Global Security Forum

  • 1.  Wincollect Standalone - Statistics.txt

    Posted Thu April 28, 2022 10:00 AM

    Hey all,
    Hoping this issue has been seen before.
    Have 2 hosts with standalone WinCollect agent 7.2.8.91.
    WinCollect heartbeats are coming in, but Windows event logs have stopped.
    Wincollect.log isn't reporting any errors.

    The statistics.txt doesn't look right and only contains zeros as opposed to values, as per the sample below from another server:

    Stat Collection from 06-30 12:34:15 to 07-01 04:36:06 :
    EvtLog.PD-HO-VP1.Application 60 Minutes: 0.08 0 0 0 0 0 0 0 0.03 0.07 0 0 0 0 0 0 0.02 0 0 0 0 0 0 0 0 0.03 0.08 0.03 0.07 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.02 0 0 0 0 0 0 0 0.10 0 0 0 0 0 0 0 0 ==>> 16 Hours: 0.01/1 0.01/4 0.01/1 0.0006/1 0.0036/1 0.01/4 0.01/4 0.02/1 0.01/1 0.0003/1 0.01/1 0.01/2 0.01/2 0.01/4 0.01/2 0.04/12
    EvtLog.PD-HO-VP1.Security 60 Minutes: 0 0 0 0 0 0 0 0 0.02 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.02 0 0.02 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.02 0 0 0 0 0.07 0.02 0 0 0 0 0 0 0 0 ==>> 16 Hours: 0.0025/1 0.0044/1 0.0044/1 0.0011/1 0.0017/1 0.0022/1 0.0025/1 0.0036/1 0.0022/1 0.0011/1 0.0028/1 0.0033/1 0.0025/1 0.0044/1 0.0017/1 0.02/9
    EvtLog.PD-HO-VP1.System 60 Minutes: 0.13 0.03 0 0 0 0 0 0 0.02 0.02 0 0 0 0.03 0 0 0 0 0 0 0 0 0 0 0 0.02 0.02 0.03 0 0.02 0 0.03 0 0 0 0 0 0 0 0 0 0 0 0.02 0 0.02 0 0 0 0 0.02 0.03 0 0 0 0 0 0 0 0.02 ==>> 16 Hours: 0.01/1 0.01/1 0.01/1 0.0036/1 0.0044/1 0.01/1 0.01/1 0.01/1 0.01/1 0.0033/1 0.01/1 0.01/1 0.01/1 0.01/1 0.0036/1 0.05/24
    trg._172_31_10_4 60 Minutes: 0.22 0.03 0 0 0 0 0 0 0.07 0.08 0 0 0 0.03 0 0 0.02 0 0 0 0 0 0 0 0 0.08 0.08 0.15 0 0.02 0 0.03 0 0 0 0 0 0 0 0 0 0 0 0.03 0 0.03 0 0 0 0 0.15 0.08 0 0 0 0 0 0 0 0.02 ==>> 16 Hours: 0.02/2 0.03/1 0.03/1 0.01/1 0.01/1 0.01/1 0.02/1 0.03/2 0.01/2 0.0047/1 0.02/1 0.02/1 0.02/1 0.02/1 0.02/1 0.12/28

    Anyone seen this and was able to resolve it?



    ------------------------------
    Gurv Bahad
    ------------------------------


  • 2.  RE: Wincollect Standalone - Statistics.txt

    Posted Fri April 29, 2022 05:32 AM
    Hi Gurv

    Better to run tcpdump on the QRadar event collector to see whether traffic is coming into the event collector or not.

    # tcpdump -nnAs0 -c 2 -i <EC's interface name> host <Wincollect IP address> and port 8413 -vv
    # tcpdump -nnAs0 -c 2 -i <EC's interface name> host <Wincollect IP address> and port 514 -vv

    If traffic is coming in, you may need to look at the QRadar logs for parsing, etc.


    ------------------------------
    Brian Kwak
    ------------------------------



  • 3.  RE: Wincollect Standalone - Statistics.txt

    Posted Fri April 29, 2022 06:44 AM

    Hey Brian,

    Thanks for your reply. Checked for traffic initially, which was only agent heartbeats.
    Looked at the agent behaviour and could see the changes in what was being recorded in the stats file, so thought to post here.

    Had since discovered that those zeros represented EPS figures in the stats file, which seemed to suggest the agent wasn't reading anything out of the MS event logs.
    Not wanting to spend more time on it, a reinstall of the agent was performed and events were reinstated.

    Thanks Again



    ------------------------------
    Gurv Bahad
    ------------------------------



  • 4.  RE: Wincollect Standalone - Statistics.txt

    Posted Fri April 29, 2022 07:32 AM
    Hello Gurv,
    The zeros mean that in that specific interval of 1 minute, the agent didn't read in any new events. Those minutes roll up into the 1 hour intervals shown to the right on the same line (you're showing 16 intervals of 1 hour each).

    You need to look at your Wincollect.log to analyse why the agent isn't reading any events. My personal guess is that the agent is working, and since the EPS is fluctuating (not all zero), the number of new events is very low. To verify this, you need to log in on the Windows host and check in the Event Viewer.

    Your agent version is quite outdated, and not supported anymore, so I suggest upgrading it to a supported version.

    For help with the Statistics file, check this Technote: https://www.ibm.com/support/pages/node/6254762

    For help on how to get more granular information (Debug output) in your Wincollect.log, check this Technote: https://www.ibm.com/support/pages/node/6404330

    Hope this helps a bit!


    ------------------------------
    Carl Mohn
    IBM
    Dublin
    ------------------------------
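A small parser for the statistics.txt layout described in the thread (60 per-minute EPS slots rolled up into 16 hourly slots), added here as an example; it is not code from the thread or from IBM's WinCollect. The sample block is constructed, the line pattern and the reading of each hourly `rate/count` token as EPS plus event count are assumptions, and the check flags EvtLog sources that show zero throughput in every slot, the symptom from the original post.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the shape of a WinCollect statistics.txt block.
# Values are made up and the slot counts are shortened; a real file carries
# 60 minute slots and 16 hour slots per line, which the parser also accepts.
SAMPLE = """Stat Collection from 06-30 12:34:15 to 07-01 04:36:06 :
EvtLog.HOST1.Application 60 Minutes: 0.08 0 0 0.03 0 0.02 ==>> 16 Hours: 0.01/1 0.01/4 0.04/12
EvtLog.HOST1.Security 60 Minutes: 0 0 0 0 0 0 ==>> 16 Hours: 0/0 0/0 0/0
trg._192_0_2_10 60 Minutes: 0.08 0 0 0.03 0 0.02 ==>> 16 Hours: 0.01/1 0.01/4 0.04/12
"""

# Assumed line layout: <source> 60 Minutes: <eps ...> ==>> 16 Hours: <eps/count ...>
LINE_RE = re.compile(
    r"^(?P<source>\S+)\s+60 Minutes:\s*(?P<minutes>[\d. ]+?)\s*"
    r"==>>\s*16 Hours:\s*(?P<hours>[\d./ ]+)$"
)


@dataclass
class SourceStats:
    source: str
    minute_eps: list[float]   # one EPS value per minute slot
    hour_eps: list[float]     # rolled-up EPS per hour slot (assumed meaning)
    hour_events: list[int]    # events per hour slot (assumed meaning of "/n")

    @property
    def idle(self) -> bool:
        """True when no minute slot and no hourly roll-up recorded any events."""
        return not any(self.minute_eps) and not any(self.hour_events)


def parse_statistics(text: str) -> dict[str, SourceStats]:
    """Parse every per-source line; the 'Stat Collection from ...' header is skipped."""
    stats: dict[str, SourceStats] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        minutes = [float(v) for v in m["minutes"].split()]
        hour_eps, hour_events = [], []
        for token in m["hours"].split():
            rate, _, count = token.partition("/")
            hour_eps.append(float(rate))
            hour_events.append(int(count or 0))
        stats[m["source"]] = SourceStats(m["source"], minutes, hour_eps, hour_events)
    return stats


def idle_event_logs(stats: dict[str, SourceStats]) -> list[str]:
    """Event-log sources (EvtLog.*) with zero throughput in every slot; the trg.*
    line is assumed to be the forwarding target total and is not flagged."""
    return sorted(s.source for s in stats.values()
                  if s.source.startswith("EvtLog.") and s.idle)
```

Run it against a real statistics.txt as a first triage step: an all-zero EvtLog line points at the agent's read side (the Wincollect.log debug output), while non-zero lines with no events arriving point at the network path, which is where the tcpdump check above fits.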