Check for Unhealthy Agents: File exists [17] Error

Beginning with Linux Agent 2.3.4, you can check which Agent components are running and whether or not the Agent is in a healthy state.

The Agent runs its own version of auditd, which sends audit activity to the F5 Distributed Cloud App Infrastructure Protection (AIP) platform to generate events and alert data. The Agent and the host operating system's (OS) auditd can conflict over the use of the kernel socket that delivers this audit information. The Agent Health Status feature indicates whether you have hosts experiencing this conflict by displaying DOWN.

Note

Agent Health displays on the Servers page under the Agent Health column. If you do not see this column on Distributed Cloud AIP, click the Edit Columns button and select a server. Selecting a server displays a pop-up window that contains information about the Agent components and indicates which services are Up, Down, or Disabled. For information about how to display this column, see Select and Sort Columns on Servers Page.

Error: File Exists [17]

One sign that the Agent is experiencing an audit socket conflict is when you receive the error:

"msg":"/opt/threatstack/sbin/tsauditd /opt/threatstack/etc/tsauditd.cfg exited with error (1)"

followed by:

"msg":"File exists [17]..."

You can see this in the Agent's log file /opt/threatstack/log/tsagentd.log, which contains logs of the operation of a running tsagentd daemon process.

To isolate the conflicting process, run:

/opt/threatstack/sbin/auditctl -s

This should return output similar to:

enabled 1
failure 0
pid <pid_number>
rate_limit 100000
backlog_limit 150000
lost 0
backlog 0
backlog_wait_time 0
loginuid_immutable 0 unlocked

You can now take the pid <pid_number> and grep for the process that is using the audit socket:

ps -ef | grep <pid_number>

Depending on the output from the ps command, you may find:

  • auditd is still running on the underlying host
  • an Agent is installed on the underlying host as well as in a container running on that host
  • another auditing Agent is installed in the environment that also uses the socket
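
The steps above as a small script, added here as an example and not part of F5's documentation or the Agent's tooling: it checks a log for the error pair, pulls the pid out of auditctl -s output, and maps the owning process name to the causes listed. The function names, the sample data, and the reading of a tsauditd owner as the second cause are assumptions; the one-line pid= status format it also accepts is not shown in this article.

```shell
# Added example: helpers for the triage steps in this article (not vendor code).

# Print the pid holding the audit socket, read from `auditctl -s` output on stdin.
# Accepts the "pid 1234" line format shown above and a one-line "pid=1234" format.
audit_owner_pid() {
  awk '$1 == "pid" { print $2; exit }
       { for (i = 1; i <= NF; i++) if ($i ~ /^pid=[0-9]+$/) { print substr($i, 5); exit } }'
}

# Succeed if the log on stdin has the tsauditd exit error followed by "File exists [17]".
has_socket_conflict() {
  awk '/tsauditd .*exited with error/ { seen = 1; next }
       seen && /File exists \[17\]/   { found = 1; exit }
       END { exit(found ? 0 : 1) }'
}

# Map a process name to one of the causes listed in this article.
# Assumption: an owner named tsauditd means a second Agent instance (host or container).
classify_owner() {
  case "$1" in
    auditd)   echo "host auditd is still running" ;;
    tsauditd) echo "another Agent instance (host or container) holds the socket" ;;
    "")       echo "no process found for that pid" ;;
    *)        echo "another auditing tool holds the socket: $1" ;;
  esac
}

# Live check on a host (run as root); paths are the ones given in this article.
check_host() {
  has_socket_conflict < /opt/threatstack/log/tsagentd.log ||
    { echo "no File exists [17] error logged"; return 0; }
  pid=$(/opt/threatstack/sbin/auditctl -s | audit_owner_pid)
  classify_owner "$(ps -o comm= -p "$pid" 2>/dev/null)"
}

# Constructed sample data (not captured from a real host) to try the parsers offline.
SAMPLE_LOG='{"msg":"/opt/threatstack/sbin/tsauditd /opt/threatstack/etc/tsauditd.cfg exited with error (1)"}
{"msg":"File exists [17]..."}'
SAMPLE_STATUS='enabled 1
failure 0
pid 812
rate_limit 100000'

if printf '%s\n' "$SAMPLE_LOG" | has_socket_conflict; then
  echo "conflict logged; audit socket pid: $(printf '%s\n' "$SAMPLE_STATUS" | audit_owner_pid)"
fi
```

On a real host, call check_host after sourcing the file; matching on the exact process name avoids the false hits that grepping ps output for a bare number can produce.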