Check the Status of the Alert Logic Agent | How To

Description

The following article describes how to verify that the Alert Logic® Universal agent, Alert Logic Log Manager™ agent, or Alert Logic Threat Manager™ agent is properly connected and configured.

This information could be useful when installing the Alert Logic agent on a machine or if the agent does not display in the Alert Logic user interface (UI).

Solution

  1. To verify whether the Alert Logic agent is running, run one of the following commands:

    Linux
    Universal agent: /etc/init.d/al-agent status
    Legacy Log Manager agent: /etc/init.d/al-log-agent status
    Legacy Threat Manager agent: /etc/init.d/al-threat-host status

    Windows
    Universal agent: sc query al_agent
    Legacy Log Manager agent: sc query al_log_agent
    Legacy Threat Manager agent: sc query "AL Threat Agent"

    Note:
    These commands help you determine if the Alert Logic agent is running but do not help you determine if the agent is connected. 

  2. To verify that the Alert Logic agent has been properly configured, run the print-config command of the agent executable. If the Alert Logic agent is registered, it prints a non-blank host uuid.

    The agent executables are as follows:

    Universal agent: al-agent
    Legacy Log Manager agent: al-log-agent
    Legacy Threat Manager agent: al-threat-agent

    Note: On Windows, the agent executables have the .exe extension. The agent executables are located in the same directory as the logs listed in step 3.

  3. If additional troubleshooting is necessary from the agent side, the only way to tell if the agent is connected is to look at the local logs.

    The default directories for the log files are as follows:

    Linux
    Universal agent: /var/alertlogic/lib/agent/bin
    Legacy Log Manager agent: /var/alertlogic/lib/log-agent/bin
    Legacy Threat Manager agent: /var/alertlogic/lib/threat-agent/bin

    Windows
    Universal agent: C:\Program Files\AlertLogic\agent for x86 builds or C:\Program Files (x86)\AlertLogic\agent for amd64 builds
    Legacy Log Manager agent: C:\Program Files\AlertLogic\log-agent for x86 builds or C:\Program Files (x86)\AlertLogic\log-agent for amd64 builds
    Legacy Threat Manager agent: C:\Program Files\AlertLogic\ThreatManager for x86 builds or C:\Program Files (x86)\AlertLogic\ThreatManager for amd64 builds

    A log file is saved per instance, and the master's log file is named "master.log". These logs are written only until the agent successfully connects. At that point, the "Local logging disabled" message is inserted into the log file, and the log is closed. 

    Note: This process is not a completely reliable indicator of the status of the Alert Logic agent, because the log files are limited to 8 MB by default, at which point they are closed. 

  4. You can also review the status of sources in the Alert Logic UI or via an API. Refer to the Get Source document for instructions on retrieving data for a specific log source ID via an API.
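
The log check from step 3, as an added shell example (not Alert Logic's own tooling): it looks for the "Local logging disabled" message in master.log and reports the result as inconclusive when the file has reached the 8 MB limit without it. The function names, state labels and sample log lines are assumptions made for illustration; only the default directory, file name, message text and size limit come from the article.

```shell
#!/bin/sh
# Added example: classify the agent's connection state from master.log (step 3).
# Function names and state labels are hypothetical, not part of the agent.

AL_LOG_DIR_DEFAULT=/var/alertlogic/lib/agent/bin  # Universal agent default on Linux
AL_LOG_CAP_BYTES=$((8 * 1024 * 1024))             # default 8 MB log limit

# al_log_state [DIR] [CAP_BYTES]
# Prints one of:
#   connected      master.log contains "Local logging disabled"
#   not-connected  message absent and the log is still below the size limit
#   inconclusive   message absent but the log reached the limit and was closed
#   no-log         master.log is missing or unreadable
al_log_state() {
    dir=${1:-$AL_LOG_DIR_DEFAULT}
    cap=${2:-$AL_LOG_CAP_BYTES}
    log="$dir/master.log"
    if [ ! -r "$log" ]; then
        echo no-log
        return 0
    fi
    if grep -qF 'Local logging disabled' "$log"; then
        echo connected
        return 0
    fi
    size=$(wc -c < "$log" | tr -d ' ')
    if [ "$size" -ge "$cap" ]; then
        echo inconclusive
    else
        echo not-connected
    fi
}

# Demo on constructed logs; only the "Local logging disabled" text is real.
al_log_demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/connected" "$tmp/pending"
    printf '%s\n' 'constructed: agent starting' 'Local logging disabled' \
        > "$tmp/connected/master.log"
    printf '%s\n' 'constructed: agent starting' 'constructed: retrying' \
        > "$tmp/pending/master.log"
    for d in connected pending missing; do
        printf '%s: %s\n' "$d" "$(al_log_state "$tmp/$d")"
    done
    rm -rf "$tmp"
}
```

Call al_log_state with one of the legacy agent directories from step 3 to check those agents instead of the Universal agent.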
