Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Installing and Upgrading the WinCollect Application on JSA Appliances

To manage a deployment of WinCollect agents from the JSA user interface, you must first upgrade your JSA Console to a supported version of WinCollect by using the WinCollect Agent SFS Bundle. This bundle includes the required protocols to enable communication between JSA and the managed WinCollect agents on the Windows hosts. Both the JSA Console and managed WinCollect agents can be upgraded to newer versions of WinCollect by installing the newer version of SFS Bundle on the JSA console.

Note:
  • For information about upgrading WinCollect versions v7.0 through v7.1.0, see https://support.juniper.net/support/downloads/.

  • If WinCollect 7.2.6 or later is installed on the JSA Console, and then you upgrade JSA from 2014.8 to 7.3.0 or later, the version of WinCollect on JSA reverts to 7.2.5. The managed WinCollect agents that are running on your Windows hosts remain at their current version and continue to send events to JSA using their existing configuration information. However, they no longer receive code or configuration updates. You must reinstall a version of the WinCollect Agent SFS Bundle that is the same as or newer than your current agents' version on your JSA Console after the JSA upgrade.

After you upgrade a JSA Console, the managed WinCollect agents that are enabled to receive automatic updates automatically upgrade to the new version of WinCollect at the next configuration polling interval. If new WinCollect agent files are available for download, the agent downloads, installs updates, and restarts required services. No events are lost when you update your WinCollect agent because events are buffered to disk. Event collection forwarding continues when the WinCollect service on the Windows host restarts.

Note:

If you reinstall JSA on your Console, you must delete this file on any existing WinCollect agent installations before WinCollect can function properly: Program Files/IBM/WinCollect/ config/ConfigurationServer.PEM

  1. Download the WinCollect Agent SFS bundle installation file from https://support.juniper.net/support/downloads/.
    Note:

    The installation process restarts services on the Console, which creates a gap in event collection until services restart. Schedule the WinCollect upgrade during a maintenance window to avoid disrupting users.

  2. Use SSH to log in to the JSA Console as the root user.
  3. For initial installations, create the /storetmp and /media/updates directories if they do not exist. Type the following commands:

    mkdir /media/updates

    mkdir /storetmp

  4. Using a program such as WinSCP, copy the downloaded SFS file to /storetmp on your JSA console.
  5. To change to the /storetmp directory, type the following command:

    cd /storetmp

  6. To mount the SFS file, type the following command:

    mount -t squashfs -o loop Installer_file_name.sfs /media/updates

    Example:

    mount -t squashfs -o loop 730_QRadar_wincollectupdate-7.3.0-24.sfs /media/updates

  7. To run the WinCollect installer, type the following command and then follow the prompts: /media/ updates/installer
    Note:

    To proceed with the WinCollect Agent update you must restart services on JSA to apply protocol updates. The following message is displayed:

    WARNING: Services need to be shutdown in order to apply patches.

    This will cause an interruption to data collection and correlation.

    Do you wish to continue (Y/N)?

  8. Type Y to continue with the update.

    During the update, the SFS installs new protocol updates. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and run the installer again, the patch installation resumes. After the installation is complete, services are restarted, and the user interface is available.

    Note:

    During installation, the following message is displayed:

    Patch 144249

    This patch includes a new version of the WinCollect Configuration Server.

    For this new version to run properly, the event collection service needs to be restarted.

    If you choose to not restart the service, agents cannot get new configurations and code updates until you restart it.

    Choices:

    1. Restart event collection service at the end of the patch installation, on the Console and on all managed hosts patched from the Console.

    2. Do not restart event collection service yet. You will need to restart it in the user interface (Advanced > Restart Event Collection Services).

    3. Abort patch.

    After you choose an option, the patch installation continues. When it is complete, press the Enter key to exit the patch screen.

  9. If you selected the second option in step 8, you must perform the following steps:
    • In the JSA admin settings, click Advanced>Deploy Full Configuration.

    • In the JSA admin settings, click Advanced>Restart Event Collection Services.

  10. To unmount the SFS file from the Console, type the following command: umount /media/updates
  11. Verify that WinCollect agents are configured to accept remote updates:
    1. Log in to JSA.

    2. On the navigation menu, click Data Sources.

    3. Click the WinCollect icon.

    4. Review the Automatic Updates Enabled column and select Wincollect agents that have a False value.

    5. Click Enable/Disable Automatic Updates.

Managed WinCollect agents with automatic updates enabled are updated and restarted. The amount of time it takes a managed agent to update depends on the configuration polling interval for the WinCollect and the speed of the network connections between the Console and the agent.