IBM Security QRadar

Hello
We installed WinCollect on a Windows Server, created destination before the installation of Wincollect. But we don't see events from Wincollect in QRadar console, we have the following message:
WinCollect Agent mismatch. RetrieveConfigurationUpdate succeeded, but the configuration file fingerprints don't match
How to solve this issue?

Here is the information about QRadar and Wincollect:


1) /opt/qradar/support/WinCollectHealthCheck.sh -d

1 | AgentCore | AgentCore | Service | 4 | 7.2.5-27

2) rpm -qa | grep Collect
DSM-WinCollect-7.3-20160908133313.noarch

3) [root@qradar732 ~]# /opt/qradar/bin/myver -v
Product is 'QRadar'
Appliance is 'software'
Core version is '7.3.2.20190705120852'
Latest version is '7.3.2.20190705120852'
Branded version is ''
Branded latest version is ''
Release name is ''
Version installed with is '7.3.2.20190705120852'
Internal version is '7.3.2.4'
RPM version is '7.3.2.20190705120852'

4) WinCollect agent installed is at version 7.3.0.41 (installed on Windows Server 2012R2)



------------------------------
Igor Volkov
------------------------------

Hello Igor,

regarding to wincollect, there are several dependencies to consider. Not knowing exactly your "blue print" and deplyoment strategie of collecting windows events, maybe this article will support you with more details: https://www.ibm.com/community/qradar/home/wincollect/

in case of using QRadar Release 7.3.2 x you'll have to consider to select the matching version of wincollect running on the QRadar Console "730_Wincollect..".sfs file suitable to the agent "wincollect".exe running on a windows server.

In case of running QRadar Release 7.4.x you'll have to use wincollect 740_Wincollect for the console .sfs file Release and suitable .exe for windows server...
Just to keep in mind :)

Regards,
Ralph

------------------------------
Ralph Belfiore
SIEM Expert
pro4bizz GmbH
Karlsruhe
+49 721 90981727
------------------------------

Original Message:
Sent: Fri April 23, 2021 10:31 AM
From: Igor Volkov
Subject: WinCollect traffic issue

Hello
We installed WinCollect on a Windows Server, created destination before the installation of Wincollect. But we don't see events from Wincollect in QRadar console, we have the following message:
WinCollect Agent mismatch. RetrieveConfigurationUpdate succeeded, but the configuration file fingerprints don't match
How to solve this issue?

Here is the information about QRadar and Wincollect:


1) /opt/qradar/support/WinCollectHealthCheck.sh -d

1 | AgentCore | AgentCore | Service | 4 | 7.2.5-27

2) rpm -qa | grep Collect
DSM-WinCollect-7.3-20160908133313.noarch

3) [root@qradar732 ~]# /opt/qradar/bin/myver -v
Product is 'QRadar'
Appliance is 'software'
Core version is '7.3.2.20190705120852'
Latest version is '7.3.2.20190705120852'
Branded version is ''
Branded latest version is ''
Release name is ''
Version installed with is '7.3.2.20190705120852'
Internal version is '7.3.2.4'
RPM version is '7.3.2.20190705120852'

4) WinCollect agent installed is at version 7.3.0.41 (installed on Windows Server 2012R2)



------------------------------
Igor Volkov
------------------------------