If you're using Alert Logic® in the Cloud, you're likely deploying the Alert Logic Agent. Read on to gain a greater understanding of what the Alert Logic Agent is used for and why it is so important.
Alert Logic uses agents within its network intrusion detection system (IDS) and log management services to collect host information from customer environments. The agents copy only the necessary information and send it back to Alert Logic for analysis. In the simplest terms, agents are how the network IDS and log management services collect data and logs about network activity taking place within your protected environments.
The network IDS aspect of the agent binds to the network interface of the machine on which the agent has been installed and collects copies of the network traffic sent to and from the host.
The log management aspect of the agent collects logs from host machines where the agent is installed. It is integral to the usefulness of both services that agents are installed on your host machines. Without agents, you are potentially limiting Alert Logic's view into your cloud environment.
Agents are required for the network IDS and log management services to work properly in a cloud environment. In on-premises environments, however, agents are not required, but can be helpful. With network IDS, agents provide more insight into the traffic seen at a host level, beyond mere traffic in and out of the network. With log management, agents allow for easier deployment and management.
Note: Agents stop caching data after they have been offline for over 90 days.
Pro tip: The network IDS and log management services are, by default, set to auto-update. Make sure that your environments allow for auto-updates! If you do not have automatic updates enabled, then you will need to manually apply updates. Otherwise, agents will not run the latest software. At some point, lack of new updates may cause performance issues. Updates need to be applied to get the full value and effect of new features and functionality.
You need only manage a single install for both services. The Alert Logic Agent's single install makes the installation process more efficient and less resource-intensive on the host.
Agents impose little overhead on customer systems. Because they run as a service, the entire system does not need to be rebooted if there is an issue with the agent; only the agent service needs to be restarted. On top of that, agents use almost no hard drive space.
The Alert Logic Agent periodically checks for log data to send to Alert Logic, based on the log generation rate of the protected host. An agent will check for data as frequently as needed to keep up with the log generation rate, but at least once every 5-10 minutes. If no data has been seen from a specific source (such as a single Event Log stream) for more than two weeks, the check interval increases with a maximum of 12 hours between checks. An agent will attempt to send data more frequently if it detects local log storage space is filling up.
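The check schedule described above (routine checks every 5-10 minutes, backoff to at most 12 hours once a source has been silent for two weeks, faster sending under local storage pressure) is easier to reason about as code. The following is an added illustrative model written for this page, not the Alert Logic Agent's own code: the thresholds come from the text, while the linear backoff slope, the 100 lines-per-minute "busy" rate, the 80% storage-pressure cut-off and the `buffer_fill_ratio` input are assumptions made for the illustration.

```python
"""Illustrative model of an adaptive log-check schedule for a single log source.
Added example for this page; it is not the Alert Logic Agent's implementation.
Thresholds (5-10 minute routine window, two-week idle threshold, 12-hour
ceiling) are from the page text; the scaling rules are assumptions."""

from dataclasses import dataclass

MIN_INTERVAL_S = 5 * 60            # fastest routine check (5 minutes)
MAX_ROUTINE_INTERVAL_S = 10 * 60   # slowest routine check (10 minutes)
IDLE_THRESHOLD_S = 14 * 24 * 3600  # two weeks without data from a source
MAX_IDLE_INTERVAL_S = 12 * 3600    # backoff ceiling (12 hours)
DISK_PRESSURE_RATIO = 0.8          # assumed: above this, send as fast as allowed
BUSY_LINES_PER_MINUTE = 100        # assumed: at or above this, use the fastest interval


@dataclass
class SourceState:
    """Observed state of one log source (for example a single Event Log stream)."""
    name: str
    seconds_since_last_data: float  # time since this source last produced a line
    lines_per_minute: float         # recent log generation rate for the source
    buffer_fill_ratio: float        # fraction of local spool space in use (assumed input)


def next_check_interval(src: SourceState) -> int:
    """Return the number of seconds to wait before checking this source again."""
    # Local spool filling up: check (and therefore ship) as often as permitted.
    if src.buffer_fill_ratio >= DISK_PRESSURE_RATIO:
        return MIN_INTERVAL_S

    # Source silent for more than two weeks: back off, growing with idle time,
    # but never beyond the 12-hour ceiling.  Linear growth is an assumption.
    if src.seconds_since_last_data > IDLE_THRESHOLD_S:
        extra_idle = src.seconds_since_last_data - IDLE_THRESHOLD_S
        backoff = MAX_ROUTINE_INTERVAL_S + int(extra_idle / 24)  # assumed slope
        return min(backoff, MAX_IDLE_INTERVAL_S)

    # Active source: scale the interval with the generation rate so collection
    # keeps up, staying inside the 5-10 minute routine window.
    if src.lines_per_minute >= BUSY_LINES_PER_MINUTE:
        return MIN_INTERVAL_S
    if src.lines_per_minute <= 0:
        return MAX_ROUTINE_INTERVAL_S
    span = MAX_ROUTINE_INTERVAL_S - MIN_INTERVAL_S
    return MAX_ROUTINE_INTERVAL_S - int(span * src.lines_per_minute / BUSY_LINES_PER_MINUTE)


def simulate_idle_source(days: int) -> list[int]:
    """Check times (seconds from the last datum at t=0) for a source that stays
    silent for `days` days, showing the routine cadence turning into backoff."""
    horizon = days * 24 * 3600
    t = 0
    checks: list[int] = []
    while t < horizon:
        src = SourceState("constructed-idle-source", t, 0.0, 0.0)
        t += next_check_interval(src)
        checks.append(t)
    return checks


if __name__ == "__main__":
    # Constructed sample sources, not real telemetry.
    busy = SourceState("Security.evtx", 30, 200.0, 0.10)
    quiet = SourceState("Setup.evtx", 3600, 0.0, 0.10)
    stale = SourceState("OldApp.log", 60 * 24 * 3600, 0.0, 0.10)
    pressured = SourceState("OldApp.log", 60 * 24 * 3600, 0.0, 0.95)
    for s in (busy, quiet, stale, pressured):
        print(f"{s.name:16} next check in {next_check_interval(s)} s")
    gaps = [b - a for a, b in zip([0] + simulate_idle_source(30), simulate_idle_source(30))]
    print(f"idle source: first gap {gaps[0]} s, longest gap {max(gaps)} s")
```

The simulation makes the defender-relevant point concrete: a source that goes quiet is still checked, just less often, so a missing log stream surfaces as a growing gap rather than silence, and storage pressure overrides the backoff.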
Amazon Linux is supported by the Alert Logic Agent. Amazon Linux instances are closely based on CentOS/Red Hat Linux, which Alert Logic currently supports and will work to keep supported on the latest available releases. Alert Logic has a number of customers running the agent on Amazon Linux instances.
OS platforms that support Alert Logic Agent deployment (the Linux distribution columns are identified here from the codenames and version strings in the original table):

| Windows | Debian | CentOS | Red Hat | Ubuntu | SUSE |
|---|---|---|---|---|---|
| Windows Server 2019 | Jessie (8.x) | 8.x | 8.x | 16 | 12.1 |
| Windows Server 2016 | Wheezy (7.x) | 7.x | 7.x | 14.x | 12.0 |
| Windows Server 2012 | Squeeze (6.x) | 7.x | 7.x | 12.x | 11.4 |
| Windows 10 | Lenny (5.x) | 5.x | 5.x | 10.x | 11.3 |
| Windows Server 2008 | | | | | |
| Windows Server 2003; SP 1 | | | | | |
| Windows (8, 7, Vista) | | | | | |
| Windows XP; SP 1 | | | | | |
Note: Amazon WorkSpaces is not supported.
Health State Alerts
Note: The following information applies only to Alert Logic customers with Cloud Defender™ entitlements.
Agents generate health state alerts based on their condition within your environment. Below, learn more about agent health state alerts and what exactly they mean for the agent's current condition.
| State | Meaning |
|---|---|
| New | Agent has registered but is not yet sending traffic. |
| OK | Agent has registered, is sending traffic, and is functioning as designed. |
| Warning | An application on the host that the agent uses must be updated; this does not impact collection or transport of customer data. |
1) Agent can connect to the backend to transport status, but cannot send traffic to the appliance.
2) Agent has been orphaned. This is an agent that was assigned to an appliance but was erased, either intentionally or otherwise.

1) Agent cannot connect to the appliance.
2) Agent cannot connect to the backend to transport status.