IBM QRadar

  • 1.  Wincollect agent migration to a different console

    Posted Thu March 09, 2023 09:03 AM

    Hello,

    In the coming months we are going to deploy QRadar for a customer that already has a QRadar solution (owned by an external SOC).

    Currently he has a few dozen Windows servers on which he has installed WinCollect (managed) to collect logs; is there a way we can "migrate" these agents from the current configuration console to our console without needing to reinstall them from scratch on each server?

    I found this guide:

    WinCollect: How to Change or Update the QRadar Appliance that Manages the Agent (updated)

    It refers to QRadar 7.2 or 7.3; we are now running 7.5.0.3. I found, for example, that under the current release some entries in the WinCollect configuration files are different, so I would like to know whether the tasks described in this link also apply to our release.

    Being able to "move" WinCollect agents to our deployment would be great because we would minimize the "transition" phase between the current solution and ours; we already know that the end customer won't be able to help us much with these tasks.

    B Regards



    ------------------------------
    Davide Salardi
    ------------------------------


  • 2.  RE: Wincollect agent migration to a different console

    Posted Mon March 13, 2023 01:00 PM
    Edited by James H Mon March 13, 2023 01:01 PM

    WinCollect agent versions are independent of QRadar versions.

    For example

    WinCollect 7

    This covers agents with version 7.3.1.22 and below. This will align with the SFS that's installed against your Console; this SFS will define which agents you are pushing out to Windows endpoints (e.g. WinCollect 7 / WinCollect 10).

    To switch WinCollect agents from one destination (e.g. oldconsole) to another (newconsole) you will need to alter %Program Files%\IBM\WinCollect\config\install_config.txt on each Windows endpoint, as you have linked to.

    In 'managed' mode you will also need to take a look at the authentication token, which you will need to alter on the Windows endpoint.

    For this work, I would be looking at:

    1) Create a WinCollect Destination and authtoken on newconsole

    Using central application management (SCCM, for example), for each Windows endpoint:

    2) Uninstall WinCollect on Windows endpoints 

    3) Reinstall via CLI using your newconsole details (with your clear text authtoken)

    4) Wait for autodiscover to generate your WinCollect DSM log source and Windows Event log source in your newconsole.

    From my last look, WinCollect agent 10 wasn't available in management mode, and thus I assume you're on agent version 7.3.1.22 / below.



    ------------------------------
    James H
    ------------------------------
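
As an added example (not from either poster and not IBM code), the sketch below shows the install_config.txt edit mentioned in the reply as a dry-run-friendly function: it repoints every `key=value` entry whose host is the old console and fails loudly if nothing matched. The key names and host names in the sample are constructed assumptions, not taken from a real agent file, and the authentication token still has to be handled separately.

```python
import re

# "key=value" lines only; comments and blank lines pass through untouched.
_KV = re.compile(r"^(\s*)([^=#\s][^=]*?)(\s*=\s*)(.*?)(\s*)$")


def repoint_console(config_text, old_console, new_console):
    """Return (new_text, changed_keys) with old_console replaced by new_console.

    Matching is on the host part of the value, so "host" and "host:port"
    are both rewritten and the port is kept. Line endings are preserved.
    Raises ValueError if no entry pointed at old_console, which usually
    means the wrong file or the wrong old console name was supplied.
    """
    changed, out = [], []
    for line in config_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        m = _KV.match(body)
        if m:
            lead, key, sep, value, trail = m.groups()
            host, colon, port = value.partition(":")
            if host.lower() == old_console.lower():
                body = lead + key + sep + new_console + colon + port + trail
                changed.append(key)
        out.append(body + eol)
    if not changed:
        raise ValueError(f"no entry references {old_console!r}")
    return "".join(out), changed


# Constructed sample; key names are assumptions for illustration only.
SAMPLE = (
    "# constructed sample, not a real agent file\r\n"
    "ApplicationIdentifier=SRV-APP-01\r\n"
    "ConfigurationServer=oldconsole.example.test\r\n"
    "ConfigurationServerPort=8413\r\n"
    "StatusServer=oldconsole.example.test:514\r\n"
)

if __name__ == "__main__":
    text, keys = repoint_console(
        SAMPLE, "oldconsole.example.test", "newconsole.example.test"
    )
    print("changed:", keys)
    print(text)
```

Run it against a copy of the file first and compare the reported keys with what you expect before writing anything back to an endpoint.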