This document outlines the steps for verifying installed security agents on both GNU/Linux and Windows systems to ensure that your devices are correctly monitored on ACSIA SOS.
What to Check After the Device is Installed?
- The device should appear in the Devices section of ACSIA SOS.
- In the device details, you should see the Asset Inventory.
If either of these points is not satisfied, follow the instructions below to fix it.
Preliminary Steps
First, make sure the system requirements are met:
- Check that the device can reach ports 1514, 443, and 80, and the domain https://app.xdrplus.com/.
- Port 1514 is used for sending logs to the manager.
For more information, refer to the ACSIA SOS Requirements.
How to Verify the Connection
On a GNU/Linux machine, follow the Wazuh agent log:
tail -f /var/ossec/logs/ossec.log
On a Windows machine, check the log file at: C:\Program Files (x86)\ossec-agent\ossec.log
Possible Error:
ERROR: Unable to connect to 20.71.232.202:1514/tcp: Connection timed out
Try using the telnet command:
telnet 20.71.232.202 1514
- If the connection fails, you need to open port 1514.
If the Device Does Not Appear on ACSIA SOS UI
Check if the device can reach the domain: https://app.xdrplus.com/
Ports to check: 1514, 80, 443.
Also, review the logs here: C:\ProgramData\Xdrplus\Agent\log
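The two connectivity checks above (reading the Wazuh agent log for "Unable to connect" errors and confirming that ports 1514, 443 and 80 and app.xdrplus.com are reachable) can be scripted. The script below is an added example, not part of the ACSIA SOS documentation or the agent itself; it assumes a GNU/Linux host with bash and standard tools, and the 1514 target is the manager address taken from the sample error above (your tenant's address may differ). The sample log it builds is constructed, not a real capture.

```bash
#!/usr/bin/env bash
# Added example, not part of the ACSIA SOS documentation or the agent itself.
# Two checks from the sections above: (1) read the Wazuh agent log for
# "Unable to connect" errors and probe the endpoints it names, and
# (2) probe the endpoints the requirements list (ports 1514, 443 and 80,
# plus app.xdrplus.com). Needs only bash and standard Unix tools, no telnet.

# Endpoints from the requirements section. The 1514 target is the manager
# address from the sample error above; your tenant's address may differ.
REQUIRED="20.71.232.202:1514 app.xdrplus.com:443 app.xdrplus.com:80"

# Print each unique host:port that ossec.log reports as unreachable, taken
# from lines like "... Unable to connect to 20.71.232.202:1514/tcp: ...".
# $1: path to the log (default /var/ossec/logs/ossec.log)
extract_unreachable() {
    grep -o 'Unable to connect to [^ ]*/tcp' "${1:-/var/ossec/logs/ossec.log}" 2>/dev/null \
        | sed 's/^Unable to connect to //; s#/tcp$##' \
        | sort -u
}

# Return 0 if a TCP connection to $1:$2 opens within $3 seconds (default 5).
# Uses bash's /dev/tcp so the box needs neither telnet nor nc.
tcp_probe() {
    timeout "${3:-5}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Print one status line per host:port given in $@; return how many failed.
probe_all() {
    local failed=0 ep
    for ep in "$@"; do
        if tcp_probe "${ep%:*}" "${ep##*:}"; then
            echo "OK       $ep"
        else
            echo "BLOCKED  $ep   (allow outbound TCP to this port)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Constructed sample log (not a real capture) so the parser can be tried
# without an installed agent; prints the temp file's path.
sample_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
2024/01/01 10:00:00 wazuh-agentd: INFO: Started (pid: 1234).
2024/01/01 10:00:21 wazuh-agentd: ERROR: Unable to connect to 20.71.232.202:1514/tcp: Connection timed out
2024/01/01 10:01:02 wazuh-agentd: ERROR: Unable to connect to 20.71.232.202:1514/tcp: Connection timed out
EOF
    echo "$f"
}

# Usage: ./check_connectivity.sh --check [/path/to/ossec.log]
# Probes the required endpoints plus any the log complains about; the exit
# code is the number of blocked endpoints (0 = all reachable).
if [ "${1:-}" = "--check" ]; then
    probe_all $(printf '%s\n' $REQUIRED $(extract_unreachable "${2:-}") | sort -u)
fi
```

Run it with `--check` on the agent host; a BLOCKED line for port 1514 corresponds to the telnet failure described above and means the port has to be opened outbound.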
If Issues Persist, Check the Following Logs and Services
1. Logs to Check
The agent uses several plugins: Suricata, Falco, and Wazuh. The relevant logs are:
Name | GNU/Linux | Windows |
---|---|---|
Agent Logs | /var/lib/xdrplus-agent/logs/ | C:\ProgramData\Xdrplus\Agent\logs\agent.log (PowerShell: `Get-Content C:\ProgramData\Xdrplus\Agent\logs\agent.log -Wait -Tail 100`) |
Suricata Logs | /var/log/suricata/*.log | C:\Program Files\Suricata\log\*.log |
Falco Logs | /var/log/falco.log | Not present |
Wazuh Logs | /var/ossec/logs/ossec.log | C:\Program Files (x86)\ossec-agent\logs |
2. Services to Verify
Name | Windows | GNU/Linux |
---|---|---|
xdrplus-agent | Check the Xdrplus-agent service in Services.msc | systemctl status xdrplus-agent.service |
suricata | Check the Suricata service in Services.msc | systemctl status suricata.service |
wazuh-agent | Check the Wazuh service in Services.msc | systemctl status wazuh-agent.service |
falco | Not present | systemctl status falco.service or systemctl status falco-kmod.service (on some systems the service name may differ) |
Sysmon64 | Check the Sysmon64 service in Services.msc | Not present |
3. Installed Software
On GNU/Linux:
Name | Command for RedHat | Command for Debian/Ubuntu |
---|---|---|
xdrplus-agent | `sudo yum list installed \| grep -i xdrplus` | |
suricata | `sudo yum list installed \| grep -i suricata` | |
wazuh-agent | `sudo yum list installed \| grep -i wazuh` | |
falco | `sudo yum list installed \| grep -i falco` | |
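The three GNU/Linux checks above (logs, services, installed packages) can be run together. The script below is an added example, not part of the ACSIA SOS documentation or the agent itself. It uses the log paths and service names from the tables, assumes each systemd unit carries the same name as its package, and uses dpkg-query for Debian/Ubuntu as an assumption, since the document only lists the RedHat (yum) command. It also treats a log that has not changed in ten minutes as a sign of a stalled component; that threshold is a choice made here, not a value from the document.

```bash
#!/usr/bin/env bash
# Added example, not part of the ACSIA SOS documentation or the agent itself.
# Health check for the GNU/Linux side of the three tables above: is each
# package installed, is each service active, and has each log been written
# to recently (a silent log usually means a stalled component). The
# Debian/Ubuntu package query (dpkg-query) is an assumption here; the
# document only gives the RedHat (yum) command.

# component:log-path pairs from the logs table; the service unit is assumed
# to carry the same name as the package, as in the services table.
COMPONENTS="xdrplus-agent:/var/lib/xdrplus-agent/logs suricata:/var/log/suricata wazuh-agent:/var/ossec/logs/ossec.log falco:/var/log/falco.log"

# 0 if package $1 is installed: dpkg-query on Debian/Ubuntu (assumed),
# rpm on RedHat; 2 if neither package tool is present.
pkg_installed() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q 'install ok installed'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q "$1" >/dev/null 2>&1
    else
        return 2
    fi
}

# Print the state of unit $1 (active, inactive, failed, unknown ...);
# return 0 only when it is active.
service_state() {
    local state
    if ! command -v systemctl >/dev/null 2>&1; then
        echo unknown
        return 2
    fi
    state=$(systemctl is-active "$1" 2>/dev/null) || true
    echo "${state:-unknown}"
    [ "$state" = active ]
}

# 0 if $1 (file or directory) exists and something in it was modified in
# the last $2 minutes (default 10).
log_fresh() {
    [ -e "$1" ] && [ -n "$(find "$1" -mmin "-${2:-10}" 2>/dev/null | head -n 1)" ]
}

# One line per component; return the number of components with a problem.
# For falco, falco-kmod is tried when the falco unit is not active, as the
# services table notes the unit name differs on some systems.
health_report() {
    local bad=0 item name log pkg state fresh
    for item in $COMPONENTS; do
        name=${item%%:*}
        log=${item#*:}
        if pkg_installed "$name"; then pkg=yes; else pkg=no; fi
        state=$(service_state "$name") || true
        if [ "$name" = falco ] && [ "$state" != active ]; then
            state=$(service_state falco-kmod) || true
        fi
        if log_fresh "$log" 10; then fresh=fresh; else fresh=stale; fi
        printf '%-13s package=%-3s service=%-8s log=%-5s %s\n' \
            "$name" "$pkg" "$state" "$fresh" "$log"
        if [ "$pkg" = no ] || [ "$state" != active ] || [ "$fresh" = stale ]; then
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage: ./agent_health.sh --report   (exit code = number of unhealthy rows)
if [ "${1:-}" = "--report" ]; then
    health_report
fi
```

A row showing `package=yes service=active log=stale` points at a component that is running but not writing, which is worth checking before reopening firewall tickets; `package=no` sends you back to the installation step rather than to the services table.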
On Windows:
Name | Version |
---|---|
xdrplus-agent | |
Wazuh Agent | Version 4.4.5 |
Suricata | Version 5.0.3 or higher |
Npcap | Version 0.96 |
Sysmon | Version 15.0 or higher |
Open a ticket on the Zendesk portal if you need support.