ACSIA Help Center

Guide for Verifying Installed Security Agents on GNU/Linux and Windows Systems

Mario Filice

This document outlines the steps for verifying installed security agents on both GNU/Linux and Windows systems to ensure that your devices are correctly monitored on ACSIA SOS.

What to Check After the Device is Installed?

  1. The device should appear in the Devices section of ACSIA SOS.
  2. In the device details, you should see the Asset Inventory.

If either of these points is not satisfied, follow the instructions below to fix it.

Preliminary Steps

First, make sure the system requirements are met:

  • Check that the device can reach the ACSIA collector on TCP port 1514 and the domain https://app.xdrplus.com/ on ports 80 and 443.
    • Port 1514 is used by the agent for sending logs; ports 80 and 443 are used to reach app.xdrplus.com.

For more information, refer to the ACSIA SOS Requirements.

How to Verify the Connection

On a GNU/Linux machine, follow the Wazuh agent log (reading it may require sudo):

tail -f /var/ossec/logs/ossec.log

On a Windows machine, open the Wazuh agent log at:
C:\Program Files (x86)\ossec-agent\ossec.log
(or follow it in PowerShell: Get-Content 'C:\Program Files (x86)\ossec-agent\ossec.log' -Wait -Tail 100)

A healthy agent logs a "Connected to the server" line; the error below means the connection is being blocked.

Possible Error:

ERROR: Unable to connect to 20.71.232.202:1514/tcp: Connection timed out

This means the agent cannot open a TCP connection to the collector on port 1514. A timeout (rather than "Connection refused") usually means a firewall is silently dropping the traffic. Test it from the device itself with telnet:

telnet 20.71.232.202 1514

On Windows hosts where the telnet client is not installed, the equivalent PowerShell check is:

Test-NetConnection -ComputerName 20.71.232.202 -Port 1514

  • If the connection fails, allow outbound TCP 1514 to that address on the host firewall and on any intermediate firewall or proxy, then watch the agent log again until it reports a successful connection.

If the Device Does Not Appear on ACSIA SOS UI

Check if the device can reach the domain:
https://app.xdrplus.com/

Ports to check: 1514, 80, 443.

Also, review the logs here:
C:\ProgramData\Xdrplus\Agent\log

If Issues Persist, Check the Following Logs and Services

1. Logs to Check

The agent bundles several components: Suricata, Falco, and Wazuh. The relevant logs are:

  • Agent logs
    • GNU/Linux: /var/lib/xdrplus-agent/logs/
    • Windows: C:\ProgramData\Xdrplus\Agent\logs\agent.log (PowerShell: Get-Content C:\ProgramData\Xdrplus\Agent\logs\agent.log -Wait -Tail 100)
  • Suricata logs
    • GNU/Linux: /var/log/suricata/*.log
    • Windows: C:\Program Files\Suricata\log\*.log
  • Falco logs
    • GNU/Linux: /var/log/falco.log
    • Windows: not present (Falco runs only on GNU/Linux)
  • Wazuh logs
    • GNU/Linux: /var/ossec/logs/ossec.log
    • Windows: C:\Program Files (x86)\ossec-agent\logs

2. Services to Verify

  • xdrplus-agent
    • GNU/Linux: systemctl status xdrplus-agent.service
    • Windows: check the Xdrplus-agent service in services.msc
  • suricata
    • GNU/Linux: systemctl status suricata.service
    • Windows: check the Suricata service in services.msc
  • wazuh-agent
    • GNU/Linux: systemctl status wazuh-agent.service
    • Windows: check the Wazuh service in services.msc
  • falco
    • GNU/Linux: systemctl status falco.service or systemctl status falco-kmod.service (on some systems the unit name differs)
    • Windows: not present
  • Sysmon64
    • GNU/Linux: not present
    • Windows: check the Sysmon64 service in services.msc
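The GNU/Linux checks from the sections above (reading the connection state out of ossec.log, testing TCP 1514 to the collector and ports 80/443 to app.xdrplus.com without relying on telnet, and verifying the four services) collected into one triage script. This is an added example, not ACSIA's own tooling: the collector address 20.71.232.202 is taken from the error message quoted earlier and can be overridden with environment variables, and the log lines used to exercise the parser are constructed.

```shell
#!/usr/bin/env bash
# Added example (not ACSIA tooling). Triage an xdrplus-agent host on GNU/Linux.
# Targets default to the values given in this article; override via environment.

COLLECTOR_HOST="${COLLECTOR_HOST:-20.71.232.202}"   # address from the ossec.log error above
COLLECTOR_PORT="${COLLECTOR_PORT:-1514}"            # log shipping port
PORTAL_HOST="${PORTAL_HOST:-app.xdrplus.com}"       # reached on 80 and 443
OSSEC_LOG="${OSSEC_LOG:-/var/ossec/logs/ossec.log}"
SERVICES=(xdrplus-agent suricata wazuh-agent falco)

# check_port HOST PORT [TIMEOUT]: complete a TCP handshake using bash's /dev/tcp,
# so no telnet client is required. Exit 0 on success, non-zero on refusal/timeout.
check_port() {
  local host="$1" port="$2" t="${3:-5}"
  timeout "$t" bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# classify_ossec_log FILE: report the most recent connection state in the Wazuh
# agent log as one of: connected, unreachable, unknown. "Unable to connect to" is
# the error quoted in this article; "Connected to the server" is what wazuh-agentd
# logs once the collector accepts the connection.
classify_ossec_log() {
  local last
  last=$(grep -E 'Unable to connect to|Connected to the server' "$1" 2>/dev/null | tail -n 1)
  case "$last" in
    *"Connected to the server"*) echo connected ;;
    *"Unable to connect to"*)    echo unreachable ;;
    *)                           echo unknown ;;
  esac
}

# failing_endpoint FILE: print the HOST:PORT named in the last "Unable to connect"
# line (e.g. 20.71.232.202:1514), or nothing if the log has no such line. Handles
# both the plain form quoted above and the quoted form 'HOST:PORT/tcp'.
failing_endpoint() {
  grep 'Unable to connect to' "$1" 2>/dev/null | tail -n 1 \
    | sed -nE "s#.*Unable to connect to '?([^ ':]+:[0-9]+)/tcp.*#\1#p"
}

# check_services: print the systemd state of each expected unit. Falco may be
# installed as falco-kmod, so that unit is tried when "falco" is not active.
check_services() {
  local svc state
  for svc in "${SERVICES[@]}"; do
    state=$(systemctl is-active "$svc" 2>/dev/null || true)
    if [ "$svc" = falco ] && [ "$state" != active ]; then
      state=$(systemctl is-active falco-kmod 2>/dev/null || true)
    fi
    printf '%-14s %s\n' "$svc" "${state:-not-found}"
  done
}

main() {
  local ep target
  printf 'Log state (%s): %s\n' "$OSSEC_LOG" "$(classify_ossec_log "$OSSEC_LOG")"
  ep=$(failing_endpoint "$OSSEC_LOG")
  if [ -n "$ep" ]; then printf 'Last failing endpoint: %s\n' "$ep"; fi
  for target in "$COLLECTOR_HOST:$COLLECTOR_PORT" "$PORTAL_HOST:443" "$PORTAL_HOST:80"; do
    if check_port "${target%:*}" "${target##*:}"; then
      printf '%-28s reachable\n' "$target"
    else
      printf '%-28s BLOCKED: allow outbound TCP %s\n' "$target" "${target##*:}"
    fi
  done
  check_services
}

# Run the full triage only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sudo bash check_agent.sh --run` on the affected host; a "BLOCKED" line for the collector together with an "unreachable" log state points at the firewall rule for port 1514, while "reachable" plus "unreachable" suggests the agent has not retried yet or is pointed at a different address than the one being tested.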

3. Installed Software

On GNU/Linux:

  • xdrplus-agent
    • RedHat: sudo yum list installed | grep -i xdrplus
    • Debian/Ubuntu: dpkg -l | grep -i xdrplus
  • suricata
    • RedHat: sudo yum list installed | grep -i suricata
    • Debian/Ubuntu: dpkg -l | grep -i suricata
  • wazuh-agent
    • RedHat: sudo yum list installed | grep -i wazuh
    • Debian/Ubuntu: dpkg -l | grep -i wazuh
  • falco
    • RedHat: sudo yum list installed | grep -i falco
    • Debian/Ubuntu: dpkg -l | grep -i falco

On Windows:

Check that the following are installed, at the versions listed:

  • xdrplus-agent
  • Wazuh Agent: version 4.4.5
  • Suricata: version 5.0.3 or higher
  • Npcap: version 0.96
  • Sysmon: version 15.0 or higher

Open a ticket on the Zendesk portal if you need support.