There is a field in WinCollect called "ConfigurationServer=" that will have the IP address or hostname of the QRadar appliance that manages your agent. You can just open the install_config.txt file and remove the IP or hostname value, then save the file. This essentially breaks the connection from QRadar to the WinCollect agent.
- On the Windows host with the WinCollect agent installed.
- Navigate to the WinCollect directory.
  The default installation directory is C:\Program Files\IBM\WinCollect\config
- Edit the file install_config.txt
- In the ConfigurationServer field, clear (remove) the IP or Hostname. For example,
  ConfigurationServer=
- Save the changes.
- Restart the WinCollect agent service.
- To confirm stand-alone mode, review the log files in C:\Program Files\IBM\WinCollect\logs\WinCollect.log
- Agents configured for stand-alone mode display the following message when the service starts:
  01-14 23:27:12.152 INFO Code.ConnectionFactory : No configuration server was specified in the install parameters; operating in 'stand-alone' mode (configuration updates must be manually applied).
  01-14 3:27:12.152 INFO System.ComponentFactory : Service ConnectionFactory v7.2.9 initialized
- Repeat this procedure for each WinCollect agent you want to configure in stand-alone mode.
But my doubts are:
1 - Do I need to reinstall wincollects?
This is a yes and no answer.
- No, if you convert existing agents to stand-alone mode, there is no need to reinstall them.
- Yes, for any agents that are still managed (connected to QRadar) that you plan to keep in managed mode, you will need to install WinCollect 7.3.1-28 after you go to QRadar 7.5.0 UP6. See the 3rd question, but there is a change in QRadar that affects managed communication for QRadar 7.5.0 UP4 or later, which you will experience that is documented for WinCollect in APAR IJ45284.
2 - What to do with wincollect entries at QRadar end once I convert them to standalone?
It depends on what you plan to do. If you plan to expand your deployment, you can leave this in place for now. You could potentially reconnect them to QRadar by putting back in the original hostname or IP address. As the agents reach out to establish a connection to QRadar (agents request updates), it will not hurt anything to leave them as-is for now. Those agents will show offline, but that is okay as they are still sending events, they are just not being managed by QRadar anymore. I typically recommend that users install the Configuration Console so that they can edit log sources in the future in case a change is required. Optionally, you could always reconnect that agent (put it back in managed mode by filling in the ConfigurationServer= value, making a change, then disconnecting it again). It is typically easier just to edit with the WinCollect Configuration Console (stand-alone log source editor).
3 - Also, I am planning to upgrade QRadar from 7.4.3 FP1 to 7.5.6 FP6, so do I need to convert wincollects first or go for an upgrade?
After you upgrade to 7.5.0 UP4 or later there is a known issue that breaks communications for managed agents: https://www.ibm.com/support/pages/qradar-after-upgrading-750-up4-wincollect-7x-agents-can-experience-management-or-configuration-change-errors-ij45284. This issue doesn't affect events being forwarded to QRadar, but does affect agent communication between QRadar and WinCollect. When you go from 7.4.3 -> 7.5.0 UP6, you will be affected by this issue for any managed agents and you'll need to update those that are still connected to QRadar. So, this is personal preference, but I'd probably disconnect those agents in advance that you plan to put in stand-alone mode first, ensure everything is working, upgrade QRadar to 7.5.0 UP6, then install updated agents for those systems you still want managed as you'll need to update some WinCollect installs to 7.3.1.28 to re-establish communication.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------
Original Message:
Sent: Sat August 05, 2023 10:20 PM
From: Abdul Quadeer
Subject: Convert Managed Wincollects to Standalone
Hi,
Currently, we have over 1000 Windows machines integrated with AIO in managed mode. As per IBM, we should not integrate more than 500 wincollect in managed mode. I need to convert the remaining wincollects to standalone mode now, so how to do it?
Found an article:
IBM Security QRadar - IBM Security Community
But my doubts are:
1 - Do I need to reinstall wincollects?
2 - What to do with wincollect entries at QRadar end once I convert them to standalone?
3 - Also, I am planning to upgrade QRadar from 7.4.3 FP1 to 7.5.6 FP6, so do I need to convert wincollects first or go for an upgrade?
------------------------------
Abdul Quadeer
------------------------------
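
The stand-alone conversion procedure from the reply above, as a PowerShell script that can be run on each agent host. This is an added example, not IBM's code or part of the original posts. It assumes the default paths quoted in the reply, a Windows service named `WinCollect`, and a plain ANSI/ASCII install_config.txt; the function names are hypothetical.

```powershell
# Added example. Paths are the defaults quoted in the post; the service name
# 'WinCollect' is an assumption, confirm it with Get-Service. Run elevated.
$ConfigPath  = 'C:\Program Files\IBM\WinCollect\config\install_config.txt'
$LogPath     = 'C:\Program Files\IBM\WinCollect\logs\WinCollect.log'
$ServiceName = 'WinCollect'

function Clear-ConfigurationServer {
    param([Parameter(Mandatory)][string]$Path)
    $lines = @(Get-Content -LiteralPath $Path)
    $hits  = @($lines | Where-Object { $_ -match '^\s*ConfigurationServer\s*=' })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one ConfigurationServer line in $Path, found $($hits.Count)"
    }
    if ($hits[0] -match '^\s*ConfigurationServer\s*=\s*$') { return $false }  # already empty
    # Timestamped backup, so the original value can be restored later.
    Copy-Item -LiteralPath $Path -Destination "${Path}.$(Get-Date -Format yyyyMMddHHmmss).bak"
    # Assumes a plain ANSI/ASCII text file; non-matching lines are written back unchanged.
    $lines -replace '^\s*ConfigurationServer\s*=.*$', 'ConfigurationServer=' |
        Set-Content -LiteralPath $Path
    return $true
}

function Wait-StandaloneMessage {
    param([Parameter(Mandatory)][string]$Path, [int]$SkipLines = 0, [int]$TimeoutSec = 60)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $all = @(Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue)
        # Only look at lines written after the restart; if the log rotated
        # and is now shorter than before, scan the whole file instead.
        $new = @(if ($all.Count -ge $SkipLines) { $all | Select-Object -Skip $SkipLines } else { $all })
        # Phrase taken from the startup message quoted in the post.
        if ($new | Select-String -Pattern "operating in 'stand-alone' mode" -SimpleMatch -Quiet) {
            return $true
        }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $deadline)
    return $false
}

$before = @(Get-Content -LiteralPath $LogPath -ErrorAction SilentlyContinue).Count
if (Clear-ConfigurationServer -Path $ConfigPath) {
    Restart-Service -Name $ServiceName
    if (-not (Wait-StandaloneMessage -Path $LogPath -SkipLines $before)) {
        Write-Warning "Stand-alone startup message not seen in $LogPath; check the agent."
    }
} else {
    Write-Output 'ConfigurationServer is already empty; nothing changed.'
}
```

The script only restarts the service when it actually changed the file, and the backup copy keeps the original ConfigurationServer value for the reconnect case described in the answer to question 2.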