Installing a WinCollect Agent from the Command Prompt

For unattended installations, you can install the WinCollect agent from the command prompt. Use the silent installation option to deploy WinCollect agents simultaneously to multiple remote systems.

The WinCollect installer uses the following command options:

Table 1: Silent Installation Options for WinCollect Agents
Option	Valid entries and description
/qn	Runs the WinCollect agent installation in silent mode.
INSTALLDIR	The installation location for WinCollect. If the installation directory contains spaces, add a backslash before the quotation marks.
AUTHTOKEN=token	For managed WinCollect agents only. Uses the previously configured Authorization Token from JSA to authorize the managed agent. For example, `AUTH_TOKEN=af111ff6-4f30-11eb-11fb-1f c1 17711111`
FULLCONSOLEADDRESS=host_address	The IP address, host name, or FQDN of the JSA Console, Event processor, or Event Collector that manages the agent. Examples: `FULLCONSOLEADDRESS=192.0.2.0` `FULLCONSOLEADDRESS=EPqradar` `FULLCONSOLEADDRESS=EPqradar.myhost. com`
HOSTNAME=host name	The Hostname field is used to assign a name to the WinCollect agent. The values that are used in this field can be an identifiable name, hostname, or IP address. In most cases, administrators can use HOSTNAME=%COMPUTERNAME% to auto populate this field. The IP address or host name of the WinCollect agent host cannot contain the "at" sign, @.
STATUSSERVER	An alternative destination to send WinCollect status messages to, such as the heartbeat, if required. Set the value to an IP address to send status messages to any JSA Console or any Event Processor or Event Collector in your deployment. Set the value to Disabled to send only a heartbeat without status messages. Set the value to None if you don't want to send a heartbeat or status messages.
LOG_SOURCE_AUTO_CREATION_ENABLED	Required, `True` or `False` If you enable this option, you must configure the log source parameters. JSA must be updated to 2014.1.r1.734536 or later.
LOG_SOURCE_AUTO_CREATION_ PARAMETERS	Ensure that each parameter uses the format: `Parameter_Name=value`. The parameters are separated with ampersands, &. Your JSA must be updated to 2014.1.r1.734536 or later.
LOG_MONITOR_SOCKET_TYPE=TCP	This parameter sets the protocol that is used by heartbeat and status messages to be sent by using TCP. The default protocol is UDP. Note: This option is only available in stand-alone WinCollect deployments. Availability for managed agents is planned in a later release of JSA.
Component1.Action	`create` Creates a new windows event log source during the installation.
Component1.LogSourceIdentifier	The IP address or host name of the system where the agent is installed.
Component1.Destination.Name	The destination name is an alphanumeric value that is used to specify where a WinCollect log source sends event data. This value must be a JSA appliance capable of receiving event data, such as an Event Processor, Event Collector, or JSA Console. Note: In managed deployments, the destination must be an “internal destination”, and the name must exist in the JSA user interface before the installation, otherwise the log source configuration parameters are discarded and no log sources are automatically created. Internal Destination - Managed hosts with an event processor component External Destination - Destination that you configured as the WinCollect destination and is not known to the Console as a Managed Host
Component1.Dest.Hostname (Stand alone deployments only)	The IP address or host name where you send WinCollect events.
Component1.Dest.Port (Stand alone deployments only)	The port that WinCollect uses when it communicates with the destination.
Component1.Dest.Protocol (Stand alone deployments only)	`TCP` or `UDP`
Component1.Dest.MaxPayloadSize (Stand alone deployments only)	Maximum payload size sent to the destination (Default values are 1020 UDP and 32000 TCP).
Component1.Log.Security	Required, `True` or `False` The Windows Security log contains events that are defined in the audit policies for the object.
Component1.Log.System	Required, `True` or `False` The Windows System logs can contain information about device changes, device drivers, system changes, events, and operations provided by the operating system.
Component1.Log.Application	Required, `True` or `False` The Windows Application logs contain events that are triggered by software applications instead of the operating system. The logs can contain errors, information, and warning events.
Component1.Log.DNS+Server	Required, `True` or `False` The Windows DNS Server log contains DNS events.
Component1.Log.File+Replication+Service	Required, `True` or `False` The Windows File Replication Service log contains events about changed files that are replicated on the system.
Component1.Log.Directory+Service	Required, `True` or `False` The Windows Directory Service log contains events that are written by the active directory.
Component1.RemoteMachinePollInterval	The polling interval that determines the number of milliseconds between queries to the Windows host. The minimum polling interval is 300 milliseconds. The default is 3000 milliseconds or 3 seconds.
Component1.EventRateTuningProfile (Managed deployments only)	Select one of the following tuning profiles: Default+(Endpoint) Typical+Server High+Event+Rate+Server
Component1.MaxLogsToProcessPerPass (Stand alone deployments only)	Not required. The maximum number of logs (in binary form) that the algorithm attempts to acquire in one pass, if remaining retrievable events exist. Note: Use this parameter to improve performance for event collection, however, this parameter can also increase processor usage.
Component1.MinLogsToProcessPerPass (Stand alone deployments only)	Not required. The minimum number of logs (in binary form) that the algorithm attempts to read in one pass, if remaining retrievable events exist. Note: You can use this parameter to improve performance for event collection, but this parameter can also increase processor usage.
Component1.StoreEventPayload	Not required. Specifies that JSA event payloads are to be stored.
Component1.Secondary	Not required. Specifies the IP address or Hostname of the Secondary destination that the Agent sends events to if the Primary destination is unreachable and the failover time has elapsed.
Component1.Failover	Not required. Specifies the failover time in seconds. If the primary destination can't be reached, the Agent starts sending events to the Secondary destination.

