For invalid pem, I deleted the ConfigurationServer.PEM from C:\ProgramFiles\IBM\WinCollect\config and restarted the services so that the QRadar appliance can issue a new PEM file upon discovering that the file is missing. Although the PEM file has been reissued, the WinCollect agent has still not been discovered.
The result of less /var/log/qradar.log | grep invalid is attached below:
However, I have no idea what this means.
------------------------------
Talal Ansari
------------------------------
Original Message:
Sent: Mon March 16, 2020 03:36 PM
From: hostcontext restart
Subject: WinCollect Agent Not Discovered
Check the event processor or console (whichever is configured to manage the agent) for 'invalid pen' with a less /var/log/qradar.log | grep invalid. It could be because there is now an agent with the same name as before.
Original Message------
Hi,
I am facing an issue with the WinCollect agent. Let's start with a little bit of background. I had installed the WinCollect agent on a system and it was discovered by WinCollect on QRadar; however, I uninstalled the WinCollect agent from the system for some reasons and then installed it again. This time WinCollect in QRadar did not discover it. When I navigated to /store/configservices/wincollect/configserver/<servername> I found the folder for the host, but it contained only 1 file, which was <servername>.key, whereas the other folders of the hosts that were discovered successfully contained three files: AgentConfig.hash, AgentConfig.tar.gz and <servername>.key. The steps that I have already tried are as follows:
1) Stopped WinCollect services on the Windows host, changed the "ApplicationIdentifier", renamed ConfigurationServer.PEM to ConfigurationServer.PEM.old and then restarted the WinCollect service.
2) Changed the <servername>.key to <servername>.key.old and restarted WinCollect services on the Windows host.
3) Reinstalled the WinCollect agent on the Windows host.
Nothing has worked so far.
NOTE: My wincollect.sfs version matches the version of the WinCollect agent installed on the Windows host.
Any help with regard to this will be a life saver. TIA
------------------------------
Talal Ansari
------------------------------
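
Added example, not part of the thread and not IBM code: a shell check for the symptom described in the original message, where a host folder under the configserver directory holds only <servername>.key instead of the three files seen for discovered agents. The function names and the sample host names are made up for illustration; the default path and the three file names are the ones quoted in the post.

```shell
#!/bin/sh
# Lists agent folders that lack any of the three files the post names for a
# successfully discovered agent: AgentConfig.hash, AgentConfig.tar.gz, <host>.key.
# check_agent_dirs and demo are hypothetical helper names.

check_agent_dirs() {
    # Default is the path quoted in the post; pass another directory to override.
    base="${1:-/store/configservices/wincollect/configserver}"
    [ -d "$base" ] || { echo "no such directory: $base" >&2; return 2; }
    incomplete=0
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue        # glob matched nothing
        host=$(basename "$dir")
        missing=""
        for f in AgentConfig.hash AgentConfig.tar.gz "$host.key"; do
            [ -f "$dir$f" ] || missing="$missing $f"
        done
        if [ -n "$missing" ]; then
            echo "$host: missing$missing"
            incomplete=$((incomplete + 1))
        fi
    done
    [ "$incomplete" -eq 0 ]              # status 0 only if every folder is complete
}

# Constructed sample layout: one complete folder, one with only the .key file.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/HOST-OK" "$tmp/HOST-STUCK"
    touch "$tmp/HOST-OK/AgentConfig.hash" "$tmp/HOST-OK/AgentConfig.tar.gz" \
          "$tmp/HOST-OK/HOST-OK.key" "$tmp/HOST-STUCK/HOST-STUCK.key"
    rc=0
    check_agent_dirs "$tmp" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "incomplete agent folders found in the sample layout"
```

On the managing QRadar host, calling check_agent_dirs with no argument scans the path from the post and prints one line per host whose folder is incomplete.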