Agent 3.x Series Commands

The Linux Agent 3.0.0 introduced new command-line commands.

Important

You must restart your Agent after making any configuration changes to ensure that the changes take effect. To restart the Agent, run the following command:
sudo systemctl restart threatstack

Each entry below gives the Agent 3.x command, followed by a description of the command.

sudo tsagent setup --deploy-key=foo --ruleset="Base Rule Set" --hostname="<Your Hostname>"

Replace <Your Hostname> with your AWS hostname (foo stands in for your deploy key).

Link the Agent with the AIP backend.

sudo initctl start threatstack (for Amazon Linux 1 OS)
sudo systemctl start threatstack (for all OSs except Amazon Linux 1)

Start the AIP Agent.

sudo initctl stop threatstack (for Amazon Linux 1 OS)
sudo systemctl stop threatstack (for all OSs except Amazon Linux 1)

Stop the AIP Agent.

sudo tsagent status

Get the status of the AIP Agent.

sudo tsagent config --set enable_containers 1

Enable container monitoring.

sudo tsagent config --set enable_kubes 1

Enable Kubernetes monitoring.

sudo tsagent config --set log.level debug

Change the logging level of the AIP Agent.

Allowable values:

  • info (this is the default level)
  • fatal
  • error
  • warn
  • debug
  • trace

After you change the logging level, you must restart the Agent.

sudo tsagent pprof profile --seconds <number of seconds to profile for> > cpu.pprof

Tells the AIP Agent to write CPU profiler data to the selected path (here, cpu.pprof). The data can be reviewed with the Go pprof tool (go tool pprof).

Replace <number of seconds to profile for> with the actual number of seconds.

To enable pprof:

  1. Run the following commands:
    1. sudo tsagent config --set pprof.enabled true
    2. sudo systemctl restart threatstack
    3. sudo tsagent pprof profile --seconds VALUE > cpu.pprof
    4. sudo tsagent pprof heap > heap.pprof
  2. To ensure enablement was successful, check that .pprof files are at least 1KB by running the following command:
    1. ls -l cpu.pprof heap.pprof

To disable pprof:

  1. Run the following commands:
    1. sudo tsagent config --set pprof.enabled false
    2. sudo systemctl restart threatstack
sudo tsagent pprof heap > heap.pprof

Tells the AIP Agent to write memory (heap) profiler data to the selected path (here, heap.pprof). The data can be reviewed with the Go pprof tool (go tool pprof).

The steps to enable and disable pprof are the same as those given for the CPU profile above.
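The enable, capture, verify and disable steps above, wrapped as one script so pprof is switched off again even when a capture fails. This is an added example, not code from the Threat Stack documentation; it assumes the tsagent and systemctl commands shown in this article are on PATH, and the helper names pprof_files_ok, valid_seconds and capture_profiles are invented here.

```shell
#!/bin/sh
# Added example: collect CPU and heap profiles from the AIP Agent with
# pprof enabled only for the duration of the capture.
# Assumes tsagent/systemctl from the article; helper names are invented.

# Succeeds only if every named file exists and is at least 1 KB (1024
# bytes), the same sanity check the article performs with ls -l.
pprof_files_ok() {
    bad=0
    for f in "$@"; do
        if [ -f "$f" ]; then
            size=$(wc -c < "$f" | tr -d ' ')
        else
            size=0
        fi
        if [ "$size" -lt 1024 ]; then
            echo "profile too small or missing: $f ($size bytes)" >&2
            bad=1
        fi
    done
    return $bad
}

# Accept only a positive integer before it is placed on a command line.
valid_seconds() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    return 0
}

# Enable pprof, restart, capture both profiles, verify them, then restore
# the default (pprof.enabled false) so the profiler is not left enabled.
capture_profiles() {
    seconds=$1
    outdir=${2:-.}
    valid_seconds "$seconds" || { echo "seconds must be a positive integer" >&2; return 2; }
    sudo tsagent config --set pprof.enabled true
    sudo systemctl restart threatstack
    status=0
    sudo tsagent pprof profile --seconds "$seconds" > "$outdir/cpu.pprof" || status=$?
    sudo tsagent pprof heap > "$outdir/heap.pprof" || status=$?
    pprof_files_ok "$outdir/cpu.pprof" "$outdir/heap.pprof" || status=1
    # Cleanup runs regardless of the capture result.
    sudo tsagent config --set pprof.enabled false
    sudo systemctl restart threatstack
    return $status
}
```

Run it on the host with, for example, `capture_profiles 30 /tmp/profiles` after sourcing the script; a non-zero return means one of the profiles is missing or under 1 KB.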
tsagent info

Displays information about the current state of the AIP Agent.

tsagent config --get

Retrieves the value of a configuration setting.

tsagent config --list

Lists the configuration.

tsagent config --set enable_backlog_wait <boolean>

The amount of time, in seconds, the Agent waits before dropping audit events when the system load is very high. By default, this value is 0, which ensures platform stability, but may reduce the level of observability of your audit events when the system load is very high.

tsagent config --set <environment variable> <value>

Replace <environment variable> with one of the allowable tags listed below, and <value> with the value to assign to it.

Configure your Agent with environment, role, and system tags that allow you to search for events and alerts returned from specific environments.

Allowable tags:

  • env
  • role
  • sys

tsagent config --set disable_audit_on_shutdown <boolean>

Replace <boolean> with either true or false

When set to false, leaves the Linux kernel's audit logs enabled when the AIP Agent is stopped.

When set to true, disables the Linux kernel's audit logs when the AIP Agent is stopped.

By default, the value is set to true.

tsagent config --help

Lists and explains all settings in your AIP Agent.

tsagent config --set enable_backlog_wait true

Keeps auditctl backlog_wait_time automatically set to its default value (not zero).