Note:

You need to run the command prompt as an administrative user.

Download the WinCollect agent setup file from https://support.juniper.net/support/downloads/
On the Windows host, open a command prompt by using Run as Administrator.
Note:
In managed deployments, the destination name that is used during automatic log source creation must exist before the command-line installation runs. Verify the destination name in the JSA user interface before you start the installation.
Type the following command:
wincollect-<Version_number>.x64.exe /s /v" /qn INSTALLDIR=<”C:\IBM\WinCollect"> AUTHTOKEN=<token> FULLCONSOLEADDRESS=<host_address> HOSTNAME=<hostname> LOG_SOURCE_AUTO_CREATION=<true|false> LOG_SOURCE_AUTO_CREATION_PARAMETERS=<”parameters”””>

The following example shows a silent installation for a Stand alone WinCollect agent.

Note:
This example contains line breaks for formatting. The actual command is a single line.

wincollect-<version_number>.x86.exe /s /v"/qn INSTALLDIR=\"C:\Program Files \IBM\WinCollect\" HEARTBEAT_INTERVAL=6000 LOG_SOURCE_AUTO_CREATION_ENABLED= True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice= DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName= %COMPUTERNAME%-1&Component1.LogSourceIdentifier= <ip_address>&Component1.Dest.Name=QRadar&Component1 .Dest.Hostname=<ip_address>&Component1.Dest.Port= 514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1 .Log.System=true&Component1.Log.Application=true &Component1.Log.DNS+Server=false&Component1.Log.File+Replication+ Service=false&Component1.Log.Directory+Service=false&Component1. RemoteMachinePollInterval=3000&Component1.EventRateTuningProfile=High+ Event+Rate+Server&Component1.MinLogs ToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1875

The following example shows a silent installation for a managed WinCollect agent.

Note:
This example contains line breaks for formatting. The actual command is a single line.

wincollect-<version_number>.x86.exe /s /v"/qn INSTALLDIR=\"C:\Program Files \IBM\WinCollect\" AUTHTOKEN=1111111-aaaa-1111-aaaa-11111111 FULLCONSOLEADDRESS=<ip_address:port> HOSTNAME=%COMPUTERNAME% LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS =""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create &Component1.LogSourceName=%COMPUTERNAME%&Component1.LogSourceIdentifier= %COMPUTERNAME%&Component1.Log.Security=true&Component1.Log.System=false &Component1.Log.Application=false&Component1.Log.DNS+Server=false &Component1.Log.File+Replication+Service=false&Component1.Log. Directory+Service=false&Component1.Destination.Name=Local& Component1.RemoteMachinePollInterval=3000&Component1.EventRate TuningProfile=High+Event+Rate+Server"""
Press Enter.

Installing a WinCollect Agent from the Command Prompt

Related Documentation