WinCollect Log File
The WinCollect log file provides information about your deployment. Logs provide valuable information for troubleshooting issues.
WinCollect Log Overview
WinCollect generates Log Event Extended Format (LEEF) messages during installation and configuration and writes them to a single log file. The server in the Status Server field receives the LEEF messages through syslog. These messages report on the status of the WinCollect service, authorization token, configuration, and more.
The following example displays a LEEF message that alerts administrators that the WinCollect agent is generating more events than the log source is tuned for.
<13>Sep 22 09:07:56 IPADDRESS LEEF:1.0|IBM|WinCollect|7.2|3|src=MyHost.example.com dst=10.10.10.10 sev=4 log=Device.WindowsLog.EventLog.MyHost.example.com.System.Read msg=Reopening event log due to falling too far behind (approx 165 logs skipped). Incoming EPS r.avg/max = 150.50/200.00. Approx EPS possible with current tuning = 40.00
You can search for syslog messages by using the IP address of the WinCollect agent. JSA tracks information from the audit log to determine when log sources are created, when searches are run, and so on.
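The following added example (not part of the original documentation and not WinCollect or JSA code) parses the tuning message shown above and extracts the skipped-log count and EPS figures, so that a gap in event collection on an agent can be flagged. The function names are hypothetical, and the parser assumes that attributes are separated by spaces or tabs and that msg is the last attribute, as in the sample.

```python
import re

# Sample input: the tuning message quoted on this page, unchanged.
SAMPLE = ("<13>Sep 22 09:07:56 IPADDRESS LEEF:1.0|IBM|WinCollect|7.2|3|"
          "src=MyHost.example.com dst=10.10.10.10 sev=4 "
          "log=Device.WindowsLog.EventLog.MyHost.example.com.System.Read "
          "msg=Reopening event log due to falling too far behind "
          "(approx 165 logs skipped). Incoming EPS r.avg/max = 150.50/200.00. "
          "Approx EPS possible with current tuning = 40.00")

HEADER = re.compile(r"LEEF:(?P<leef>[\d.]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)"
                    r"\|(?P<version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$")
KEY = re.compile(r"(?:^|[\t ])(\w+)=")  # a key touches '=' with no space before it
NUM = r"(\d+(?:\.\d+)?)"
TUNING = re.compile(r"approx (\d+) logs skipped.*?r\.avg/max = " + NUM + "/" + NUM +
                    r".*?current tuning = " + NUM)

def parse_leef(line):
    """Split a WinCollect LEEF status line into header fields and attributes."""
    m = HEADER.search(line)
    if m is None:
        return None
    event = m.groupdict()
    # Assumption: msg is free text and always the last attribute, as in the sample.
    head, sep, msg = event.pop("attrs").partition("msg=")
    keys = list(KEY.finditer(head))
    fields = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(head)
        fields[k.group(1)] = head[k.end():end].strip()
    if sep:
        fields["msg"] = msg.strip()
    event["fields"] = fields
    return event

def tuning_finding(event):
    """Return event-loss details for a 'falling too far behind' notice, else None."""
    t = TUNING.search(event["fields"].get("msg", ""))
    if t is None:
        return None
    skipped, avg, peak, possible = int(t[1]), float(t[2]), float(t[3]), float(t[4])
    return {"agent": event["fields"].get("src"), "log": event["fields"].get("log"),
            "skipped": skipped, "avg_eps": avg, "max_eps": peak,
            "possible_eps": possible, "shortfall_eps": round(avg - possible, 2)}

if __name__ == "__main__":
    print(tuning_finding(parse_leef(SAMPLE)))
```

A non-zero skipped count means Windows events were never forwarded for that log, so searches over that period on the affected host are incomplete.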
WinCollect Log Types
The default log directory is C:\Program Files\IBM\WinCollect\logs\. The log file is named
Each log entry is tagged with an identifier that indicates the entry type:
The following table describes the types of log entries in the WinCollect log file.
Table 1: WinCollect Log Types
Indicates system information, such as the operating system that the agent is installed on, RAM and CPU information from the operating system, service start-up information, and WinCollect version information.
Indicates information about spillover and cache messages, file reader messages, authorization token messages, IP address or host name information for the local host, issues with destinations, log source auto-creation, stand-alone mode messages, and thread or process start-up and shutdown messages. Use these entries to investigate the WinCollect configuration. This log does not provide information about event collection.
Created when WinCollect collects events, by the protocols that run event log collection. The following issues are logged as device entries:
Permission or Authentication
Windows error codes (hex value codes provided by the operating system, such as 0x000005 access denied)
File path or location
Event log is overdue to be polled
Event log transactions
RPC is unavailable (unable to find the location that you specified)
Reopening due to falling too far behind (tuning messages)
Disk Space Management for Log Files
WinCollect manages disk space for logs by generating a ".1" version when the log size exceeds 20 MB. After a ".5" version is created, WinCollect deletes the oldest version of the log.
WinCollect also manages disk space by archiving checkpoint folders. When JSA updates WinCollect with new code, the checkpoint folders store a backup of the replaced code. WinCollect archives the oldest patch checkpoint folder after 10 are created. WinCollect creates an archive folder that contains a list of files in the patch checkpoint folder, and a compressed file of the AgentConfig.xml file. WinCollect then deletes the patch checkpoint folder that it archived.
InfoX Debug Logs
InfoX debug logs make debugging WinCollect easier, without interfering with performance.
By default, InfoX is enabled and logs events for the first five minutes that the agent runs, for a maximum of 5,000 log entries. After that, InfoX logs events for one minute every 15 minutes, for a maximum of 200 log entries. InfoX generates debug logs even if your log level is set to info.
You can edit the InfoX configuration by adding any of these parameters to the
Table 2: InfoX Configuration Options
Used to enable or disable InfoX.
The number of seconds to run the agent at startup. To disable this feature, set this value to 0.
The maximum number of events that can be logged at startup.
The number of seconds to wait for the next logging period.
The number of seconds to run the agent at each interval. To disable this feature, set this value to 0.
The maximum number of events that can be logged at each interval.