Agent and Sensor Overview
- 03 Jul 2024
- 2 Minutes to read
- PDF
Agent and Sensor Overview
- Updated on 03 Jul 2024
- 2 Minutes to read
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
Agent installation and deployment
The running piece of software that collects our Linux EDR telemetry on endpoints is known as an agent, or sensor.
1. From the navigation menu, click Endpoints, and then click Deploy Sensors.
For a complete guide and system requirements, see Deploy an EDR sensor agent.
Agent commands
Run the following command from the installation directory.
cfsvcd -h
Expected output and command options.
Red Canary, Inc. USAGE: cfsvcd [FLAGS] [OPTIONS] FLAGS: -h, --help Prints help information -V, --version Prints version information -v, --verbose Enable verbose logging OPTIONS: -o, --offload-target Set the offload target [default: AWS] [possible values: AWS, Disk]
Agent debugging
Note: The command you use may need to be adjusted depending on the distribution on which Red Canary Linux EDR is installed.
Systemd distributions use systemctl for services management.
Other distributions may use init and the service command.
Upstart uses initctl.
While service commands function in systemd distributions, init distributions cannot interpret systemctl commands.
When following these steps, please first verify which command is applicable to your distribution.
Confirm the agent is running
Run:
systemctl status cfsvcd Expected output:
“Active:” ... “active (running)” Check that the log entries (the lines beginning with timestamps) don’t indicate any error conditions. If there are no error conditions, you should still see systemd entries indicating that the service started, and cfsvcd entries indicating that it located the config.json file. and is continuing execution.
If your distribution uses Upstart, run:
initctl status cfsvcdIf your distribution uses init, run:
service cfsvcd statusNote: If Sensor Auto-Upgrade is enabled, check cwp.service.
Systemd example:
systemctl status cwp.serviceConfirm the agent has network connectivity
Run:
nc -z any_arbitrary_bucket.s3.amazonaws.com 443Install nc command if necessary. If no output is printed as a result of the command, network connectivity is available.
Confirm the agent has initialized
Run:
file /opt/redcanary/spoolThe directory shown above is created upon the first upload attempt. It is emptied when an upload succeeds, so there may be no contents. If it does contain several entries, there may be a problem uploading telemetry. Note that during normal operation, one or two entries might briefly appear.
Manually stop the agent
To manually stop the agent, run:
sudo systemctl stop cfsvcdIf your distribution uses Upstart, run:
sudo initctl stop cfsvcdIf your distribution uses init, run:
sudo service cfsvcd stopNote: If Sensor Auto-Upgrade is enabled, stop the cwp.service.
Systemd example:
systemctl stop cwp.serviceManually start the agent
To manually start the agent, run:
sudo systemctl start cfsvcdIf your distribution uses Upstart, run:
sudo initctl start cfsvcdIf your distribution uses init, run:
sudo service cfsvcd startNote: If Sensor Auto-Upgrade is enabled, start the cwp.service.
Systemd example:
systemctl start cwp.serviceEnable Safe Mode
To manually enable Safe Mode through the command line, run:
/opt/redcanary/cfctl safe --enableDisable Safe Mode
To disable Safe Mode and return the agent to normal operation through the command line, run:
/opt/redcanary/cfctl safe --disable
Was this article helpful?
