A new version of WinCollect, 7.3.1-28, has been released. It is a unique build only for users on QRadar 7.5.0 UP4 or later. As the communication issue only affects QRadar 7.5.0 Update Pack 4 and later builds, the new version of WinCollect (7.3.1-28) is only intended for specific QRadar versions. The updated flash notice includes a compatibility chart.
Flash Notice: https://www.ibm.com/support/pages/node/6953887
WinCollect 7.3.1-28 (Patch 2) release notes: https://www.ibm.com/support/pages/node/6954751
Important: If you plan to upgrade to QRadar 7.5.0 Update Pack 4+ in the future, you must install WinCollect 7.3.1-28 if you have managed agents.
I'm posting a new issue here where, after users upgrade to 7.5.0 UP4, WinCollect 7.x agents can experience management or configuration change errors. This issue does not impact data collection or services, but it does impact the protocol QRadar uses to communicate with and manage remote agents.
Important: If you have managed WinCollect 7.x agents and are planning an upgrade to 7.5.0 Update Package 4, QRadar Support is recommending you wait on your upgrade until we can issue an SFS to resolve this issue. This error is documented as IJ45284.
If you experience this problem, the protocol generates session errors, which prevents new agents from being added or managed by the QRadar appliance. QRadar on Cloud admins are not affected as only stand-alone agents are used with QRadar on Cloud and this issue impacts managed agents.
We are working on a resolution to this problem, but if you have not upgraded to QRadar 7.5.0 Update Package 4 (22.214.171.12421129155237) and have managed WinCollect 7.x agents, be aware of this issue. Users have the option to disconnect their agents temporarily and use the WinCollect Configuration Console UI or update their agents through template files, but our goal is to make this issue visible so users can avoid these errors.
For more information, see the flash notice associated with this issue. I'll be making changes as more information becomes known, but users should start seeing flash notices from IBM My Notifications shortly.
As always, if there are questions you can ask in this thread, send me a private message, or contact QRadar Support directly by creating a case.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: firstname.lastname@example.org
------------------------------
This issue is a flash notice for QRadar SIEM users. If you do not have IBM My Notifications configured to receive flash notice updates, you should confirm Flashes, Technical Notes, and APARs are configured. For more information, see https://www.ibm.com/support/pages/node/479617.