QRadar XDR

  • 1.  WinCollect Agent Not Discovered

    Posted Mon March 16, 2020 03:08 PM
    Hi,

    I am facing an issue with the WinCollect agent. Let's start with a little bit of background. I had installed the WinCollect agent on a system and it was discovered by WinCollect on QRadar; however, I uninstalled the WinCollect agent from the system for some reasons and then installed it again. This time WinCollect in QRadar did not discover it. When I navigated to /store/configservices/wincollect/configserver/<servername> I found the folder for the host, but it contained only one file, <servername>.key, whereas the other folders of the hosts that were discovered successfully contained three files: AgentConfig.hash, AgentConfig.tar.gz and <servername>.key. The steps that I have already tried are as follows:

    1) Stopped the WinCollect services on the Windows host, changed the "ApplicationIdentifier", renamed ConfigurationServer.PEM to ConfigurationServer.PEM.old and then restarted the WinCollect service.

    2) Changed the <servername>.key to <servername>.key.old and restarted the WinCollect services on the Windows host.

    3) Reinstalled the WinCollect agent on the Windows host.

    Nothing has worked so far.

    NOTE: My wincollect.sfs version matches the version of the WinCollect agent installed on Windows.


    Any help with regard to this will be a life saver. TIA




    ------------------------------
    Talal Ansari
    ------------------------------


  • 2.  RE: WinCollect Agent Not Discovered

    Posted Mon March 16, 2020 03:37 PM
    Check the event processor or console (whichever is configured to manage the agent) for 'invalid pem' with a less /var/log/qradar.log | grep invalid. It could be because there is now an agent with the same name as before.
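    Put together as an added example (not code from the thread or from IBM): a small POSIX shell script that performs the two checks raised in the first two posts, listing configserver host folders that lack the three files a discovered agent has, and counting 'invalid' PEM lines per agent name in qradar.log. The directory layout, file names, the log path and the sample log lines are constructed from what the posts describe; on a real console or event processor, point CONFIGSERVER and QRADAR_LOG at the actual paths instead of the temp copy.

    ```shell
    #!/bin/sh
    # Added example, not from the thread. Assumes the layout named in the posts:
    # /store/configservices/wincollect/configserver/<host>/ holds AgentConfig.hash,
    # AgentConfig.tar.gz and <host>.key for a discovered agent; /var/log/qradar.log
    # is where 'invalid pem' lines show up. A constructed copy of both is built
    # under a temp dir so the script runs offline.

    CONFIGSERVER="${CONFIGSERVER:-$(mktemp -d)/configserver}"
    QRADAR_LOG="${QRADAR_LOG:-$(dirname "$CONFIGSERVER")/qradar.log}"

    # Constructed sample: winhost01 was discovered; winhost02 has only its .key
    # file, the state described in post 1. Log lines are constructed, not real output.
    mkdir -p "$CONFIGSERVER/winhost01" "$CONFIGSERVER/winhost02"
    touch "$CONFIGSERVER/winhost01/AgentConfig.hash" \
          "$CONFIGSERVER/winhost01/AgentConfig.tar.gz" \
          "$CONFIGSERVER/winhost01/winhost01.key" \
          "$CONFIGSERVER/winhost02/winhost02.key"
    cat > "$QRADAR_LOG" <<'EOF'
    Mar 16 15:10:01 qradar-console wincollect: agent winhost01 configuration delivered
    Mar 16 15:12:44 qradar-console wincollect: agent winhost02 rejected: invalid PEM for existing agent name
    Mar 16 15:13:02 qradar-console wincollect: agent winhost02 rejected: invalid PEM for existing agent name
    EOF

    # Print each host folder that is missing any of the three files a discovered
    # agent has, e.g. "winhost02 missing: AgentConfig.hash AgentConfig.tar.gz".
    find_undiscovered() {
        for dir in "$1"/*/; do
            [ -d "$dir" ] || continue
            host=$(basename "$dir")
            missing=""
            for f in AgentConfig.hash AgentConfig.tar.gz "$host.key"; do
                [ -f "$dir$f" ] || missing="$missing $f"
            done
            [ -n "$missing" ] && echo "$host missing:$missing"
        done
        return 0
    }

    # Count case-insensitive 'invalid' lines for one agent name in qradar.log
    # (the grep from post 2, narrowed to the agent that was re-installed).
    invalid_pem_count() {
        grep -ic "agent $2 .*invalid" "$1" || true
    }

    find_undiscovered "$CONFIGSERVER"
    invalid_pem_count "$QRADAR_LOG" winhost02
    ```

    A host that shows up in the first list with a non-zero count in the second matches the "same agent name as before" cause suggested above.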






  • 3.  RE: WinCollect Agent Not Discovered

    Posted Mon March 16, 2020 04:28 PM
    Edited by Talal Ansari Mon March 16, 2020 04:30 PM
    For invalid pem, I deleted the ConfigurationServer.PEM from C:\ProgramFiles\IBM\WinCollect\config and restarted the services so that the QRadar appliance can issue a new PEM file upon discovering that the file is missing. Although the PEM file has been reissued, the WinCollect agent has still not been discovered.

    The result of less /var/log/qradar.log | grep invalid is attached below:
    This is the result I am getting after running the mentioned command; however, the meaning of this result is way over my head.

    However, I have no idea what this means.


    ------------------------------
    Talal Ansari
    ------------------------------



  • 4.  RE: WinCollect Agent Not Discovered

    Posted Mon July 19, 2021 08:43 AM

    Hi,
    Did you manage to fix this in the end? What was the fix? :)



    ------------------------------
    Qradar Kitty
    ------------------------------



  • 5.  RE: WinCollect Agent Not Discovered

    Posted Mon July 19, 2021 08:43 AM
    Hi,

    Did you fix this in the end? What was the issue? :)

    ------------------------------
    Qradar Kitty
    ------------------------------



  • 6.  RE: WinCollect Agent Not Discovered

    Posted Sat July 24, 2021 06:30 AM
    Hello Talal,

    Maybe this is a good starting point for troubleshooting: https://www.ibm.com/community/qradar/home/wincollect/
    There are some dependencies (ports) to check for proper communication between agent and console, for example port 8413. This port is used for managing WinCollect agents to request and receive code and configuration updates...
    Maybe this link will help as well: https://www.ibm.com/docs/en/qradar-common?topic=wincollect-communication-between-agents-qradar

    Regards,
    Ralph

    ------------------------------
    Ralph Belfiore
    SIEM Expert
    pro4bizz GmbH
    Karlsruhe
    ------------------------------



  • 7.  RE: WinCollect Agent Not Discovered

    Posted Mon July 26, 2021 07:41 AM
    As a workaround, try uninstalling the agent from the PC and installing it again, appending some character or number to the host identifier name.

    Once WinCollect has been installed with the same name it will not work unless it is installed with a different identifier name.


    Regards,

    Maqsood Raza