fbpx
preloader

NEW FEATURE: IBM - WinCollect 10 (Stand Alone) Released !

What's new in WinCollect 10

WinCollect 10 is a major new release for IBM® QRadar®. This release is available now for stand-alone deployments.

Significant performance improvements

  • Across many different use cases (high and low eps, high eps remote polling), approximately 70-100% improvement in CPU usage and 53-67% improvement in memory usage.
  • Increased EPS limitation from 5,000 to 10,000 for local collection.

Installation improvements

Quick Installation: using only the IP/Hostname of the QRadar host, you can have an Agent up and running in seconds, collecting standard Application, System, and Security events.
Installation with script:
  • No longer requires a paragraph cmd line to install an agent. The installer can now reference an installation script.
  • The installer uses the configuration in the script to add the sources you want as part of the installation. You are no longer limited to configuring the Windows event log collection as part of the installation.
  • You can configure any devices that are supported by WinCollect during the installation.
Lightweight installation
~4 MB installation versus 40 MB (installer + patch installer, if needed).

Automatic tuning

  • You no longer need to configure the polling interval or guess which tuning profile to use. The WinCollect agent now tunes itself by Source to poll more often when required and less often when the EPS is low.
  • Configure which sources you want to use, and let the agent handle the collection of events.

Updated Agent Configuration File

  • The Agent Configuration file which is used to control the WinCollect agents has been improved and updated to allow for easier modifications and changes to WinCollect deployment.

New "Source Wizard"

  • WinCollect 10 has a new "Source Wizard" which provides a guided experience for adding Wincollect sources. The workflow of this wizard was designed similarly to that of the QRadar Log Source Management App in order to streamline workflows.  More details can be found here: https://www.ibm.com/docs/en/qradar-common?topic=console-create-source-in-source-wizard

Web-based agent management

Web-based agent management is an optional component for all Agent installations and no longer requires a separate installation as it did with WinCollect 7. Agent management is no longer dependent on .NET3.5.
Tip: The agent management UI works on Internet Explorer, Firefox, or Chrome.
In addition to agent management, the UI contains the following features:
  • Main Dashboard
    • Top Sources - list of the top 10 sources by EPS
    • Errors - lists recent Agent errors, such as connections to QRadar or to a remote source.
    • Historical EPS by source graph
  • Add source wizard.
    • Wizard to add local or remote sources one at a time or in bulk.
The UI also contains the following support tools:
  • Log Viewer
    • Displays the WinCollect log in real time, so you can filter the log as needed.
  • Restart WinCollect service - The following options are available during restart to help troubleshoot an issue:
    • Delete Logs
    • Delete Patch/Staging folder
    • Delete Cached Events
    • Delete Bookmarks
    • Start in Debug Mode
  • Collect Support files.
    • Click one button to gather all the required log files to provide to L2/L3 IBM support.

Use of sources

WinCollect 10 changes the collection paradigm from the typical QRadar log source collection to source collection. For example, in QRadar, you specify to collect Windows event logs and select which channels you want to collect. In WinCollect 10, each channel you want to collect from is now referred to as a "source," which provides the agent more flexibility. For example, channels no longer need to be polled at the same time; you can now set polling intervals for each source. Sources also provide the ability to more easily apply updates by using update scripts.
Note: The other plug-ins (such as Microsoft SQL Server) are also referred to as sources.

Agent Configuration with update scripts

  • WinCollect 10 takes templates to the next level. In WinCollect 7, you could update agents by using templates to make wholesale changes to the configuration. Simple tweaks to an existing configuration were not possible. In WinCollect 10, you can make minor changes to the configuration, and add or subtract sources.
  • If you want to change the IP destination, you can create a simple update script that you can push out to all your agents.
  • The agent configuration is now much simpler and easier to read. Prior agent configurations that were 200+ lines are now reduced to 10 - 20 lines.

About qmasters

QMasters was founded in 2015 to help Israeli governmental, military, niche security, and municipality offices protect themselves from cyber-attacks. As the cyber security threats grow year after year, so does our list of customers. We are a team of 30+ security experts committed to solving security challenges with the right combination of strategies and technologies.

you might also like:

FortiOS Flaw Exploited as Zero-Day in Attacks

On December 12, Fortinet reported on a heap-based buffer overflow...

תגובה לאירועי אבטחה – Incident Response

לא משנה כמה חזקה ההגנה שלנו תהיה, לפעמים דברים ישתבשו...

ClearPass Vulnerability Alert

Aruba has informed us about a new security advisory for...

VIDEO: Carbon Black Webinar - Investigating an Incident

This video link has expired. Please contact Michelle at [email protected]...

1 2 3 6

Join our newsletter!

x
c
o
n
t
a
c
t

u
s
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram