    Important: The host identifier must differ from that of the agent you deleted earlier. If you did not rename WinCollect agents to .old as described in Step 2, you might be required to manually add WinCollect agents later on in Step 6.

  11. To create a log source at installation time, click the Enable Automatic Log Source Creation check box and populate the values.
  12. To configure the log source to use advanced tuning parameters, fill in the values on the screen and click Next.



    The Event Rate Tuning Profile and Polling Interval values determine the EPS rate for the log source. Leaving the values as-is allows the agent to collect at approximately 40 events per second (EPS). The log source can be tuned in the user interface at a later time if you are unsure of how to configure these values. To discover the EPS rate on a Windows host, see our Get Event Log Report tool.
  13. Optional. To define an alternate Status Server, type an IP address or hostname and click Next.

    This field defines where the WinCollect agent sends status messages, such as heartbeat events, Service Started, Service Stopped, falling behind on event collection, and more. If this field is left blank, status messages are automatically sent to the address defined as the default Status Server address.
  14. Review the installation summary and click Next.

    NOTE: The WinCollect 7.2.6 installer now provides command-line installation parameters so that the administrator has an example that can be used as a template for other installations.
  15. Click Install to start the installation process.

    Results
    The WinCollect Agent EXE is installed on the Windows host.

Step 6: Verifying WinCollect Agents are Auto Discovered

Log in to QRadar and review the agent list to verify that agents with updates enabled display the correct information in the Version column and that events are being received by QRadar. If an agent has not been discovered by QRadar, the administrator might need to wait, especially if a large number of agents is being deployed. If port 8413 is open as stated in the requirements above, most agents auto discover in approximately 5-15 minutes.

Note: By default, agents request configuration updates every 5 minutes if the WinCollect agent has Enable Automatic Updates set to true. This value defines whether agents can be remotely updated by the Console.

If the agent does not automatically discover:
  • Verify that port TCP 8413 is open between the QRadar appliance and the Windows host. Administrators can telnet on port 8413 to verify whether communication is possible. Alternatively, administrators can verify that port 8413 is open on the Console using the "netstat -nlp | grep 8413" command.
  • Verify that Enable Automatic Updates is set to true for all agents. To verify the status of automatic updates for your agent, review the Agents list from the Admin tab > WinCollect > Agents in QRadar.
  • If an agent does not automatically discover, the administrator can manually create the agent from the Admin tab. To manually create a WinCollect agent, click the Admin tab > WinCollect > Agents > Add and fill out the values for the remote WinCollect agent.
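The port checks from Step 1 (TCP 8413 for management, TCP or UDP 514 for events) and from the first bullet above, as an added example that is not part of IBM's documentation: a bare "netstat -nlp | grep 8413" also matches a process whose PID happens to be 8413, or a listener on port 18413, so the function below anchors the match on the Local Address column and, for TCP, on the LISTEN state. The two netstat samples are constructed, and tcp_reachable is the bash equivalent of the telnet check, usable from a Linux host on the agent's side of the firewall.

```shell
#!/bin/sh
# Added example, not IBM's: the Step 1 and Step 6 port checks, made stricter
# than "netstat -nlp | grep 8413". The netstat samples below are constructed.
set -eu

# Return 0 when netstat -nlp output on stdin shows PROTO (tcp or udp) bound on
# PORT. The match is anchored on ":PORT" at the end of the Local Address column
# and, for tcp, requires LISTEN, so PID 8413 or port 18413 does not count.
port_bound() {
    awk -v proto="$1" -v port="$2" '
        $1 ~ ("^" proto) && $4 ~ (":" port "$") {
            if (proto == "udp" || $6 == "LISTEN") found = 1
        }
        END { exit !found }'
}

# Equivalent of "telnet <console> 8413" from the agent side: a TCP connect to
# HOST PORT within SECS seconds (default 3), using bash's /dev/tcp.
tcp_reachable() {
    timeout "${3:-3}" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Run on the QRadar appliance: checks the Step 1 ports against live netstat output.
check_console_ports() {
    local out
    out=$(netstat -nlp 2>/dev/null)
    printf '%s\n' "$out" | port_bound tcp 8413 || echo "TCP 8413 (agent management) is not listening"
    if printf '%s\n' "$out" | port_bound tcp 514 || printf '%s\n' "$out" | port_bound udp 514; then
        :
    else
        echo "no syslog listener on TCP or UDP 514 (events)"
    fi
}

# Constructed netstat -nlp output where 8413 is NOT listening, yet a bare
# "grep 8413" matches twice (port 18413 and a process with PID 8413).
NETSTAT_MISSING='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:18413           0.0.0.0:*               LISTEN      2201/java
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      8413/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1100/syslog'

# Constructed output for a Console where both Step 1 ports are bound.
NETSTAT_OK='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8413            0.0.0.0:*               LISTEN      2201/java
tcp6       0      0 :::443                  :::*                    LISTEN      2201/java
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1100/syslog'

# Usage on the Console: sh wincollect_ports.sh --console
if [ "${1:-}" = --console ]; then
    check_console_ports
fi
```

Against NETSTAT_MISSING, "grep -c 8413" reports 2 while port_bound tcp 8413 correctly reports nothing bound; against NETSTAT_OK both 8413 and UDP 514 are found and TCP 514 is not, which is the distinction the Step 1 list draws between the two event ports.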

Step 7: Editing Log Sources to Reconnect to the WinCollect Agent

The last step is to edit the existing WinCollect log sources and reassign them to an agent.

Procedure  
  1. Log in to the QRadar Console.
  2. Click the Admin tab.
  3. Click the Log Sources icon.
  4. Locate an existing WinCollect log source and double-click on the log source.
  5. From the WinCollect Agent list, select an agent to manage the log source.

  6. Verify that the Enabled check box is selected.
  7. Click Save.


Document Information

Modified date:
31 March 2020

UID

swg21698127