Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Installing a WinCollect Agent from the Command Prompt

 

For unattended installations, you can install the WinCollect agent from the command prompt. Use the silent installation option to deploy WinCollect agents simultaneously to multiple remote systems.

The WinCollect installer uses the following command options:

Table 1: Silent Installation Options for WinCollect Agents

Option

Valid entries and description

/qn

Runs the WinCollect agent installation in silent mode.

INSTALLDIR

The installation location for WinCollect.

If the installation directory contains spaces, add a backslash before the quotation marks.

AUTHTOKEN=token

For managed WinCollect agents only. Uses the previously configured Authorization Token from JSA to authorize the managed agent. For example, AUTH_TOKEN=af111ff6-4f30-11eb-11fb-1f c1 17711111

FULLCONSOLEADDRESS=host_address

The IP address, host name, or FQDN of the JSA Console, Event Processor, or Event Collector that manages the agent.

Examples:

  • FULLCONSOLEADDRESS=192.0.2.0

  • FULLCONSOLEADDRESS=EPqradar

  • FULLCONSOLEADDRESS=EPqradar.myhost. com

HOSTNAME=host name

The Hostname field is used to assign a name to the WinCollect agent. The values that are used in this field can be an identifiable name, hostname, or IP address. In most cases, administrators can use HOSTNAME=%COMPUTERNAME% to auto populate this field.

The IP address or host name of the WinCollect agent host cannot contain the "at" sign, @.

STATUSSERVER

An alternative destination to send WinCollect status messages to, such as the heartbeat, if required.

LOG_SOURCE_AUTO_CREATION_ENABLED

Required, True or False

If you enable this option, you must configure the log source parameters.

JSA must be updated to 2014.1.r1.734536 or later.

LOG_SOURCE_AUTO_CREATION_ PARAMETERS

Ensure that each parameter uses the format: Parameter_Name=value.

The parameters are separated with ampersands, &.

Your JSA must be updated to 2014.1.r1.734536 or later.

LOG_MONITOR_SOCKET_TYPE=TCP

This sets the protocol that is used by heartbeat and status messages to be sent using TCP. The default protocol is UDP.

Note: This option is only available in stand-alone WinCollect deployments. Availability for managed agents is planned in a later release of JSA.

Component1.Action

create

Creates a new windows event log source during the installation.

Component1.LogSourceIdentifier

The IP address or host name of the system where the agent is installed.

Component1.Destination.Name

The destination name is an alphanumeric value that is used to specify where a WinCollect log source sends event data. This value must be a JSA appliance capable of receiving event data, such as an Event Processor, Event Collector, or JSA Console.

Note: In managed deployments, the destination must be an “internal destination”, and the name must exist in the JSA user interface before the installation, otherwise the log source configuration parameters are discarded and no log sources are automatically created.

Internal Destination - Managed hosts with an event processor component

External Destination - Destination that you configured as the WinCollect destination and is not known to the Console as a Managed Host

Component1.Dest.Hostname

(Stand alone deployments only)

The IP address or host name where you send WinCollect events.

Component1.Dest.Port

(Stand alone deployments only)

The port that WinCollect uses when it communicates with the destination.

Component1.Dest.Protocol

(Stand alone deployments only)

TCP or UDP

Component1.Dest.MaxPayloadSize

(Stand alone deployments only)

Maximum payload size sent to the destination (Default values are 1020 UDP and 32000 TCP).

Component1.Log.Security

Required, True or False

The Windows Security log contains events that are defined in the audit policies for the object.

Component1.Log.System

Required, True or False

The Windows System logs can contain information about device changes, device drivers, system changes, events, and operations provided by the operating system.

Component1.Log.Application

Required, True or False

The Windows Application logs contain events that are triggered by software applications instead of the operating system. The logs can contain errors, information, and warning events.

Component1.Log.DNS+Server

Required, True or False

The Windows DNS Server log contains DNS events.

