IBM Security QRadar

  • 1.  Deleting multiple WinCollect agents

    Posted Mon April 15, 2024 04:54 AM
    Edited by Gal Bodiroza Mon April 15, 2024 04:56 AM

    Is there a way to delete multiple WinCollect agents using the REST API?



    ------------------------------
    Gal Bodiroza
    ------------------------------



  • 2.  RE: Deleting multiple WinCollect agents

    Posted 29 days ago
    Edited by Jonathan Pechta 29 days ago

    @Gal Bodiroza Just to clarify your question. 


    If these are managed agents on WinCollect 7.x, there is no API. You can remove them from the UI on the Admin tab from the Agent List or you can get support assistance to remove them from the ale_client table in the database. It is not recommended that you clean up the database yourself.

    Managed WinCollect agents interact through a protocol that is on each QRadar Managed Host that receives events. When agents talk to the QRadar appliance on port 8413, the agent is recorded and the managed host passes the information to the Console and updates the ale_client table. As log sources are assigned to the agent, the Console creates a configuration bundle for each agent that has the changes. When each agent hits its "Configuration Polling" interval, it calls in to the managed host and, if there are changes pending, the Console sends the changes to the remote agent, which is typically a zip of XML files. This, in a nutshell, is how managed agents work and receive updates.

    The easiest way to remove agents is to delete them from the UI. However, if you have more than 20 or 30, you might just open a support case to get them to do a remove and confirm those agents are removed correctly.

    Hope this helps. If you have follow-up questions, let us know, but your best option if you have a lot of agents is to open a case.



    ------------------------------
    Jonathan Pechta
    IBM Security - Community of Practice Lead
    jonathan.pechta1@ibm.com
    ------------------------------