1. Uninstall WinCollect on the remote Windows machine (through the Windows Programs control panel).
2. Download and install 184.108.40.206.20160519230548.sfs (or higher patch) on the SIEM console.
This patch will install all the WinCollect patches/RPMs. After the installation, the following command can be run to verify the RPMs:
rpm -qa |grep -i wincollect
3. Once the patch has been installed on the console, launch the web Dashboard and navigate to Admin --> Authorized Services.
4. Add an entry for WinCollect and then note the 'Selected Token'.
5. Download and install AGENT_i386_WinCollect-220.127.116.118508-setup.zip for a 32-bit system or Wincollect Agent EXE [x64] 18.104.22.1688564 for a 64-bit system.
6. Unzip the installation bundle and run the setup.exe file within.
7. Fill in the Host Identifier field (hostname of the remote WinCollect machine), the Authentication Token (from step #4 above) and the Configuration Console (IP of the SIEM console).
8. In the next window, check the 'Enable Automatic Log Source Creation' option, and fill in the Log Source Name and Log Source Identifier variables.
This will determine the Log Source name created on the SIEM. The most common values are the hostname of the Windows machine:
Click Next and complete the installation.
9. Start the WinCollect service on the Windows machine. It should now create a Log Source on the SIEM (you can verify in the Log Sources window in the Admin tab).
10. If the Log Source is not created and WinCollect does not connect to the server, continue with the following steps.
11. Log in to the Dashboard
12. Click the Admin tab.
13. Click the Authorized Services icon.
14. Note the token for WinCollect (and ensure none of the tokens have expired). For example, on my machine:
15. Log in to the Windows host that has the bad token.
16. Navigate to the WinCollect installation directory (C:\Program Files\IBM\WinCollect\config\).
17. Open the file install_config.txt
18. Re-add the token from the console in the 'ApplicationToken=' field. Using the token in my example from step #14 above:
19. Save the file.
20. Click Start > Run, type services.msc and click OK.
21. Locate the WinCollect service and restart it.
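
Steps 15 to 21 can be scripted. The PowerShell below is an added example, not part of the original procedure or vendor code. It assumes install_config.txt holds one key=value pair per line in ASCII and that the Windows service is named WinCollect (confirm the name in services.msc).

```powershell
#Requires -RunAsAdministrator
# Added example: re-add the console token to install_config.txt and restart the agent.
# Assumptions: one key=value pair per line, ASCII content, service name 'WinCollect'.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ConfigPath  = 'C:\Program Files\IBM\WinCollect\config\install_config.txt',
    [string]$ServiceName = 'WinCollect'   # assumed service name; confirm in services.msc
)

$ErrorActionPreference = 'Stop'

# Prompt without echo so the token stays out of the console buffer and transcripts.
$secure = Read-Host -Prompt 'Token from Admin > Authorized Services' -AsSecureString
$token  = [System.Net.NetworkCredential]::new('', $secure).Password.Trim()
if ([string]::IsNullOrWhiteSpace($token)) { throw 'No token entered.' }

$lines   = @(Get-Content -LiteralPath $ConfigPath)
$pattern = '^\s*ApplicationToken\s*='
$hits    = @($lines | Where-Object { $_ -match $pattern })

# Refuse to guess when the field is missing or duplicated; edit the file by hand instead.
if ($hits.Count -ne 1) {
    throw "Expected exactly one ApplicationToken= line in $ConfigPath, found $($hits.Count)."
}

# Compare case-sensitively and never print either token value.
$current = ($hits[0] -split '=', 2)[1].Trim()
if ($current -ceq $token) {
    Write-Host 'ApplicationToken already matches the console token; file left unchanged.'
    return
}

$updated = $lines | ForEach-Object {
    if ($_ -match $pattern) { "ApplicationToken=$token" } else { $_ }
}

if ($PSCmdlet.ShouldProcess($ConfigPath, 'Rewrite ApplicationToken and restart service')) {
    # The backup still contains the old token; delete it once the agent reconnects.
    Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force
    Set-Content -LiteralPath $ConfigPath -Value $updated -Encoding ASCII
    Restart-Service -Name $ServiceName
    Get-Service -Name $ServiceName | Select-Object Name, Status
}
```

Run it with -WhatIf first to confirm the target file and service without changing anything.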