The Devo Endpoint Agent works with "packs": defined sets of queries that are executed periodically on the targeted endpoints registered in the Devo Endpoint Agent Manager. While you can create your own queries in the Endpoint Agent Manager interface, the following table outlines the preconfigured packs delivered with the default package, whose results are parsed properly in Devo:
Pack name | Query | Type | Description
---|---|---|---
DevoConfigurationPack | configuration_disk_info | Snapshot | Physical disks of the system
DevoConfigurationPack | configuration_windows_software | Snapshot | List of installed software (Windows)
DevoConfigurationPack | configuration_windows_software_choco | Snapshot | Software installed via Chocolatey (Windows)
DevoConfigurationPack | existing_users* | Incremental | User list (incremental)
DevoConfigurationPack | existing_users_snapshot* | Snapshot | User list (snapshot)
DevoConfigurationPack | existing_groups* | Incremental | Group list (incremental)
DevoConfigurationPack | existing_groups_snapshot* | Snapshot | Group list (snapshot)
DevoConfigurationPack | existing_users_groups* | Incremental | Correspondence between users and groups (incremental)
DevoConfigurationPack | existing_users_groups_snapshot* | Snapshot | Correspondence between users and groups (snapshot)
DevoConfigurationPack | system_info | Snapshot | Computer identification and hardware information
DevoConfigurationPack | configuration_network | Snapshot | Network interfaces and configuration of the system
DevoConfigurationPack | operating_system | Snapshot | Operating system information
DevoEventsPack | all_windows_events | Incremental | Windows events (Application, Security, System, Setup), tagged by type
DevoEventsPack | powershell_win_operational_events | Incremental | PowerShell (Windows) operational events, tagged
DevoEventsPack | other_sources_win_events | Incremental | Other Windows events, tagged as "other_sources". These events show up in box.devo_ea.events_windows
DevoEventsPack | all_linux_syslog_events | Incremental | Events gathered from syslog on Linux-based systems
DevoStatusPack | logged_in_users | Incremental | Users logged in to the system (incremental)
DevoStatusPack | logged_in_users_snapshot | Snapshot | Users logged in to the system (snapshot)
DevoStatusPack | running_process_snapshot | Snapshot | Running process list (snapshot)
DevoStatusPack | running_process | Incremental | Running processes (incremental)
DevoStatusPack | running_process_metrics | Incremental (no removals) | Details about running processes
DevoStatusPack | listening_ports | Snapshot | Listening network ports on the system
DevoStatusPack | process_open_sockets | Snapshot | Sockets opened by processes
DevoPerformancePack | devo_systat_cpu | Snapshot | CPU and memory load information
DevoPerformancePack | devo_systat_iodisk | Snapshot | Disk read/write load
DevoPerformancePack | devo_systat_network | Snapshot | Network traffic sent/received
DevoPerformancePack | devo_systat_usagedisk | Snapshot | Disk capacity used and free
DevoFetchFilesPack | files_content | Snapshot | Last file contents read by fetchfiles
DevoFetchFilesPack | ffext_files_info | Snapshot | Files and folders to be processed by fetchfiles
DevoFetchFilesPack | ffext_files_config | Snapshot | Fetchfiles configuration
...
Info |
---|
macOS users: Since macOS 10.15, macOS systems have a new event system (the Unified Logging System) that deprecates the existing Apple System Log (ASL). The data in ASL can still be queried, but because it is unreliable it is not consumed by default. The Endpoint Agent does not yet support consuming data from the Unified Logging System API; support is planned for future versions. Queries not related to the Unified Logging System work normally. |
(*) Queries against the users and groups tables have been observed to have a significant impact on resource usage when the Endpoint Agent is deployed on Windows Domain Controllers with a large number of users and/or groups. If that is your case, deploy the Endpoint Agent carefully and disable these queries if the agent does not behave properly.
...