Hello All,

Could anyone please helping me in this issue that I have installed Qradar v 7.3.3 patch 3 on a VM and I want to test the Wincollect and Wincollect File forwarder So, I installed the Wincollect agent v 7.3.0.41 into deferent windows servers and the Agent was running and Enabled but when I check the LogSources I found that it with NA Status and there is no events retrieved into the Qradar Console 

as a Troubleshooting i tried to check the Wincollect Event list from the Wincollect Tab into the Console I found this Error MSG in one of the Wincollect log sources as the Below So, kindly if anyone has saw this issue before or know ho to solve this issue kindly Inform me ASAP.
Kindly Be informed that these MSGs was for one Wincollect LogSources and the Other logsources doesn't have the Same Error but with the Same NA Status.

Thanks





The Wincollect Error MSG and Warning MSG as the Following 

sev=4	log=Code.StoreAndForwardIncoming._WINCOLLECT	msg=Event cache rejected new message block. Messages lost 799.

sev=5	log=Code.EventCache	msg=Unable to push 977 events to C:\ProgramData\WinCollect\Data\Events\_WINCOLLECT\2020-12-08-12-31\25_1180 -- DiskManager can't allocate 2548854 bytes

------------------------------
Moustafa Salah
------------------------------

Original Message:
Sent: 12/8/2020 7:38:00 AM
From: Moustafa Salah
Subject: Wincollect with NA Status

Hello All,

Could anyone please helping me in this issue that I have installed Qradar v 7.3.3 patch 3 on a VM and I want to test the Wincollect and Wincollect File forwarder So, I installed the Wincollect agent v 7.3.0.41 into deferent windows servers and the Agent was running and Enabled but when I check the LogSources I found that it with NA Status and there is no events retrieved into the Qradar Console 

as a Troubleshooting i tried to check the Wincollect Event list from the Wincollect Tab into the Console I found this Error MSG in one of the Wincollect log sources as the Below So, kindly if anyone has saw this issue before or know ho to solve this issue kindly Inform me ASAP.
Kindly Be informed that these MSGs was for one Wincollect LogSources and the Other logsources doesn't have the Same Error but with the Same NA Status.

Thanks





The Wincollect Error MSG and Warning MSG as the Following 

sev=4	log=Code.StoreAndForwardIncoming._WINCOLLECT	msg=Event cache rejected new message block. Messages lost 799.

sev=5	log=Code.EventCache	msg=Unable to push 977 events to C:\ProgramData\WinCollect\Data\Events\_WINCOLLECT\2020-12-08-12-31\25_1180 -- DiskManager can't allocate 2548854 bytes

------------------------------
Moustafa Salah
------------------------------

Hi,

i assume you've followed the prerequisits of installing the wincollect Agent on the selected Server. Check as well the recommendations for proper free disk Space.

Troubleshooting wincollect requires some dependencies to consider..

For further troubleshooting i recommend also wincollect 101 Pages. Another idea could be, to check or tune the amount of incomming events from the belonging logsource, in case of insuffizient disk space..

Regards,

Ralph

------------------------------
Ralph Belfiore
IT Security Senior Consulting
pro4bizz GmbH
Karlsruhe
+49 721 90981720
------------------------------

Original Message:
Sent: Tue December 08, 2020 07:38 AM
From: Moustafa Salah
Subject: Wincollect with NA Status

Hello All,

Could anyone please helping me in this issue that I have installed Qradar v 7.3.3 patch 3 on a VM and I want to test the Wincollect and Wincollect File forwarder So, I installed the Wincollect agent v 7.3.0.41 into deferent windows servers and the Agent was running and Enabled but when I check the LogSources I found that it with NA Status and there is no events retrieved into the Qradar Console 

as a Troubleshooting i tried to check the Wincollect Event list from the Wincollect Tab into the Console I found this Error MSG in one of the Wincollect log sources as the Below So, kindly if anyone has saw this issue before or know ho to solve this issue kindly Inform me ASAP.
Kindly Be informed that these MSGs was for one Wincollect LogSources and the Other logsources doesn't have the Same Error but with the Same NA Status.

Thanks





The Wincollect Error MSG and Warning MSG as the Following 

sev=4	log=Code.StoreAndForwardIncoming._WINCOLLECT	msg=Event cache rejected new message block. Messages lost 799.

sev=5	log=Code.EventCache	msg=Unable to push 977 events to C:\ProgramData\WinCollect\Data\Events\_WINCOLLECT\2020-12-08-12-31\25_1180 -- DiskManager can't allocate 2548854 bytes

------------------------------
Moustafa Salah
------------------------------