FAQ: What do I do if my Agent disconnects?


The Threat Stack Agent 1.x series includes functionality that continues to store event data locally if the Agent on the host disconnects from Threat Stack backend processes. No data is lost during the disconnect.

The Agent may disconnect from Threat Stack backend processes for any of the following reasons:

  • Connectivity between your infrastructure and Threat Stack’s infrastructure
  • Resource load on your I/O
  • An issue in Threat Stack’s infrastructure


The Agent constantly collects events from the kernel and places them in log files on your local system. The events are stored in /etc/threatstack/cloudsight/logs/tsaudit.log. The Threat Stack Connection service then pushes those events from the log files to the Threat Stack ingestion engine. Once consumed by the ingestion engine, the events are removed from the audit log file.

If a disconnect occurs between the Agent and the Threat Stack backend processes, then events continue to record locally in /etc/threatstack/cloudsight/logs/tsaudit.log. If the file size limit of 50 MB is reached, a second log file begins recording with the naming scheme “tsaudit.log1.”

Note

The maximum number of log files created (tsaudit.log, tsaudit.log2, … tsaudit.logN) is configurable via the “num_logs” setting in the /opt/threatstack/etc/audit.config.json file.

Once the Agent reconnects to the Threat Stack backend, the Threat Stack Connection service begins feeding all of the recorded events, beginning with the oldest, to the Threat Stack ingestion engine. No data is lost.

Warning

Do not stop the Threat Stack Agent during the disconnect. Any time the Agent stops, the log file(s) are cleared. If the Agent is stopped during a disconnect, the log file(s) are cleared before the Threat Stack Connection service can push them, and data is lost.

The following is an example of a Threat Stack Agent event log showing a network disconnect that self-recovers within a few seconds.

{
"name": "threatstack-agent",
"hostname": "xxxx",
"pid": 28016,
"level": 30,
"msg": "Agent disconnected",
"time": "2018-09-10T15:57:25.392Z",
"v": 0
}
{
"name": "threatstack-agent",
"hostname": "xxxx",
"pid": 29935,
"level": 30,
"msg": "Connecting to Threat Stack platform: https://cssensors.threatstack.com/bouncers agent_id=xxxx",
"time": "2018-09-10T15:57:35.972Z",
"v": 0
}
{
"name": "threatstack-agent",
"hostname": "xxxx",
"pid": 29935,
"level": 30,
"msg": "Agent connected",
"time": "2018-09-10T15:57:37.696Z",
"v": 0
}
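
The following is an added example, not Threat Stack's own tooling: a Python check that pairs each "Agent disconnected" record with the next "Agent connected" record and reports how long each outage lasted, flagging a disconnect that has not yet recovered. It assumes the Agent log text has already been read into a string; the sample input is constructed from the records above plus one extra unrecovered disconnect, and the function names are hypothetical.

```python
import json
from datetime import datetime

# Constructed sample: the page's three records (compacted) plus one later,
# unrecovered disconnect in pretty-printed form.
SAMPLE_LOG = '''
{"name":"threatstack-agent","hostname":"xxxx","pid":28016,"level":30,"msg":"Agent disconnected","time":"2018-09-10T15:57:25.392Z","v":0}
{"name":"threatstack-agent","hostname":"xxxx","pid":29935,"level":30,"msg":"Connecting to Threat Stack platform: https://cssensors.threatstack.com/bouncers agent_id=xxxx","time":"2018-09-10T15:57:35.972Z","v":0}
{"name":"threatstack-agent","hostname":"xxxx","pid":29935,"level":30,"msg":"Agent connected","time":"2018-09-10T15:57:37.696Z","v":0}
{
"msg": "Agent disconnected",
"time": "2018-09-10T16:20:00.000Z"
}
'''

def iter_events(text):
    """Yield records from one-per-line or pretty-printed concatenated JSON."""
    decoder, pos = json.JSONDecoder(), 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        try:
            record, pos = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            break  # partially written trailing record; stop here
        yield record

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def disconnect_windows(text):
    """Return (disconnected_at, reconnected_at, seconds) per disconnect;
    the last two fields are None while the Agent is still disconnected."""
    windows, start = [], None
    for record in iter_events(text):
        msg = record.get("msg")
        if msg == "Agent disconnected" and start is None:
            start = parse_time(record["time"])
        elif msg == "Agent connected" and start is not None:
            end = parse_time(record["time"])
            windows.append((start, end, (end - start).total_seconds()))
            start = None
    if start is not None:
        windows.append((start, None, None))
    return windows

if __name__ == "__main__":
    for start, end, secs in disconnect_windows(SAMPLE_LOG):
        print(start, "->", end or "STILL DISCONNECTED", secs)
```

An open-ended window means events are still accumulating in the local tsaudit.log files, which is the situation in which the Agent must not be stopped.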