For got to add a link to the upgrade docs for WinCollect 7 -> 10, but it is basically install the latest version: Upgrading a WinCollect 7 agent to WinCollect 10
You will need to decide how to manage log source changes for disconnected (stand-alone) agents. With WinCollect 10 you can use XML configuration scripts to make minor changes or the UI for WinCollect 10 on the Windows host. If you use configuration scripts, you can copy the xml to the {wincollect install path}/patch directory. The Agent will notice the new XML configuration file, restart the agent to load the change. You can use this method to make mass changes easier when you need to add, delete, or update values.
Original Message:
Sent: Fri September 29, 2023 09:42 AM
From: Jonathan Pechta
Subject: Wincollect
There should not be any changes required on your end, if you are not having any error messages related to "falling behind". I'm not sure if you are sending TCP, UDP, or TLS for your events, but there should not be an issue in the number of connections. You just want to confirm that the hardware you are using will be the same. Here are the estimated performance numbers for WinCollect agents (CPU/Memory): https://www.ibm.com/docs/en/qradar-common?topic=10-hardware-software-requirements-wincollect-host
With WinCollect 10, the collection limits are as follows:
- Windows Event Forwarding to WinCollect 10: Up to 10,000 EPS.
- Remote polling or local collection with WinCollect 10: Up to 5,000 EPS.
- As you are just forwarding events the should not be an impact on the QRadar side other than the license capacity. If you don't change the destinations in the agent configuration and were not having issues before, then you should not have an issue when you clone the host.
- When you upgrade from WinCollect 7 to 10, the installer will convert your XML file and keep all of the existing configuration (other than being able to be remotely managed). Remote management of log sources is not currently supported in WinCollect 10.
If you have a large number of agents pointing to a single QRadar appliance, you might need to tune the System Settings in QRadar to increase the maximum number of TCP connections or the number of max connections per host. This normally does not need to be tuned and only an issu, but the system will log error messages, if ecs-ec-ingress, which takes the events off of the wire and putting them in the event pipeline will write errors in the logs when it cannot accept more connections. Note: This is a NOT a common issue for most users though: QRadar: ECS-EC-Ingress refuses connections due to TCP Syslog.
If you have follow-up questions, feel free to ask.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
Original Message:
Sent: Thu September 28, 2023 10:28 AM
From: Benjamin Yabre
Subject: Wincollect
Hi Jonathan,
I am using Wincollect 7,could I know many agent pointing at a single QRadar box can be supported ?
do we have any issue if using wincollect v10 as stand alone too ?
Thanks
------------------------------
Benjamin Yabre
Original Message:
Sent: Thu September 28, 2023 09:44 AM
From: Jonathan Pechta
Subject: Wincollect
What version of WinCollect are you currently using?
If you are using managed WinCollect 7, you are going to be best served here to use Stand-alone agents as any of your managed agents that are cloned will generate errors as the PEM file for the agent won't be valid anymore. With Stand-alone agents, you do not have to worry about the configuration and certificates between QRadar and the agents to manage them.
We see these types of issues where users clone or even move virtual environments, like vCenter to Hypervisor, the PEM files need to be updated as they are invalid. In these cases, we always recommend Stand-alone agents as they are more portal and require less intervention.
As far as moving or cloning the configuration, you want to watch out for things like pointing too many agents at a single QRadar box. There are limitations as to how many agents
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
Original Message:
Sent: Mon September 25, 2023 09:35 AM
From: Benjamin Yabre
Subject: Wincollect
Hi ,
I have a project that need to clone a computer on which wincollect is installed.
my concern is what is going to happen for the collection since it's the same wincollect with the same parameters on the other computers ?
cordially,
------------------------------
Benjamin Yabre
------------------------------