IBM QRadar

Hey community,

When WinCollect gets installed, the server throws up this error:

in the "WinCollect Warning" event name. Has anyone had this issue? We have the agent installed on other servers in our environment but none of them have had this issue. We've tried uninstalling, reinstalling with new Authentication Tokens (I renamed the old tokens), still shows the same errors.

Firewall is also showing that sessions are being CLOSED and not DENIED. So doesn't appear to be a firewall issue.

Current Qradar version: 7.3.2.

Wincollect Agent version: 7.2.9.72

thanks

If the agent still exsists follow these steps, if it is already deleted skip on down:

1.Search the agent in the Wincollect UI and rename the "hostname" field to something different, for example agent_old. Save changes.

2.Delete the agent.

3.Delete the agent's folder under /store/configservices/wincollect/configserver/<agentname>

4.Remove the ConfigurationServer.PEM file from the config folder in the agent and start the Wincollect service. which is in C:\Program Files\IBM\WinCollect\config.

If the agent was already deleted:

1.Connect to the QRadar console with root user via SSH

2.Run the following command to query the agent and confirm if it is deleted:

psql -U qradar -c "select id, hostname, deleted from ale_client where hostname like '%AGENTNAME%';"

** Replace AGENTNAME with the name of the agent, it is a case sensitive value.

3.With the results above confirm what entries have the original hostname and are deleted='t'

4.Run the following command to rename the agent:

psql -U qradar -c "update ale_client set hostname = hostname || '_DELETED' where deleted = 't' and id=<id>;"

**Replace the ID with the value taken from the query above.

5.Close the DB connection:

\q

6.Remove the ConfigurationServer.PEM file from the agent and start the Wincollect service.

which is in C:\Program Files\IBM\WinCollect\config.