IBM Support

Release of WinCollect Agent 7.2.2-2

Release Notes


Abstract

A list of the installation instructions and fixes for IBM Security WinCollect Agent 7.2.2-2.

Content

A new SFS file has been posted to IBM Fix Central for WinCollect Agent version 7.2.2-2. This update resolves two critical issues reported in the WinCollect 7.2.2-1 release.

Issues resolved in WinCollect 7.2.2-2
Number Description
IV68390 WINCOLLECT 7.2.2 LOG SOURCES THAT USE DEFINED CREDENTIALS TO COLLECT EVENTS MIGHT CAUSE A LOCKOUT CONDITION.
IV68841 DELETED WINCOLLECT AGENTS OR IMPROPERLY DECOMMISSIONED AGENTS CAN GENERATE MULTIPLE WINCOLLECT.EXE INSTANCES IN WINDOWS.


How to upgrade a WinCollect deployment to version 7.2.2-2

To upgrade to WinCollect 7.2.2-2, the administrator only needs to install the SFS file on the QRadar Console appliance. The SFS contains protocol updates and WinCollect Agent software to remotely update Windows hosts with WinCollect 7.2.2-2.

Required QRadar Version: QRadar 7.1 MR2 Patch 1 or above (7.1.1.581477)
Current WinCollect Agent Version: *WinCollect 7.1.2 or above
Step 1: **WinCollect Agent (v7.2.2-2) bundle (.sfs)
  Install one of the following based on your Console version:
  • QRadar 7.1: WinCollect 7.2.2-2 (SFS for QRadar 7.1)
  • QRadar 7.2: WinCollect Agent 7.2.2-2 (SFS)
Step 2: Not required

* Port 443 must be open between the Console and the Windows host before upgrading to the WinCollect Agent.
** Port 8413 must be open between the Console and the Windows host before upgrading to WinCollect 7.2.0 or above.




How to complete a fresh install of WinCollect 7.2.2-2

Administrators with WinCollect Agent version 7.1.1 must ensure that port 8413 is open, then reinstall the WinCollect Agent on their Windows systems. The WinCollect Agent 7.2.2-2 (SFS) file must be installed on the QRadar Console before installing the EXE file on the Windows host. Any WinCollect Agents that have the Enable Automatic Updates column set to True will receive the WinCollect Agent 7.2.2-2 software update from the Console.

Minimum Required QRadar Version: QRadar 7.1 MR2 Patch 1 or above (7.1.1.581477)
Step 1: Install **WinCollect Agent (v7.2.2-2) bundle (.sfs)
  Install one of the following based on your Console version:
  • QRadar 7.1: WinCollect 7.2.2-2 (SFS for QRadar 7.1)
  • QRadar 7.2: WinCollect Agent 7.2.2-2 (SFS)
Step 2: Install **WinCollect 7.2.2 (.exe)
  Note: For fresh agent installations the 32-bit or 64-bit exe file must be installed after the SFS file. This prevents encryption key issues from occurring.
  Install one of the following based on your Windows version:
  • WinCollect Agent 64-bit installer for Windows
  • WinCollect Agent 32-bit installer for Windows
Step 3: Create TCP or UDP syslog destinations for your QRadar appliances from the Admin tab > WinCollect icon > Destinations.
Step 4: Create log sources for your WinCollect agents from the Admin tab > WinCollect > Select an agent > Log Sources icon.
  From the log sources interface, administrators can add individual log sources or bulk add log sources to a WinCollect agent.

* Port 443 must be open between the Console and the Windows host before upgrading to the WinCollect Agent.
** Port 8413 must be open between the Console and the Windows host before upgrading to WinCollect 7.2.0 or above.

Before you begin

  • To avoid access errors in your log file, close all open QRadar sessions.
  • Verify that all changes are deployed on your appliances.
  • Installing the SFS file forces a Tomcat restart on the Console, which will log out QRadar users and stop any reports running in the background. Administrators should be aware of this service restart to schedule maintenance time appropriately.
  • Installing the SFS file forces a restart of the WinCollect service on the remote Windows host. When the WinCollect Service restarts, there is no loss in event data from your Windows systems and no operating system impact.
  • It is possible for the administrator to prevent a software update to a critical business asset or server from the WinCollect agent list on the Admin tab. The Enable Automatic Updates field must be set to false before you install an RPM or SFS file to the Console to prevent a system from being updated. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21685330.
  • The WinCollect Agent SFS file can only be installed on the QRadar Console appliance. Installing the WinCollect Agent update SFS on a managed host displays an error message to the administrator.

Procedure

  1. Download a WinCollect Agent (v7.2.2-2) bundle (.SFS) from the IBM Fix Central website for your QRadar version.
  2. Using SSH, log in to your Console as the root user.
  3. Copy the fix pack to the /tmp directory on the QRadar Console.
     Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
  4. To create the /media/updates directory, type the following command:
     mkdir -p /media/updates
  5. Change to the directory where you copied the patch file. For example:
     cd /tmp
  6. To mount the patch file to the /media/updates directory, type the following command:
     mount -o loop -t squashfs 7x0_QRadar_wincollectupdate-7.<version>.sfs /media/updates
  7. To run the patch installer, type the following command:
     /media/updates/installer

     Note: To proceed with the WinCollect Agent update, services need to be restarted on QRadar to apply protocol updates. The following message is displayed:

     WARNING: Services need to be shutdown in order to apply patches. This will cause an interruption to data collection and correlation.

     Do you wish to continue (Y/N?

  8. To continue with the update, type Y.

     During the update, the SFS installs new protocol updates. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes. After the installation is complete, services are restarted and the user interface is available.
  9. Log in to QRadar and review the agent list to verify that agents with updates enabled display 7.2.2 in the Version column and that events are being received by QRadar.

     Note: By default, agents request configuration updates every 10 minutes if the WinCollect agent has Enable Automatic Updates set to true.
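
An added example, not part of IBM's release notes or tooling: pre-flight checks an administrator could run on the Console before mounting the SFS file and running its installer as root. The function names are hypothetical, and the expected SHA-256 value is assumed to come from a trusted source alongside the download.

```sh
#!/bin/sh
# Added example: pre-flight checks for a WinCollect SFS bundle before it is
# mounted and its installer is run as root. Function names are hypothetical.

# is_squashfs FILE: succeed if FILE starts with the SquashFS magic "hsqs".
is_squashfs() {
    [ -r "$1" ] || return 1
    magic=$(head -c 4 "$1" | tr -d '\0')
    [ "$magic" = "hsqs" ]
}

# sha256_matches FILE EXPECTED: compare the file digest with a known value.
# EXPECTED is a placeholder supplied by the administrator (hex, any case).
sha256_matches() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# has_room FILE DIR: succeed if DIR's filesystem has more free KiB than
# FILE occupies, so the copy to /tmp (or another location) will not fail.
has_room() {
    need_kb=$(( ($(wc -c < "$1") + 1023) / 1024 ))
    free_kb=$(df -Pk "$2" | awk 'NR==2 {print $4}')
    [ "$free_kb" -gt "$need_kb" ]
}

# preflight FILE EXPECTED_SHA256 [DIR]: run all checks; the return code
# identifies the first failed check (1 = format, 2 = digest, 3 = space).
preflight() {
    sfs=$1; want=$2; dir=${3:-/tmp}
    is_squashfs "$sfs" || { echo "FAIL: not a SquashFS image: $sfs"; return 1; }
    sha256_matches "$sfs" "$want" || { echo "FAIL: SHA-256 mismatch: $sfs"; return 2; }
    has_room "$sfs" "$dir" || { echo "FAIL: not enough free space in $dir"; return 3; }
    echo "OK: $sfs passed; mount with: mount -o loop -t squashfs $sfs /media/updates"
}

# Run only when called with arguments: preflight.sh FILE EXPECTED_SHA256 [DIR]
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

A non-zero exit means the file should not be mounted; a digest mismatch in particular means the file should be downloaded again rather than installed.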


Results

    A summary of the installation advises you of any issues that occurred during the install.



    WinCollect RPMs contained in the SFS installer


    Files packaged in the 720_QRadar_wincollectupdate-7.2.0.201.sfs bundle

    AGENT-WINCOLLECT-7.2-1018607.noarch.rpm

    PROTOCOL-WinCollectConfigServer-7.2-1005042.noarch.rpm
    PROTOCOL-WinCollectFileForwarder-7.2-1003958.noarch.rpm
    PROTOCOL-WinCollectJuniperSBR-7.2-1003958.noarch.rpm
    PROTOCOL-WinCollectMicrosoftDHCP-7.2-1003958.noarch.rpm
    PROTOCOL-WinCollectMicrosoftIAS-7.2-1003958.noarch.rpm
    PROTOCOL-WinCollectMicrosoftIIS-7.2-1005042.noarch.rpm
    PROTOCOL-WinCollectMicrosoftISA-7.2-1003958.noarch.rpm
    PROTOCOL-WinCollectMicrosoftSQL-7.2-1003958.noarch.rpm
    PROTOCOL-WinCollectNetAppDataONTAP-7.2-1003958.noarch.rpm
    PROTOCOL-WinCollectWindowsEventLog-7.2-1007919.noarch.rpm



    Document information

    More support for: IBM QRadar SIEM

    Component: Documentation

    Software version: 7.2

    Operating system(s): Linux

    Software edition: All Editions

    Reference #: 7045054

    Modified date: 17 June 2018