Installing the WinCollect Agent on a Windows Host

Install the WinCollect agent on each Windows host that you want to use for local or remote collection in your network environment.

Ensure that the following conditions are met:

  • You created an authentication token for the managed WinCollect agent.

    Note:

    This authentication token is required for every managed WinCollect agent you install.

    For more information, see Creating an Authentication Token for WinCollect Agents.

  • Your system meets the hardware and software requirements.

    For more information, see Hardware and Software Requirements for the WinCollect Host.

  • The required ports are available for WinCollect agents to communicate with JSA and remotely polled Windows computers.

    For more information, see Communication Between WinCollect Agents and JSA.

  • To automatically create a log source for a managed WinCollect agent, you must first create a destination that your agent can use to connect to JSA and create your log source.

    The managed WinCollect agent sends the Windows event logs to the configured destination. The destination can be the JSA Console, an Event Processor, or an Event Collector.

  1. Download the WinCollect Agent .exe file from https://support.juniper.net/support/downloads/.
  2. Right-click the WinCollect Agent .exe file and select Run as administrator.
  3. Follow the prompts in the installation wizard and use the following parameters for either managed or stand-alone agent setup.
    Table 1: WinCollect Managed Agent Setup Type Installation Wizard Parameters

    | Parameter | Description |
    |---|---|
    | Host Identifier | Use a unique identifier for each WinCollect agent that you install. The name that you type in this field is displayed in the WinCollect agent list of the JSA Console. If you are reinstalling an agent on a Windows host and you want to use the same Host Identifier for the agent, you must first rename the existing agent in JSA. Host identifiers are unique to each installation of the agent on the same Windows host. By default, the Host Identifier is the hostname of the Windows host. |
    | Authentication Token | The authentication token that you created in JSA, for example, af111ff6-4f30-11eb-11fb-1fc117711111. |
    | Configuration Server (host and port) | The IP address or host name of your JSA Console, Event Collector, or Event Processor. For example, 192.0.2.0 or myhost. |
    | Create Log Source | If this check box is selected, you must provide information about the log source and the target destination. |
    | Log Source Name | The name can be a maximum of 255 characters. |
    | Log Source Identifier | Identifies the device that the WinCollect agent polls. This field must use the hostname, IP address, or FQDN of the Windows host that the log source gathers events from. |
    | Target Destination | The WinCollect destination must be configured in JSA before you continue entering information in the installation wizard. This field must contain the name of a previously created WinCollect Destination as it appears in the Destinations window. |
    | Event Logs | The Windows logs that you want the log source to collect events from and send to JSA. |
    | Machine poll interval (msec) | The polling interval that determines the number of milliseconds between queries to the Windows host. The minimum polling interval is 300 milliseconds. The default is 3000 milliseconds or 3 seconds. |
    | Event Rate Tuning Profile | Select the tuning profile: • Default (Endpoint): 100/150. This setting is suitable for Windows endpoints that are running a non-Server OS. • Typical Server: 500/750. This setting is suitable for most Windows Server endpoints. • High Event Rate Server: 1250/1875. This setting is suitable for all Windows endpoints and is ideal for Domain Controllers and other potentially high EPS endpoints. |
    | Default Status Server Address | An alternative destination to send WinCollect status messages to, such as the heartbeat, if required. Set the value to an IP address to send status messages to any JSA Console or any Event Processor or Event Collector in your deployment. Set the value to Disabled to send only a heartbeat without status messages. Set the value to None if you don't want to send a heartbeat or status messages. |
    | Syslog Status Server (if different from default) | An alternative destination to send WinCollect status messages to, such as the heartbeat, if required. Set the value to an IP address to send status messages to any JSA Console or any Event Processor or Event Collector in your deployment. Set the value to Disabled to send only a heartbeat without status messages. Set the value to None if you don't want to send a heartbeat or status messages. |

    Table 2: WinCollect Stand Alone Setup Type Installation Wizard Parameters

    | Parameter | Description |
    |---|---|
    | Create Log Source | If this check box is selected, you must provide information about the log source and the target destination. |
    | Log Source Name | The name can be a maximum length of 255 characters. |
    | Log Source Identifier | Identifies the device that the WinCollect agent polls. This field must use the hostname, IP address, or FQDN of the Windows host that the log source gathers events from. |
    | Event Logs | The Windows logs that you want the log source to collect events from and send to JSA. |
    | Destination Name | Identifies where WinCollect events are sent. |
    | Hostname / IP | The host name or IP address for the destination. |
    | Port | The port that WinCollect uses when it communicates with the destination. |
    | Protocol | TCP or UDP |
    | Machine poll interval (msec) | The polling interval that determines the number of milliseconds between queries to the Windows host. The minimum polling interval is 300 milliseconds. The default is 3000 milliseconds or 3 seconds. |
    | Event Rate Tuning Profile | Select the tuning profile: • Default (Endpoint): 100/150. This setting is suitable for Windows endpoints that are running a non-Server OS. • Typical Server: 500/750. This setting is suitable for most Windows Server endpoints. • High Event Rate Server: 1250/1875. This setting is suitable for all Windows endpoints and is ideal for Domain Controllers and other potentially high EPS endpoints. |
    | Default Status Server Address | The IP address of the destination where status messages from the WinCollect agent are sent. |
    | Syslog Status Server (if different from default) | An alternative destination to send WinCollect status messages to, such as the heartbeat, if required. Set the value to an IP address to send status messages to any JSA Console or any Event Processor or Event Collector in your deployment. Set the value to Disabled to send only a heartbeat without status messages. Set the value to None if you don't want to send a heartbeat or status messages. |
    | Heartbeat Interval (msecs) | The frequency at which heartbeat status messages are sent. In WinCollect 7.2.8, it is displayed in milliseconds. In WinCollect 7.2.9 and later, it is displayed in minutes. |
    | Log Monitor Socket Type | Protocol to be used to send heartbeat and status messages. |

    Note:

    This option is only available in stand-alone WinCollect deployments. Availability for managed agents is planned in a later release of JSA.

    The Command Line (will be saved in config\cmdLine.txt) field displays a command line from the configuration that you completed. You can use this command for silent, or unattended installations. For more information, see Installing a WinCollect Agent from the Command Prompt.
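When the same parameters are planned for many hosts ahead of an unattended rollout, the limits in Table 1 can be checked before any installer runs. The following is an added example, not Juniper code: the dictionary keys and function names are hypothetical, the token check assumes every token has the shape of the example token above, and the sample plan is constructed.

```python
import ipaddress
import re

# Limits and choices taken from the wizard parameter tables on this page.
MIN_POLL_MS, MAX_NAME_LEN = 300, 255
TUNING_PROFILES = {"Default (Endpoint)", "Typical Server", "High Event Rate Server"}
# Assumption: tokens share the 8-4-4-4-12 hex shape of the page's example token.
TOKEN_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Hostname or FQDN: dot-separated labels of letters, digits and hyphens.
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^(?=.{{1,253}}$){LABEL}(\.{LABEL})*$")

def is_host_or_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOST_RE.match(value))

def validate_plan(agents):
    # Returns (host_identifier, problem) pairs; an empty list means the plan passes.
    problems, seen = [], set()
    for a in agents:
        hid = a.get("host_identifier", "")
        # Assumption: compare case-insensitively, since the default is the hostname.
        if not hid or hid.casefold() in seen:
            problems.append((hid, "Host Identifier empty or already used"))
        seen.add(hid.casefold())
        if not TOKEN_RE.match(a.get("auth_token", "")):
            problems.append((hid, "Authentication Token missing or malformed"))
        if not is_host_or_ip(a.get("config_server", "")):
            problems.append((hid, "Configuration Server is not a host name or IP address"))
        if a.get("create_log_source"):
            if not 1 <= len(a.get("log_source_name", "")) <= MAX_NAME_LEN:
                problems.append((hid, "Log Source Name empty or longer than 255 characters"))
            if not is_host_or_ip(a.get("log_source_identifier", "")):
                problems.append((hid, "Log Source Identifier is not a hostname, IP address or FQDN"))
            if not a.get("target_destination"):
                problems.append((hid, "Target Destination is required to create a log source"))
        if a.get("poll_interval_ms", 3000) < MIN_POLL_MS:
            problems.append((hid, "Machine poll interval is below the 300 ms minimum"))
        if a.get("tuning_profile", "Default (Endpoint)") not in TUNING_PROFILES:
            problems.append((hid, "Unknown Event Rate Tuning Profile"))
    return problems

# Constructed sample plan; the token is the example value shown on this page.
TOKEN = "af111ff6-4f30-11eb-11fb-1fc117711111"
PLAN = [{"host_identifier": "WS-014", "auth_token": TOKEN, "config_server": "192.0.2.0"},
        {"host_identifier": "ws-014", "auth_token": "", "config_server": "myhost", "poll_interval_ms": 100}]
print(validate_plan(PLAN))
```

The second sample entry is flagged for reusing a Host Identifier, for a missing token, and for a poll interval under the minimum.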