Component1.Log.File+Replication+Service

Required, True or False

The Windows File Replication Service log contains events about changed files that are replicated on the system.

Component1.Log.Directory+Service

Required, True or False

The Windows Directory Service log contains events that are written by the active directory.

Component1.RemoteMachinePollInterval

The polling interval that determines the number of milliseconds between queries to the Windows host.

The minimum polling interval is 300 milliseconds. The default is 3000 milliseconds or 3 seconds.

Component1.EventRateTuningProfile

(Managed deployments only)

Select one of the following tuning profiles:

  • Default+(Endpoint)

  • Typical+Server

  • High+Event+Rate+Server

Component1.MaxLogsToProcessPerPass

(Stand alone deployments only)

Not required.

The maximum number of logs (in binary form) that the algorithm attempts to acquire in one pass, if remaining retrievable events exist.

Note: Use this parameter to improve performance for event collection, however, this parameter can also increase processor usage.

Component1.MinLogsToProcessPerPass

(Stand alone deployments only)

Not required.

The minimum number of logs (in binary form) that the algorithm attempts to read in one pass, if remaining retrievable events exist.

Note: You can use this parameter to improve performance for event collection, but this parameter can also increase processor usage.

Component1.StoreEventPayload

Not required.

Specifies that JSA event payloads are to be stored.

  1. Download the WinCollect agent setup file from https://support.juniper.net/support/downloads/
  2. On the Windows host, open a command prompt by using Run as Administrator.Note

    In managed deployments, the destination name that is used during automatic log source creation must exist before the command-line installation runs. Verify the destination name in the JSA user interface before you start the installation.

  3. Type the following command:

    wincollect-<Version_number>.x64.exe /s /v" /qn INSTALLDIR=<”C:\IBM\WinCollect"> AUTHTOKEN=<token> FULLCONSOLEADDRESS=<host_address> HOSTNAME=<hostname> LOG_SOURCE_AUTO_CREATION=<true|false> LOG_SOURCE_AUTO_CREATION_PARAMETERS=<”parameters”””>

    The following example shows a silent installation for a Stand alone WinCollect agent.

    Note

    This example contains line breaks for formatting. The actual command is a single line.

    wincollect-<version_number>.x86.exe /s /v"/qn INSTALLDIR=\"C:\Program Files \IBM\WinCollect\" HEARTBEAT_INTERVAL=6000 LOG_SOURCE_AUTO_CREATION_ENABLED= True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice= DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName= %COMPUTERNAME%-1&Component1.LogSourceIdentifier= <ip_address>&Component1.Dest.Name=QRadar&Component1 .Dest.Hostname=<ip_address>&Component1.Dest.Port= 514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1 .Log.System=true&Component1.Log.Application=true &Component1.Log.DNS+Server=false&Component1.Log.File+Replication+ Service=false&Component1.Log.Directory+Service=false&Component1. RemoteMachinePollInterval=3000&Component1.EventRateTuningProfile=High+ Event+Rate+Server&Component1.MinLogs ToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1875

    The following example shows a silent installation for a managed WinCollect agent.

    Note

    This example contains line breaks for formatting. The actual command is a single line.

    wincollect-<version_number>.x86.exe /s /v"/qn INSTALLDIR=\"C:\Program Files \IBM\WinCollect\" AUTHTOKEN=1111111-aaaa-1111-aaaa-11111111 FULLCONSOLEADDRESS=<ip_address:port> HOSTNAME=%COMPUTERNAME% LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS =""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create &Component1.LogSourceName=%COMPUTERNAME%&Component1.LogSourceIdentifier= %COMPUTERNAME%&Component1.Log.Security=true&Component1.Log.System=false &Component1.Log.Application=false&Component1.Log.DNS+Server=false &Component1.Log.File+Replication+Service=false&Component1.Log. Directory+Service=false&Component1.Destination.Name=Local& Component1.RemoteMachinePollInterval=3000&Component1.EventRate TuningProfile=High+Event+Rate+Server"""

  4. Press Enter.