Setting an XPath Parameter During Automated Installation

In WinCollect 7.2.8 and later, you can add an XPath parameter to your command line installer for stand-alone WinCollect agent installations.

  1. Convert your XPath to base64 encoding using https://www.base64encode.org/ or another encoding tool. For example, this XPath, needed to collect Windows PowerShell logs:

    <QueryList>
    <Query Id="0" Path="Windows PowerShell">
    <Select Path="Windows PowerShell">*</Select>
    </Query>
    </QueryList>

    results in this base64 conversion:

    PFF1ZXJ5TGlzdD4KPFF1ZXJ5IElkPSIwIiBQYXRoPSJXaW5kb3dzIFBvd2VyU2hlbGwiPgo8U2VsZWN0IFBhdGg9IldpbmRvd3MgUG93ZXJTaGVsbCI+KjwvU2VsZWN0Pgo8L1F1ZXJ5Pgo8L1F1ZXJ5TGlzdD4=

  2. Add the following code to your command line installer:

    c:\wincollect-7.2.8-91.exe /s /v"/qn STATUSSERVER=<valid IP address> LOG_SOURCE_AUTO_CREATION_ENABLED=True
    LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&
    Component1.LogSourceName=%COMPUTERNAME%&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Dest.Name=QRadar&Component1.EventLogPollProtocol=MSEVEN6&Component1.Dest.Hostname=<valid IP address>&
    Component1.Dest.Port=514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&
    Component1.Log.Application=true&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&
    Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=3000&
    Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=2500&
    Component1.CustomQuery.Base64=<base64 Xpath>&
    Component1.EventRateTuningProfile=High+Event+Rate+Server"""

    Note:

    Replace the following entries with valid IP addresses:

    STATUSSERVER=<valid IP address>

    Component1.Dest.Hostname=<valid IP address>

    STATUSSERVER is the location where the WinCollect agent sends status messages (such as WinCollect service starting or any agent error messages). Component1.Dest.Hostname is the location where the agent sends event logs (such as JSA EC or Console).

    Note:

    Replace the following entry with the base64 conversion you created in step 1:

    Component1.CustomQuery.Base64=<base64 Xpath>

  3. Add or remove any of the Components or event logs you want to collect.
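
The encoding in step 1 can also be done locally. The following Python script is an added example, not part of the original page or of WinCollect: it checks that the XPath query is well-formed XML before encoding it, because an unclosed tag or quote would otherwise be encoded without any error, and it reproduces the base64 value shown in step 1. The function names are assumptions made for this example.

```python
import base64
import xml.etree.ElementTree as ET

# The XPath query from step 1 of this page (Windows PowerShell event log).
POWERSHELL_XPATH = """<QueryList>
<Query Id="0" Path="Windows PowerShell">
<Select Path="Windows PowerShell">*</Select>
</Query>
</QueryList>"""


def validate_query(xml_text: str) -> None:
    """Raise ValueError unless xml_text is a well-formed <QueryList> with Select rules."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"XPath query is not well-formed XML: {exc}") from exc
    if root.tag != "QueryList":
        raise ValueError(f"root element is <{root.tag}>, expected <QueryList>")
    queries = root.findall("Query")
    if not queries:
        raise ValueError("<QueryList> contains no <Query>")
    for query in queries:
        if not query.findall("Select"):
            raise ValueError("a <Query> has no <Select> rule")


def encode_xpath(xml_text: str) -> str:
    """Validate the query, normalise line endings to LF, return single-line base64."""
    text = xml_text.replace("\r\n", "\n").strip()
    validate_query(text)
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_xpath(b64_text: str) -> str:
    """Decode a pasted value; whitespace left by line wrapping is removed first."""
    compact = "".join(b64_text.split())
    return base64.b64decode(compact, validate=True).decode("utf-8")


def custom_query_parameter(xml_text: str, component: str = "Component1") -> str:
    """Build the CustomQuery.Base64 entry for LOG_SOURCE_AUTO_CREATION_PARAMETERS."""
    return f"{component}.CustomQuery.Base64={encode_xpath(xml_text)}"


if __name__ == "__main__":
    print(custom_query_parameter(POWERSHELL_XPATH))
```

Running `decode_xpath` on a value copied from an existing installer command shows which query an agent was actually deployed with.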