I am trying to set up a new log source that is supposed to send logs to my WinCollect agent.
However, as soon as I set it up, this is the error I got:
log=System.WinCollectSvc.Service msg=Config change (or patch) download failed validation. Not applying.
What could be the issue on this?
Answer by JonathanP_QRadar (2783) | Oct 30, 2018 at 05:37 PM
I'm looking into this question further, but this is likely something that should be reviewed by support. I don't think there is enough information here to make a determination as to what to do without seeing the full logs from both WinCollect and the QRadar managed host logs. There is typically another error message on the WinCollect side, in WinCollect.log, that includes more information. I would get a case opened with QRadar Support for this issue.
This problem could be due to an MD5 sum not matching the bundle, network timeouts, a cipher/SSL handshake problem, or another issue with the configuration server that provides the tgz file to the remote Windows host that has the agent installed. Typically, the way this works is that you make changes to a log source and the configuration server packages the changes up for the remote WinCollect agent in a .tgz file. This bundle is pushed down to the remote agent via port 8413 to be unpacked and update the log source configuration/software. There are checks to ensure that the md5 sum of the file created and the tgz version on the Windows host is valid during the transfer or if there were timeout issues related to getting the remote file. If this cannot occur, or another issue is preventing the agent from sending the tgz update bundle to the WinCollect agent, then there should be more info in the logs.
There is usually a line above that includes more details, for example:
ERROR System.ConfigurationPatchStrategy : An error occured when attempting to retrieve the software update from the server: Code: 0x80000004 Reason: The configuration server did not respond within a reasonable amount of time or the connection was terminated unexpectedly
WARN System.WinCollectSvc.Service : Config change (or patch) download failed validation. Not applying.
The above text is where there might be a Status Server event that appears as an ERROR line above the warning message you listed. I think this should likely be reviewed by support so we can validate the error messages and confirm why the updates are not being pushed down to the WinCollect agent as expected.
Let me know if you have any questions on this issue or about anything I described in this post.
~ Jonathan
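The triage step described in the answer above (find the ERROR line logged just before the "failed validation" warning), as an added example that is not part of the original answer or of IBM's tooling. It assumes each WinCollect.log entry is a single line in the `LEVEL logger : message` shape quoted above; the timestamps, INFO lines, function name and `lookback` window are constructed for illustration.

```python
import re

# LEVEL, logger and message, in the shape of the lines quoted in the answer.
# A leading timestamp is skipped; its layout below is an assumption.
LINE_RE = re.compile(r"\b(ERROR|WARN|INFO|DEBUG)\s+(\S+)\s*:\s*(.*)")
CODE_RE = re.compile(r"Code:\s*(0x[0-9A-Fa-f]+)\s+Reason:\s*(.*)")
FAILED = "download failed validation"

def find_validation_failures(lines, lookback=5):
    """Pair each 'failed validation' WARN with the closest ERROR above it."""
    findings, last_error = [], None
    for number, raw in enumerate(lines, start=1):
        match = LINE_RE.search(raw)
        if not match:
            continue
        level, logger, message = match.groups()
        if level == "ERROR":
            last_error = (number, logger, message)
        elif level == "WARN" and FAILED in message:
            finding = {"warn_line": number, "error_line": None,
                       "logger": None, "code": None, "reason": None}
            # Only attribute the warning to an ERROR logged shortly before it.
            if last_error and number - last_error[0] <= lookback:
                detail = CODE_RE.search(last_error[2])
                finding.update(error_line=last_error[0], logger=last_error[1],
                               reason=last_error[2].strip())
                if detail:
                    finding.update(code=detail.group(1),
                                   reason=detail.group(2).strip())
            findings.append(finding)
    return findings

# Constructed sample: timestamps and INFO lines are made up; the ERROR and WARN
# messages are the ones quoted in the answer.
WARN = ("10-30 17:02:40.512 WARN System.WinCollectSvc.Service : "
        "Config change (or patch) download failed validation. Not applying.")
SAMPLE_LOG = [
    "10-30 17:01:12.100 INFO System.WinCollectSvc.Service : constructed line",
    "10-30 17:02:40.511 ERROR System.ConfigurationPatchStrategy : An error "
    "occured when attempting to retrieve the software update from the server: "
    "Code: 0x80000004 Reason: The configuration server did not respond within "
    "a reasonable amount of time or the connection was terminated unexpectedly",
    WARN,
] + ["10-30 17:05:00.000 INFO System.WinCollectSvc.Service : constructed line"] * 4 + [WARN]

if __name__ == "__main__":
    for item in find_validation_failures(SAMPLE_LOG):
        print(item)
```

A finding with `error_line` set to `None` means no ERROR was logged within the lookback window, which is the case where the QRadar managed host logs are the next place to look.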