From time to time, we see certain Windows Assets appear to stop sending logs randomly. On closer inspection, it seems that the WinCollect Service has stopped and has failed to restart.
Open PowerShell, then copy and run each of the following lines. Replace <QRadarHost> with the IP address of your QRadar host.
Test-NetConnection -ComputerName <QRadarHost> -Port 514 -InformationLevel "Detailed"
Test-NetConnection -ComputerName <QRadarHost> -Port 8413 -InformationLevel "Detailed"
A successful result looks like this:
ComputerName : 192.168.221.178
RemoteAddress : 192.168.221.178
RemotePort : 514
NameResolutionResults : 192.168.221.178
MatchingIPsecRules :
NetworkIsolationContext : Internet
InterfaceAlias : 10.0.11.132
SourceAddress : 10.0.11.132
NetRoute (NextHop) : 10.0.101.1
TcpTestSucceeded : True
Note: <ConfigurationServerIP> = the ConfigurationServer IP from the install_config.txt file in the C:\Program Files (x86)\IBM\WinCollect\config folder.
<StatusServerIP> = the StatusServer IP from the same install_config.txt file.
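As an added example (not part of the original guide), the script below reads the ConfigurationServer and StatusServer values from install_config.txt and runs the same port tests against each of them, so you do not have to look the addresses up by hand. It assumes the file holds Key=Value lines and tolerates a trailing :port on the value.

```powershell
# Added example, not from the original guide: read the ConfigurationServer and StatusServer
# addresses from install_config.txt and test both QRadar ports against each of them.
# Assumption: install_config.txt holds "Key=Value" lines (a trailing ":port" is tolerated).
$ConfigFile = 'C:\Program Files (x86)\IBM\WinCollect\config\install_config.txt'
$Ports      = @(514, 8413)    # the two ports the guide tests

function Get-WinCollectServer {
    param([string]$Path, [string]$Key)
    # First "Key=Value" line wins; strip ":port" if the value carries one
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match "^\s*$Key\s*=\s*(\S+)") { return ($Matches[1] -replace ':\d+$', '') }
    }
    throw "Key '$Key' not found in $Path"
}

function Test-WinCollectConnectivity {
    param([string[]]$Hosts, [int[]]$Ports)
    foreach ($h in $Hosts) {
        foreach ($p in $Ports) {
            # -WarningAction hides the "TCP connect failed" warning; the result is reported below
            $r = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                Host         = $h
                Port         = $p
                TcpSucceeded = $r.TcpTestSucceeded
                Source       = $r.SourceAddress.IPAddress
            }
        }
    }
}

$servers = @(
    Get-WinCollectServer -Path $ConfigFile -Key 'ConfigurationServer'
    Get-WinCollectServer -Path $ConfigFile -Key 'StatusServer'
) | Select-Object -Unique

$results = Test-WinCollectConnectivity -Hosts $servers -Ports $Ports
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.TcpSucceeded }) {
    Write-Warning 'At least one QRadar port is unreachable: fix firewall rules or routing before looking at the service itself.'
}
```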
To enable debugging mode, first stop the WinCollect service. Open PowerShell and copy and run each of the following lines:
Get-Service WinCollect
Stop-Service WinCollect
Start-Service WinCollect
Locate the sections below that are commented out (each begins with <!-- and ends with -->) and remove the comment markers around them:
<!-- sample for the destination manager
<category name="Code.DestinationManager" additivity="false">
<priority value ="DEBUG" />
<appender-ref ref="WinCollectLogs"/>
<appender-ref ref="LogMonitor"/>
</category>
-->
<category name="Device" additivity="false">
<priority value ="InfoX" />
<appender-ref ref="WinCollectLogs"/>
<appender-ref ref="LogMonitor"/>
</category>
<!-- sample for the windows log and netapp plug ins
<category name="Device.WindowsLog" additivity="false">
<priority value ="DEBUG" />
<appender-ref ref="WinCollectLogs"/>
<appender-ref ref="LogMonitor"/>
</category>
<category name="Device.NetApp" additivity="false">
<priority value ="DEBUG" />
<appender-ref ref="WinCollectLogs"/>
</category>
-->
The result should look like this:
<category name="Code.DestinationManager" additivity="false">
<priority value ="DEBUG" />
<appender-ref ref="WinCollectLogs"/>
<appender-ref ref="LogMonitor"/>
</category>
<category name="Device" additivity="false">
<priority value ="InfoX" />
<appender-ref ref="WinCollectLogs"/>
<appender-ref ref="LogMonitor"/>
</category>
<category name="Device.WindowsLog" additivity="false">
<priority value ="DEBUG" />
<appender-ref ref="WinCollectLogs"/>
<appender-ref ref="LogMonitor"/>
</category>
<category name="Device.NetApp" additivity="false">
<priority value ="DEBUG" />
<appender-ref ref="WinCollectLogs"/>
</category>
The output of debugging mode is written to
C:\Program Files (x86)\IBM\WinCollect\logs\WinCollect.log
Debug log events are marked DEBUG, for example:
02-20 16:30:42.384 DEBUG Device.WindowsLog.W2K8.localhost.Security
Note the time of the last record (“16:30”).
To generate a new record, open an instance of PowerShell in Administrator mode, check in Event Viewer that an event has been created, and then view WinCollect.log:
02-20 16:31:01.119 DEBUG Device.WindowsLog.W2K8.localhost.System : Collect called with no query handle; opening new query...
02-20 16:31:01.119 InfoX Device.WindowsLog.W2K8.localhost.System : Created new query 4: <QueryList><Query Id="4" Path="Security"><Select Path="System">* and *[System[TimeCreated[@SystemTime > '2023-02-21T00:26:46.324687957Z']]]</Select></Query></QueryList>
02-20 16:31:01.119 DEBUG Device.WindowsLog.W2K8.localhost.System : SetCanUseRawMsgs to true
If everything is working, WinCollect.log should contain a record like the one above showing that a new query was opened, with a query result beginning
<QueryList><Query Id="4" Path="Security"
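As an added example (not code from the original guide), the function below summarises a slice of WinCollect.log in the format shown above: whether DEBUG lines are present at all, the timestamp of the last DEBUG line, and which query IDs were opened. The sample lines are constructed from the entries quoted in this guide; the tail call at the end is what you would run on a live host.

```powershell
# Added example, not from the original guide: summarise DEBUG activity in WinCollect.log.
# Line format assumed from the guide: "MM-dd HH:mm:ss.fff LEVEL Component[ : message]"
function Get-WinCollectDebugSummary {
    param([string[]]$Lines)
    $pattern = '^(?<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?<level>\S+) (?<comp>\S+)(?: : (?<msg>.*))?$'
    $lastDebug = $null
    $queries   = @()
    $levels    = @{}
    foreach ($l in $Lines) {
        if ($l -notmatch $pattern) { continue }
        # copy the named groups before any further -match overwrites $Matches
        $ts = $Matches.ts; $level = $Matches.level; $msg = $Matches.msg
        $levels[$level] = 1 + [int]$levels[$level]
        if ($level -eq 'DEBUG') { $lastDebug = $ts }
        if ($msg -and $msg -match 'Created new query (\d+)') { $queries += [int]$Matches[1] }
    }
    [pscustomobject]@{
        DebugEnabled  = $levels.ContainsKey('DEBUG')   # false means logconfig was not changed or the service was not restarted
        LastDebugTime = $lastDebug                     # compare with the time of the event you generated
        QueriesOpened = $queries                       # a new query ID after your test event means collection is alive
        LevelCounts   = $levels
    }
}

# Constructed sample, modelled on the log lines quoted in the guide
$sample = @(
    '02-20 16:30:42.384 DEBUG Device.WindowsLog.W2K8.localhost.Security',
    '02-20 16:31:01.119 DEBUG Device.WindowsLog.W2K8.localhost.System : Collect called with no query handle; opening new query...',
    '02-20 16:31:01.119 InfoX Device.WindowsLog.W2K8.localhost.System : Created new query 4: <QueryList>...</QueryList>',
    '02-20 16:31:01.119 DEBUG Device.WindowsLog.W2K8.localhost.System : SetCanUseRawMsgs to true'
)
Get-WinCollectDebugSummary -Lines $sample

# On a live host, read only the tail of the log so the scan stays quick:
# Get-WinCollectDebugSummary -Lines (Get-Content 'C:\Program Files (x86)\IBM\WinCollect\logs\WinCollect.log' -Tail 2000)
```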
For most environments, many of the issues with WinCollect can be eliminated simply by scheduling the service to restart every day, regardless of whether it is in good health or not.
Follow the guide below to set this scheduled restart on WinCollect.
Open Notepad, copy the contents below into the file, and save it as wincollect-restart.bat:
sc stop WinCollect
rem sc stop returns before the service has fully stopped; wait before starting it again
timeout /t 15 /nobreak >nul
sc start WinCollect
Save this script file to the same network share where you originally stored the WinCollect and Sysmon files at deployment time.
Note: The script must reside on a Network Share that is accessible to ALL assets you want to deploy to.
While there are many ways to deploy en masse across a network, this article will detail only the Group Policy method commonly used in Active Directory deployments.
Note: For instructions using any 3rd Party software deployment technologies, please contact us for further guidance.
Now that the Network Share and Batch File are completed, it is time to create the Group Policy.
Note: The Policy will be used to target settings in “Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)”.
Set your timing on the Schedule tab and click Apply and OK.
Finally, Link your Policy to the correct OU and Apply a GPO Update.
The Scheduled Task should now be set for all assets in the OU.
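As an added example (not part of the original guide), the script below registers the same daily restart as a local scheduled task on a single host and then reads the task back, which is a quick way to test the batch file before rolling it out through Group Policy. The share path is a placeholder; the task runs as SYSTEM, so the computer account needs read access to the share.

```powershell
# Added example, not from the original guide: register the daily WinCollect restart as a
# local scheduled task on one host and verify it. Placeholder share path; adjust to yours.
$ScriptPath = '\\FILESERVER\Deploy\wincollect-restart.bat'   # placeholder: the share from the guide
$TaskName   = 'WinCollect Daily Restart'

function Register-WinCollectRestartTask {
    param([string]$Name, [string]$Script, [string]$At = '03:00')
    # cmd.exe /c runs the batch file and exits; quoting protects paths with spaces
    $action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$Script`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At $At
    # SYSTEM can stop and start services; the computer account must be able to read the share.
    # Keep the share read-only for everything except administrators, since whatever is in
    # that batch file runs as SYSTEM on every host that executes the task.
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 5) -StartWhenAvailable
    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
    Get-ScheduledTask -TaskName $Name
}

$task = Register-WinCollectRestartTask -Name $TaskName -Script $ScriptPath
$info = $task | Get-ScheduledTaskInfo
"{0}: state={1}, next run={2}" -f $task.TaskName, $task.State, $info.NextRunTime

# After the first run, confirm the service came back:
Get-Service WinCollect | Select-Object Name, Status, StartType
```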
WinCollect: The configuration server registration failed with response code 0x80000007