Agent and Sensor Overview


Agent installation and deployment

The running piece of software that collects our Linux EDR telemetry on endpoints is known as an agent, or sensor.

1. From the navigation menu, click Endpoints, and then click Deploy Sensors.

For a complete guide and system requirements, see Deploy an EDR sensor agent.

Agent commands

Run the following command from the installation directory.

cfsvcd -h

Expected output, showing the available command options:

Red Canary, Inc.

USAGE:
 cfsvcd [FLAGS] [OPTIONS]

FLAGS:
 -h, --help Prints help information
 -V, --version Prints version information
 -v, --verbose Enable verbose logging

OPTIONS:
 -o, --offload-target  Set the offload target [default: AWS] [possible values: AWS, Disk]

Agent debugging

Note: The command you use may need to be adjusted depending on the distribution on which Red Canary Linux EDR is installed. 

  • Systemd distributions use systemctl for services management.

  • Other distributions may use init and the service command.

  • Upstart uses initctl.

  • While service commands function in systemd distributions, init distributions cannot interpret systemctl commands.

When following these steps, please first verify which command is applicable to your distribution.

Confirm the agent is running

Run:

systemctl status cfsvcd 

Expected output:

Active: ... active (running)

Check that the log entries (the lines beginning with timestamps) do not indicate any error conditions. If there are no error conditions, you should still see systemd entries indicating that the service started, and cfsvcd entries indicating that it located the config.json file and is continuing execution.

If your distribution uses Upstart, run:

initctl status cfsvcd

If your distribution uses init, run:

service cfsvcd status

Note: If Sensor Auto-Upgrade is enabled, check cwp.service

Systemd example:

systemctl status cwp.service

Confirm the agent has network connectivity 

Run:

nc -z any_arbitrary_bucket.s3.amazonaws.com 443

Install the nc command if it is not present. nc -z only tests that the port accepts a connection and prints nothing on success, so if the command produces no output, network connectivity to the upload endpoint is available.

Confirm the agent has initialized 

Run:

file /opt/redcanary/spool

The spool directory shown above is created on the first upload attempt and emptied when an upload succeeds, so it is normally empty. If it contains several entries, telemetry uploads may be failing. During normal operation one or two entries may appear briefly while an upload is in progress.
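The three checks above (service status, network connectivity, spool backlog) can be run together. The script below is an added example and is not Red Canary's own tooling: it picks the service manager using the systemd/Upstart/init distinction described earlier, builds the matching status command, tests the upload endpoint with nc -z as shown above, and counts entries in /opt/redcanary/spool to flag a backlog. The service name, paths and the placeholder bucket hostname come from this page; the detection heuristics, the SPOOL_WARN threshold of 3 and the --run flag are assumptions.

```shell
#!/bin/sh
# Added example (not Red Canary's tooling): health check for the cfsvcd agent.

SERVICE="${SERVICE:-cfsvcd}"
SPOOL_DIR="${SPOOL_DIR:-/opt/redcanary/spool}"
# Placeholder hostname taken from the page; any S3 bucket name serves the test.
UPLOAD_HOST="${UPLOAD_HOST:-any_arbitrary_bucket.s3.amazonaws.com}"
SPOOL_WARN="${SPOOL_WARN:-3}"   # assumed: more entries than this suggests stuck uploads

# Decide which service manager is in use. Assumption: /run/systemd/system
# exists only when booted under systemd; an initctl binary means Upstart;
# anything else is treated as classic init with the service command.
detect_init_system() {
    if [ -d /run/systemd/system ]; then
        echo systemd
    elif command -v initctl >/dev/null 2>&1; then
        echo upstart
    else
        echo sysvinit
    fi
}

# Map (init system, action, service) to the command this page gives for it,
# e.g. service_cmd systemd status cfsvcd -> "systemctl status cfsvcd".
service_cmd() {
    case "$1" in
        systemd) echo "systemctl $2 $3" ;;
        upstart) echo "initctl $2 $3" ;;
        *)       echo "service $3 $2" ;;
    esac
}

# Count direct entries in the spool directory (0 if it does not exist yet,
# which is normal before the first upload attempt).
spool_entries() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}

# Classify a spool count against the warning threshold:
# ok (empty), transient (an upload in flight), backlog (uploads likely failing).
spool_state() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$1" -le "$2" ]; then
        echo transient
    else
        echo backlog
    fi
}

main() {
    init=$(detect_init_system)
    echo "init system: $init"

    status_cmd=$(service_cmd "$init" status "$SERVICE")
    echo "service check: $status_cmd"
    # systemd prints "Active: active (running)", Upstart "start/running",
    # init scripts usually "running"; warn if none of these appears.
    $status_cmd 2>&1 | grep -E 'active \(running\)|start/running|running' \
        || echo "WARN: $SERVICE not reported running"

    if command -v nc >/dev/null 2>&1; then
        if nc -z -w 5 "$UPLOAD_HOST" 443; then
            echo "network: ok ($UPLOAD_HOST:443 reachable)"
        else
            echo "WARN: cannot reach $UPLOAD_HOST:443"
        fi
    else
        echo "nc not installed; skipping connectivity check"
    fi

    n=$(spool_entries "$SPOOL_DIR")
    echo "spool entries: $n ($(spool_state "$n" "$SPOOL_WARN"))"
}

# Only run the live checks when invoked with --run, so the helper functions
# can be sourced and exercised on their own.
case "${1:-}" in
    --run) main ;;
esac
```

Run it as `sh agent-check.sh --run` on the endpoint; a persistent "backlog" spool state together with a failed connectivity check points at an egress problem rather than the agent itself.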

Manually stop the agent

To manually stop the agent, run:

sudo systemctl stop cfsvcd

If your distribution uses Upstart, run:

sudo initctl stop cfsvcd

If your distribution uses init, run:

sudo service cfsvcd stop

Note: If Sensor Auto-Upgrade is enabled, stop the cwp.service

Systemd example:

systemctl stop cwp.service

Manually start the agent

To manually start the agent, run:

sudo systemctl start cfsvcd

If your distribution uses Upstart, run:

sudo initctl start cfsvcd

If your distribution uses init, run:

sudo service cfsvcd start

Note: If Sensor Auto-Upgrade is enabled, start the cwp.service

Systemd example:

systemctl start cwp.service

Enable Safe Mode

To manually enable Safe Mode through the command line, run:

/opt/redcanary/cfctl safe --enable

Disable Safe Mode

To disable Safe Mode and return the agent to normal operation through the command line, run:

/opt/redcanary/cfctl safe --disable