The following article describes how to verify that the Alert Logic® Universal agent, Alert Logic Log Manager™ agent, or Alert Logic Threat Manager™ agent is properly connected and configured.
This information could be useful when installing the Alert Logic agent on a machine or if the agent does not display in the Alert Logic user interface (UI).
- To verify whether the Alert Logic agent is running, run one of the following commands:
Linux:
Universal agent: /etc/init.d/al-agent status
Legacy Log Manager agent: /etc/init.d/al-log-agent status
Legacy Threat Manager agent: /etc/init.d/al-threat-host status
Windows:
Universal agent: sc query al_agent
Legacy Log Manager agent: sc query al_log_agent
Legacy Threat Manager agent: sc query "AL Threat Agent"
Note: These commands help you determine if the Alert Logic agent is running but do not help you determine if the agent is connected.
- To verify that the Alert Logic agent has been properly configured, run the print-config command for the agent executable. If the Alert Logic agent is registered, it prints a non-blank host uuid.
The agent executables are as follows:
Universal agent: al-agent
Legacy Log Manager agent: al-log-agent
Legacy Threat Manager agent: al-threat-agent
Note: On Windows, the agent executables have .exe extensions. The agent executables are located in the same directory as the logs listed in step 3.
- If additional troubleshooting is necessary from the agent side, the only way to tell if the agent is connected is to look at the local logs.
The default directories for the log files are as follows:
Linux:
Universal agent: /var/alertlogic/lib/agent/bin
Legacy Log Manager agent: /var/alertlogic/lib/log-agent/bin
Legacy Threat Manager agent: /var/alertlogic/lib/threat-agent/bin
Windows:
Universal agent: C:\Program Files\AlertLogic\agent for x86 builds or C:\Program Files (x86)\AlertLogic\agent for amd64 builds
Legacy Log Manager agent: C:\Program Files\AlertLogic\log-agent for x86 builds or C:\Program Files (x86)\AlertLogic\log-agent for amd64 builds
Legacy Threat Manager agent: C:\Program Files\AlertLogic\ThreatManager for x86 builds or C:\Program Files (x86)\AlertLogic\ThreatManager for amd64 builds
A log file is saved per instance, and the master's log file is named "master.log". These logs are written only until the agent successfully connects. At that point, the "Local logging disabled" message is inserted into the log file, and the log is closed.
Note: This process is not a completely reliable indicator of the status of the Alert Logic agent, because the log files are limited to 8 MB by default, at which point they are closed.
- You can also review the status of sources in the Alert Logic UI or via an API. Refer to the Get Source document for instructions on retrieving data for a specific log source ID via an API.
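
The local-log check from step 3, as an added shell example (not Alert Logic code): it looks for the "Local logging disabled" message and treats a log that reached the 8 MB cap without it as inconclusive. The function names, the state labels, the reading of 8 MB as 8 * 1024 * 1024 bytes, and the constructed sample logs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Alert Logic code: classify an agent's local log using
# the "Local logging disabled" marker and the 8 MB cap the article describes.

# Assumption: the default 8 MB cap is 8 * 1024 * 1024 bytes.
AL_LOG_CAP_BYTES=$((8 * 1024 * 1024))

# al_log_state FILE prints one of:
#   connected      marker present: the agent connected and closed the log
#   not-connected  no marker, file below the cap: still logging locally
#   inconclusive   no marker, file at the cap: closed before any marker
#   missing        file absent or unreadable
al_log_state() {
    log=$1
    if [ ! -r "$log" ]; then
        echo missing
        return 0
    fi
    if grep -q -F "Local logging disabled" "$log"; then
        echo connected
        return 0
    fi
    size=$(wc -c < "$log" | tr -d ' ')
    if [ "$size" -ge "$AL_LOG_CAP_BYTES" ]; then
        echo inconclusive
    else
        echo not-connected
    fi
}

# al_log_demo builds three constructed logs and prints each state.
al_log_demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed: connecting\nLocal logging disabled\n' > "$d/ok.log"
    printf 'constructed: connecting\nconstructed: retrying\n' > "$d/retry.log"
    dd if=/dev/zero of="$d/full.log" bs=1024 count=8192 2>/dev/null
    for f in ok retry full absent; do
        printf '%s.log: %s\n' "$f" "$(al_log_state "$d/$f.log")"
    done
    rm -rf "$d"
}

# With a path argument, classify that file (for example master.log in the
# agent's log directory); with none, run the constructed demo.
if [ $# -gt 0 ]; then
    al_log_state "$1"
else
    al_log_demo
fi
```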