IBM QRadar

Hi All,

I would like to check if my standalone Wincollect agent is still able to send logs even though is running a older version, like lets say Console is 7.3 and agent is 7.2.

Thanks,

Nestaz

Sorry agent version is 7.2.9.

Hi Nestaz

Wincollect agent (standalone) version 7.2.9 can send the log to Console 7.3 in most case of device and protocol (like syslog, log file).

Thanks.

BK.

Yes, Standalone agents at a different version than the QRadar appliance can still successfully sent events. In support, we typically advise that administrators upgrade their standalone agents to match their QRadar version, but the Standalone agents are in essence a Syslog forwarder and the events should parse fine. We also allow administrators to block certain managed agents from being updated as well. There is a user interface feature for managed WinCollect called, "Enable Automatic Updates". If the value is FALSE, the agent will remain at the current version and not be updated automatically, even when managed and those events will parse and categorize just fine on the QRadar appliance, even with a version mismatch.

I will note that there is a new version of WinCollect pending for 7.3.1. You can take a look at WinCollect 101 before you plan your next upgrade. As the next version of WinCollect will include some important updates, like being able to reregister agents and fixes some important issues. I just wanted to note that when you get ready to upgrade those Standalone agents, you are going to want to get on the latest, but more for fixes and features than anything related to parsing.

WinCollect 101: https://www.ibm.com/community/qradar/home/wincollect/