Changing configuration with Templates in a Stand-alone Deployment
Supported Version: WinCollect 7.2.8 + stand-alone only. With
templating, you can change the Agent configuration without making
manual or scripted edits to the AgentConfig.xml file.
When you copy a template to the WinCollect patch directory,
the Agent replaces the existing configuration with the contents of
the template. Before the Agent applies the changes from the template,
it makes a backup of the current configuration in the patchcheckpoint directory. After the changes are applied,
the Agent restarts and uses the new configuration.
Four sample templates are installed with WinCollect 7.2.8 and later. They are stored in the \JSA\WinCollect\templates directory.
tmplt_AgentCore.xmltmplt_DestinationManager.xmltmplt_DeviceWindowsLog.xmltmplt_PayloadRouter.xml
These templates are examples only. All Agent configuration service modules are supported, so that you can create your own templates.
The following use cases are examples of how you can use templates to change Agent configurations.
Use Case 1: Change Heartbeat Interval
You want to change the heartbeat interval from 5 minutes to 1 hour on all deployed systems. Previously, this required manual or scripted changes to the agentconfig.xml file and a WinCollect service restart. With templates, you can change this interval by performing the following steps.
Locate the
tmplt_AgentCore.xmltemplate in the \IBM\WinCollect\templates directory. This service contains the Heartbeat Interval configuration.Make a copy of the template and name it
service_AgentCore.xml.Change the value of the
HeartbeatIntervalparameter to 3,600,000 milliseconds (1 hour).<Service classification="Static" type="Service" version="7.2.8" module="AgentCore" name="AgentCore”> <Environment> <Parameter name="HeartbeatInterval" value="3600000"/> <Parameter name="ConfigurationCheckInterval" value="300000"/> <Parameter name="Enabled" value="true"/> <Parameter name="Deleted" value="false"/> <Environment> </Service>
Move the
service_AgentCore.xmlfile to the \IBM\WinCollect\patch directory. After a few seconds, the file disappears and the agent restarts. The oldagentconfig.xmlfile is moved to the backup directory (patch_checkpoint_xxxx).
Use Case 2: Modify Event Data Storage Configuration
You want to change the location and capacity of the event data that is stored in the \programdata\WinCollect file. You want to store the event data in C:\WinCollect\Data and change the capacity to 20 GB. There is no default template for this change, but you can easily create one by using information in the agentconfig.xml file. The following sample shows the existing service:
<Service classification="Static" type="Service" version="7.2.8" module="WinCollectCommon" name="DiskManager"> <Environment> <Parameter name="BasePath" value="%ALLUSERSPROFILE%\WinCollect\Data"/> <Parameter name="Capacity" value="6144"/> <Environment> </Service>
%ALLUSERSPROFILE% is an environment
variable. The default value is C:\ProgramData. You want to change
this value to C:\WinCollect\Data.
Create an XML file named service_DiskManager.xml with the following contents:
<Service classification="Static" type="Service" version="7.2.8" module="WinCollectCommon" name="DiskManager"> <Environment> <Parameter name="BasePath" value="c:\ibm\WinCollect\Data”//> <Parameter name="Capacity" value="20480"/> <Environment> </Service>
Move the file to the \IBM\WinCollect\patch directory.
After a few seconds, the file disappears and the agent restarts. Data is now written to the new directory.
Use Case 3: Send TCP instead of UDP
You want to send Syslog data to JSA over TCP rather than UDP. You must specify this option in the Destination Manager.
Locate the
tmplt_DestinationManager.xmltemplate in the \IBM\WinCollect\templates directory.Make a copy of the template and name it
service_DestinationManager.xml.In
<Module order=”4"> service_name=""UDPSendStage">, change theservice_nameparameter to TCPSendStage.<Service version="7.2.8" classification="Service" type="Service" module="WinCollectPlugin" name="DestinationManager"> <Environment> <InstanceData> Instance name=”Qradar”> <Environment> <Module order="1" service_name="StoreAndForwardStage"> <Environment> <Parameter name="DataChunkPeriod" value="10"/> <Parameter name="DataProcessingPeriod" value="500000"/> <Parameter name="QueueLowWaterMark" value="750000"/> <Parameter name="QueueHighWaterMark" value="1000000"/> <Parameter name="Schedule.Enable" value="true"/> <Parameter name="Schedule.Invert" value="false"/> <Parameter name="Socket.KeepAlive.Enabled" value="true"/> <Parameter name="Socket.KeepAlive.Time" value="30000"/> <Parameter name="Socket.KeepAlive.Interval" value="4000"/> </Environment> </Module> <Module order="2" service_name="SimpleEventThrottle”> <Environment> <Module order="2" service_name="SimpleEventThrottle"> <Environment> <Parameter name="EventThrottleInEPS" value="5000"/> </Environment> </Module> <Module order="4" service_name="TCPSendStage”> <Environment> <Parameter name="TargetAddress" value="172.18.X.X"/> <Parameter name="TargetPort" value="514"/> <Environment> </Module> <Instance> <InstanceData> </Service>
Move the file to the \IBM\WinCollect\patch directory. After a few seconds, the file disappears and the agent restarts. The old
agentconfig.xmlfile is moved to the backup directory (patch_checkpoint_xxxx).
Use Case 4: Add NSA Filtering to an Existing Log Source
You want to add NSA filtering to an existing log source. You
can change this attribute by using the tmplt_DeviceWindowsLog.xml template.
Locate the
tmplt_DeviceWindowsLog.xmltemplateMake a copy of the template and name it
service_DeviceWindowsLog.xml.Open
AgentConfig.xmland locate the log source contained in the moduleDeviceWindowsLog.Copy the model and instance information and replace the contents in
service_DeviceWindowsLog.xmlwith it.Modify the following lines with the bolded sample code:
<Parameter name="Filter.System.Type" value="NSAlist"/> <Parameter name="Filter.System.Param"> "1,6,12,13,19,104,219,1001,1125,1126,1129,7000,7022,7023,7024,7026,7031,7032,7034,7045"/> <Parameter name="Filter.System.Enabled" value="true"/>
Save the
service_DeviceWindowsLog.xmlfile and move it to the file to the \IBM\WinCollect\patch directory. After a few seconds, the file disappears and the agent restarts. The old agentconfig.xml file is moved to the backup directory(patch_checkpoint_xxxx).