ACSIA Help Center

Verifying Installed Agents on GNU/Linux and Windows

Mario Filice

This document describes how to verify that the security agents deployed with ACSIA are installed and running on GNU/Linux and Windows systems. Each agent is checked in three ways: its log files, its service, and the installed package and version.

1. Logs to check:

Name             GNU/Linux                      Windows
Agent logs       /var/lib/xdrplus-agent/logs    C:\ProgramData\Xdrplus\Agent\logs\agent.log
Suricata logs    /var/log/suricata/*.log        C:\Program Files\Suricata\log\*.log
Falco logs       /var/log/falco.log             Not present
Wazuh logs       /var/ossec/logs/ossec.log      C:\Program Files (x86)\ossec-agent\logs

To follow the agent log on Windows, run the following in PowerShell (as administrator):

Get-Content C:\ProgramData\Xdrplus\Agent\logs\agent.log -Wait -Tail 100

A log file that exists but has not been written to recently is as much a warning sign as a missing one: check the timestamp of the last entry, not only that the file is there.

2. Services to verify:

Name            GNU/Linux                                Windows
xdrplus-agent   systemctl status xdrplus-agent.service   Services.msc: Xdrplus-agent service
suricata        systemctl status suricata.service        Services.msc: Suricata service
wazuh-agent     systemctl status wazuh-agent.service     Services.msc: Wazuh service
falco           systemctl status falco.service           Not present
Sysmon64        Not present                              Services.msc: Sysmon64 service

On some systems falco.service does not exist because the unit is named differently; in that case run systemctl status falco-kmod.service instead.

The expected state is active (running) on GNU/Linux and Running in Services.msc on Windows. A service that is installed but stopped or failed needs attention even if the package check below passes.

3. Installed Software:

Linux:

Name            Red Hat                                       Debian and Ubuntu
xdrplus-agent   sudo yum list installed | grep -i xdrplus     apt list --installed | grep -i xdrplus
suricata        sudo yum list installed | grep -i suricata    apt list --installed | grep -i suricata
wazuh-agent     sudo yum list installed | grep -i wazuh       apt list --installed | grep -i wazuh
falco           sudo yum list installed | grep -i falco       apt list --installed | grep -i falco
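The three GNU/Linux checks above (package installed, service active, log present and recently written) combined into one script. This is an added example and is not part of this page or of the XDR+ agent tooling. It assumes, beyond what the page states, that a log untouched for more than 15 minutes (MAX_LOG_AGE) is worth flagging, that for a log directory the newest *.log file is the one to inspect, and that falco may be installed under either falco.service or falco-kmod.service; it reads package state from dpkg or rpm directly, which is the same data apt and yum report.

```bash
#!/usr/bin/env bash
# Added example, not part of the ACSIA page: run the three GNU/Linux checks
# (package installed, service active, log present and recently written) for
# every agent and print a one-line verdict per agent.
# Assumptions not stated on the page: a log untouched for more than MAX_LOG_AGE
# seconds is reported as stale, and for a directory the newest *.log is checked.
set -u

MAX_LOG_AGE="${MAX_LOG_AGE:-900}"   # 15 minutes; assumed threshold, tune per site

# One agent per line: package | candidate unit names (comma separated) | log path.
# Paths and unit names are the ones the page lists; falco gets both unit names.
AGENTS='xdrplus-agent|xdrplus-agent.service|/var/lib/xdrplus-agent/logs
suricata|suricata.service|/var/log/suricata
wazuh-agent|wazuh-agent.service|/var/ossec/logs/ossec.log
falco|falco.service,falco-kmod.service|/var/log/falco.log'

# pkg_version NAME: print the installed version of NAME, or nothing if absent.
# Queries dpkg or rpm directly, which is what "apt list --installed" and
# "yum list installed" read from.
pkg_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${db:Status-Status} ${Version}\n' "$1" 2>/dev/null \
      | awk '$1 == "installed" { print $2 }'
  elif command -v rpm >/dev/null 2>&1; then
    v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$1" 2>/dev/null) && printf '%s' "$v"
  fi
  return 0
}

# first_present_unit CANDIDATES: CANDIDATES is a comma-separated list of unit
# names and stdin is "systemctl list-unit-files" output; print the first
# candidate that has a unit file. Returns 1 if none does.
first_present_unit() {
  units_on_host=$(cat)
  for u in $(printf '%s' "$1" | tr ',' ' '); do
    if printf '%s\n' "$units_on_host" | awk '{ print $1 }' | grep -qxF -- "$u"; then
      printf '%s' "$u"
      return 0
    fi
  done
  return 1
}

# service_state UNIT: systemd ActiveState (active, inactive, failed, ...) or
# "unknown" when systemd cannot be queried.
service_state() {
  s=$(systemctl show -p ActiveState --value "$1" 2>/dev/null) || s=
  printf '%s' "${s:-unknown}"
}

# log_status PATH: "fresh FILE", "stale FILE" or "missing". PATH may be a file
# or a directory; for a directory the most recently modified *.log is used.
log_status() {
  p=$1
  if [ -d "$p" ]; then
    p=$(ls -t "$p"/*.log 2>/dev/null | head -n 1)
  fi
  if [ -z "$p" ] || [ ! -f "$p" ]; then
    printf 'missing'
    return 1
  fi
  now=$(date +%s)
  mtime=$(stat -c %Y "$p" 2>/dev/null || stat -f %m "$p")
  if [ $((now - mtime)) -le "$MAX_LOG_AGE" ]; then
    printf 'fresh %s' "$p"
  else
    printf 'stale %s' "$p"
  fi
}

# report: print one line per agent with the result of all three checks.
report() {
  listing=$(systemctl list-unit-files --type=service --no-legend 2>/dev/null || true)
  printf '%-14s %-16s %-34s %s\n' AGENT PACKAGE SERVICE LOG
  printf '%s\n' "$AGENTS" | while IFS='|' read -r pkg units logp; do
    ver=$(pkg_version "$pkg")
    [ -n "$ver" ] || ver=absent
    if unit=$(printf '%s\n' "$listing" | first_present_unit "$units"); then
      svc="$unit ($(service_state "$unit"))"
    else
      svc="no unit file"
    fi
    printf '%-14s %-16s %-34s %s\n' "$pkg" "$ver" "$svc" "$(log_status "$logp" || true)"
  done
}

report
```

Run it as root on the host. A healthy agent reads as a version, "unit (active)" and "fresh"; "absent", "no unit file" or "missing" means the agent is not installed on that host, and "stale" or a state other than active means it is installed but not doing its job.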

Windows:

Name           Version
xdrplus-agent  
Wazuh Agent    4.4.5
Suricata       5.0.3 or later
Npcap          0.96
Sysmon         15.0 or later