FAQ: What do I do if my Agent disconnects?

The F5 Distributed Cloud App Infrastructure Protection (AIP) Agent includes functionality that continues to store event data locally if the Agent on the host disconnects from Distributed Cloud AIP backend processes. No data is lost during the disconnect.

The Agent may disconnect from Distributed Cloud AIP backend processes for the following reasons:

  • Connectivity problems between your infrastructure and Distributed Cloud AIP's infrastructure
  • Resource load on your I/O
  • An issue in Distributed Cloud AIP's infrastructure

The Agent constantly collects events from the kernel and places them in log files on your local system. The events are stored in /etc/threatstack/cloudsight/logs/tsaudit.log. The Distributed Cloud AIP Connection service then pushes those events from the log files to the Distributed Cloud AIP ingestion engine. Once consumed by the ingestion engine, the events are removed from the audit log file.

If a disconnect occurs between the Agent and the Distributed Cloud AIP backend processes, then events continue to record locally in /etc/threatstack/cloudsight/logs/tsaudit.log. If the file size limit of 50 MB is reached, a second log file begins recording with the naming scheme “tsaudit.log1”.

Note

The maximum number of log files created (tsaudit.log, tsaudit.log2, …, tsaudit.logN) is configurable via the “num_logs” setting in the /opt/threatstack/etc/audit.config.json file.

Once the Agent reconnects to the Distributed Cloud AIP backend, the Distributed Cloud AIP Connection service begins feeding all of the recorded events, beginning with the oldest, to the Distributed Cloud AIP ingestion engine. No data is lost.

Warning

Do not stop the Distributed Cloud AIP Agent during the disconnect. Any time the Agent stops, the log file(s) are cleared. During a disconnect, a stop clears the log file(s) before the Distributed Cloud AIP Connection service can push them, and the data is lost.

The following is an example of a Distributed Cloud AIP Agent event log for a network disconnect that self-recovers within a few seconds.

{
"name": "threatstack-agent",
"hostname": "xxxx",
"pid": 28016,
"level": 30,
"msg": "Agent disconnected",
"time": "2018-09-10T15:57:25.392Z",
"v": 0
}
{
"name": "threatstack-agent",
"hostname": "xxxx",
"pid": 29935,
"level": 30,
"msg": "Connecting to Threat Stack platform: https://cssensors.threatstack.com/bouncers agent_id=xxxx",
"time": "2018-09-10T15:57:35.972Z",
"v": 0
}
{
"name": "threatstack-agent",
"hostname": "xxxx",
"pid": 29935,
"level": 30,
"msg": "Agent connected",
"time": "2018-09-10T15:57:37.696Z",
"v": 0
}
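
To measure how long each disconnect lasted, the "Agent disconnected" and "Agent connected" events shown above can be paired by timestamp. The following is an added example, not F5 code: the function names, the 60-second alert threshold and the embedded sample are assumptions, and the log text is passed in as a string because this page does not give the path of the Agent's own event log.

```python
import json
import re
from datetime import datetime

# Constructed sample: the first two events mirror the log above; the third is
# an invented disconnect with no reconnect. Hostname and pids are placeholders.
SAMPLE = '''
{"name": "threatstack-agent", "hostname": "xxxx", "pid": 28016, "level": 30,
 "msg": "Agent disconnected", "time": "2018-09-10T15:57:25.392Z", "v": 0}
{"name": "threatstack-agent", "hostname": "xxxx", "pid": 29935, "level": 30,
 "msg": "Agent connected", "time": "2018-09-10T15:57:37.696Z", "v": 0}
{"name": "threatstack-agent", "hostname": "xxxx", "pid": 29935, "level": 30,
 "msg": "Agent disconnected", "time": "2018-09-10T16:20:00.000Z", "v": 0}
'''
WS = re.compile(r"\s*")

def iter_events(text):
    """Yield each object from concatenated JSON (pretty-printed or one per line)."""
    decoder, pos = json.JSONDecoder(), WS.match(text).end()
    while pos < len(text):
        obj, end = decoder.raw_decode(text, pos)
        yield obj
        pos = WS.match(text, end).end()

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

# max_seconds is an assumed alert threshold, not an AIP setting.
def disconnect_windows(text, now, max_seconds=60.0):
    """Return (start, end_or_None, seconds, alert) per disconnect window."""
    windows, start = [], None
    for event in iter_events(text):
        msg, ts = event.get("msg"), parse_time(event["time"])
        if msg == "Agent disconnected" and start is None:
            start = ts
        elif msg == "Agent connected" and start is not None:
            secs = (ts - start).total_seconds()
            windows.append((start, ts, secs, secs > max_seconds))
            start = None
    if start is not None:  # still disconnected; measure up to `now`
        secs = (now - start).total_seconds()
        windows.append((start, None, secs, secs > max_seconds))
    return windows

if __name__ == "__main__":
    for window in disconnect_windows(SAMPLE, parse_time("2018-09-10T16:30:00.000Z")):
        print(window)
```

A window with no end time is the case in which events are still accumulating in tsaudit.log, which is when the Agent must not be stopped.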