This guide provides step-by-step instructions to verify if the security agents installed on your GNU/Linux and Windows systems are properly configured for monitoring on ACSIA SOS.
Post-Installation Checklist
After installing the agent, verify the following on the ACSIA SOS platform (https://app.xdrplus.com/):
- Device Visibility: Ensure the device appears in the "Devices" section list.
- Asset Inventory: The Asset Inventory should be visible in the device details.
If either of these conditions is not met, follow the troubleshooting steps below.
Preliminary Requirements
Ensure the following prerequisites are met:
Check connection Requirements
Verify that the device can connect to the following ports and domain:
- Ports: 1514 (for log transmission), 443, and 80
- Domain: https://app.xdrplus.com/ (ACSIA SOS platform)
To further validate connections:
- Check Wazuh connectivity by visiting https://packages.wazuh.com on the device browser.
- Check Suricata connectivity by visiting https://www.openinfosecfoundation.org on the device browser.
Check Operating System Requirements
For Windows 2008 R2 (Windows 7) 64-bit systems:
- Install the following updates: KB2533623, KB3033929, KB3138612, KB2999226
- Install .NET Framework 4.8 for proper agent functionality.
Refer to the full ACSIA SOS Requirements for more details.
Log Verification
On GNU/Linux Systems
Run the following command to monitor connection logs:
On Windows Systems
Check the log file located at:
Common Error in Logs
Error Message:
ERROR: Unable to connect to 147.78.97.58:1514/tcp: Connection timed out
To test the connection:
- Use the telnet command to test port 1514.
- If the connection fails, ensure that port 1514 is open.
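The telnet test above checks one port by hand. The script below is an added example (not ACSIA or Wazuh tooling) that automates the same checks from this guide: it attempts a TCP handshake to the platform domain on 443 and 80 and to the two connectivity-check sites, and it scans the Wazuh agent log for the "Unable to connect" error quoted above, then re-tests the manager address and port taken from that error so a stale log entry can be told apart from a live outage. Assumptions: the log line format is the one quoted in this guide, the Windows log file name is assumed to be ossec.log inside the directory the guide lists, and the sample log lines embedded for the offline run are constructed.

```python
import os
import re
import socket

# Endpoints the guide says the device must reach (ports 443/80 on the platform
# domain plus the two connectivity-check sites).  Port 1514 is checked against
# whatever manager address the agent log complains about; see diagnose().
REQUIRED_ENDPOINTS = [
    ("app.xdrplus.com", 443),
    ("app.xdrplus.com", 80),
    ("packages.wazuh.com", 443),
    ("www.openinfosecfoundation.org", 443),
]

# Wazuh agent log per platform, from the log-path table in this guide.
# The Windows file name (ossec.log) is an assumption; the guide gives only the directory.
OSSEC_LOG = (r"C:\Program Files (x86)\ossec-agent\logs\ossec.log"
             if os.name == "nt" else "/var/ossec/logs/ossec.log")

# Matches the error quoted in the guide:
#   ERROR: Unable to connect to 147.78.97.58:1514/tcp: Connection timed out
CONNECT_ERROR = re.compile(
    r"ERROR: Unable to connect to (?P<host>[^:\s]+):(?P<port>\d+)/(?P<proto>\w+): (?P<reason>.+)$"
)


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, DNS failure, no route, ...
        return False


def find_connect_errors(log_lines):
    """Return (host, port, reason) for every 'Unable to connect' line in the log."""
    hits = []
    for line in log_lines:
        m = CONNECT_ERROR.search(line.rstrip())
        if m:
            hits.append((m.group("host"), int(m.group("port")), m.group("reason")))
    return hits


def diagnose(log_lines, endpoints=REQUIRED_ENDPOINTS, timeout=3.0):
    """Combine both checks into one report dict.

    'endpoints' maps (host, port) -> reachable now; 'errors' lists what the log
    complained about; 'manager' re-tests each (host, port) from those errors, so a
    stale error and a live outage can be told apart.
    """
    errors = find_connect_errors(log_lines)
    return {
        "endpoints": {(h, p): tcp_reachable(h, p, timeout) for h, p in endpoints},
        "errors": errors,
        "manager": {(h, p): tcp_reachable(h, p, timeout) for h, p, _ in errors},
    }


if __name__ == "__main__":
    try:
        with open(OSSEC_LOG, encoding="utf-8", errors="replace") as f:
            lines = f.readlines()
    except OSError:
        # Constructed sample lines so the script also runs on a host without the agent.
        lines = [
            "2024/01/01 10:00:00 ossec-agentd: INFO: Started (pid: 1234).",
            "2024/01/01 10:00:05 ossec-agentd: ERROR: Unable to connect to 147.78.97.58:1514/tcp: Connection timed out",
        ]
    report = diagnose(lines)
    for (host, port), ok in report["endpoints"].items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port}")
    for host, port, reason in report["errors"]:
        live = report["manager"][(host, port)]
        print(f"log: agent could not reach {host}:{port} ({reason}); reachable now: {live}")
```

A FAIL on port 1514 while 443 and 80 succeed points at a firewall rule for that single port rather than general loss of connectivity, which is the case the checklist above is written for.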
If the Device Does Not Appear on ACSIA SOS UI
If the device is not appearing in ACSIA SOS:
- Verify connectivity to the domain: https://app.xdrplus.com/.
- Check that ports 1514, 80, and 443 are accessible.
- Review the logs at:
Additional Logs and Services to Check
1. Relevant Logs
Check the following logs for each component:
Component | GNU/Linux Log Path | Windows Log Path |
---|---|---|
Agent Logs | /var/lib/xdrplus-agent/logs/ | C:\ProgramData\Xdrplus\Agent\logs\agent.log (PowerShell: Get-Content C:\ProgramData\Xdrplus\Agent\logs\agent.log -Wait -Tail 100) |
Suricata Logs | /var/log/suricata/*.log | C:\Program Files\Suricata\log\*.log |
Falco Logs | /var/log/falco.log | Not present |
Wazuh Logs | /var/ossec/logs/ossec.log | C:\Program Files (x86)\ossec-agent\logs |
2. Services Verification
Check the status of each service:
Service | Windows Command | GNU/Linux Command |
---|---|---|
xdrplus-agent | Check the Xdrplus-agent service in Services.msc | systemctl status xdrplus-agent.service |
suricata | Check the Suricata service in Services.msc | systemctl status suricata.service |
wazuh-agent | Check the Wazuh service in Services.msc | systemctl status wazuh-agent.service |
falco | Not present on Windows Systems | systemctl status falco.service or systemctl status falco-kmod.service (on some systems the service name may differ) |
Sysmon64 | Check the Sysmon64 service in Services.msc | Not present |
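The table above lists one systemctl command per service. The script below is an added example, not part of this guide or the vendor's tooling, that queries all the GNU/Linux units in the table in one pass with `systemctl is-active` (which prints a single state word such as active, inactive or failed) and flags any component that is not running. Because the guide notes that Falco's unit name differs between installs, both names are queried and either one being active satisfies the check. The query function is injectable so the report logic can be exercised without systemd.

```python
import subprocess

# Unit names from the services table in this guide.  Falco has two candidate
# names; either one being active counts as running.
LINUX_SERVICES = {
    "xdrplus-agent": ["xdrplus-agent.service"],
    "suricata": ["suricata.service"],
    "wazuh-agent": ["wazuh-agent.service"],
    "falco": ["falco.service", "falco-kmod.service"],
}


def systemctl_is_active(unit):
    """Run `systemctl is-active UNIT` and return its state word ("active", "inactive", "failed", ...).

    A unit that does not exist reports "inactive" with a non-zero exit code, which
    is exactly what we want to surface for a missing component.
    """
    try:
        proc = subprocess.run(["systemctl", "is-active", unit],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:  # no systemctl binary (not a systemd host)
        return "unknown"
    return proc.stdout.strip() or "unknown"


def service_report(query=systemctl_is_active, services=LINUX_SERVICES):
    """Map component name -> (running, {unit: state}).

    `query` is any callable taking a unit name and returning a state word;
    the default shells out to systemctl.
    """
    report = {}
    for name, units in services.items():
        states = {unit: query(unit) for unit in units}
        report[name] = (any(state == "active" for state in states.values()), states)
    return report


def failing_components(report):
    """Names of components where no candidate unit is active, in table order."""
    return [name for name, (running, _) in report.items() if not running]


if __name__ == "__main__":
    rep = service_report()
    for name, (running, states) in rep.items():
        detail = ", ".join(f"{u}={s}" for u, s in states.items())
        print(f"{'OK  ' if running else 'FAIL'} {name:14} {detail}")
    missing = failing_components(rep)
    if missing:
        print("not running:", ", ".join(missing))
```

Run it on the device with sudo only if your systemd policy requires it for `is-active`; on most hosts the query works unprivileged. Any component reported as FAIL should be followed up with the corresponding `systemctl status` command from the table to see the unit's recent journal lines.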
3. Installed Software Verification
For each component, use the following commands to verify installation:
GNU/Linux Systems:
Name | Command |
---|---|
xdrplus-agent | sudo yum list installed \| grep -i xdrplus |
suricata | sudo yum list installed \| grep -i suricata |
wazuh-agent | sudo yum list installed \| grep -i wazuh |
falco | sudo yum list installed \| grep -i falco |
Windows Systems:
Name | Version |
---|---|
xdrplus-agent | version 7.5.0 |
Wazuh Agent | Version 4.4.5 |
Suricata | Version 5.0.3 or higher |
Npcap | Version 0.96 |
Sysmon | Version 15.0 or higher |
Open a ticket on the Zendesk portal if you need support.