Check for Unhealthy Agents: networkTracer DOWN

With the Linux Agent 3.0.0 release, F5 Distributed Cloud App Infrastructure Protection (AIP) includes a new eBPF component that reports additional network telemetry. eBPF safely and efficiently extends the Linux kernel's capabilities at runtime, without requiring you to change the kernel's existing code or modules.

Note

Agent Health displays on the Servers page under the Agent Health column. If you do not see this column on Distributed Cloud AIP, click the Edit Columns button and select a server. Selecting a server displays a pop-up window that contains information about the Agent components and indicates which service is Up, Down, or Disabled. For information about how to display this column, see Select and Sort Columns on Servers Page.

There are two indicators of a misconfiguration with networkTracer:

  • The following error message appears in /opt/threatstack/log/tsagentd.log:
    "cannot open kprobe_events: open /sys/kernel/debug/tracing/kprobe_events: no such file or directory\n"
  • Network Tracer is reported as DOWN. To check the Network Tracer's status, run the following command:
    sudo tsagent status

Resolution

If you see the above error message or the Network Tracer is DOWN, you may need to mount debugfs on this host.

To check whether debugfs is mounted, run the following command:

sudo mount | grep debug

If debugfs is not reported in the command output within a Host environment:

  1. Run the following command:
    sudo mount -t debugfs debugfs /sys/kernel/debug
  2. Restart the Agent.

If debugfs is not reported in the command output within a Container environment:

  1. Stop the container.
  2. Remove the container.
  3. Run the mount command above.
  4. Recreate the container with the following bind mount in the host filesystem:
    /sys/kernel/debug
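
The checks in this article combined into one script, added here as an example (not F5 or Threat Stack code): it reads the mount table and the Agent log and reports which condition applies. The function names and the three status strings are assumptions made for the example, and /proc/mounts is used as the source of mount information in place of the mount command's output.

```shell
#!/bin/sh
# Added example (not vendor code). Default paths are the ones named in this article.

# Succeeds if a debugfs filesystem is mounted at /sys/kernel/debug.
# $1: mounts table to read (default /proc/mounts; fields: device mountpoint fstype ...)
debugfs_mounted() {
    awk '$2 == "/sys/kernel/debug" && $3 == "debugfs" { found = 1 }
         END { exit !found }' "${1:-/proc/mounts}" 2>/dev/null
}

# Succeeds if the Agent log contains the kprobe_events error quoted above.
# $1: log file to read (default /opt/threatstack/log/tsagentd.log)
kprobe_error_logged() {
    grep -qF 'cannot open kprobe_events: open /sys/kernel/debug/tracing/kprobe_events: no such file or directory' \
        "${1:-/opt/threatstack/log/tsagentd.log}" 2>/dev/null
}

# Prints one of: ok | debugfs-missing | error-logged-debugfs-mounted
# The last case means debugfs is mounted now but the log still holds the
# error, e.g. lines written before the mount or before the Agent restart.
diagnose_network_tracer() {
    if ! debugfs_mounted "$1"; then
        echo "debugfs-missing"
    elif kprobe_error_logged "$2"; then
        echo "error-logged-debugfs-mounted"
    else
        echo "ok"
    fi
}

# Run against the live host when executed directly; pass two paths to override.
diagnose_network_tracer "$@"
```

Run the script with sudo so that the Agent log is readable; an unreadable log is treated the same as a log without the error.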