
Overview

The AgentMonitoringPack is a new pack that helps troubleshoot scenarios in which the agent is not behaving as expected, such as slower-than-usual performance or missing events. It periodically collects information from several internal osquery tables, so that the state of the agent can be followed over time and the cause of the problem narrowed down.

This pack sends its data to the devo.ea.agent.<source> root data structure; all the tables produced by the pack can be found under that root.

Configuration

To enable this pack, create a new pack that contains the queries listed below. Follow these steps:

  1. Add a new file called agent_monitoring.yaml in playbooks/roles/deam-packs/files/optional-devo-packs directory (relative to the path where Devo EA Manager was extracted) with the following content:

    ---
    apiVersion: v1
    kind: pack
    spec:
      name: DevoAgentMonitoringPack
      queries:
      - description: Information about the event publishers and subscribers.
        platform: all
        interval: 60
        name: devo_osquery_events
        query: devo_osquery_events
        snapshot: true
      - description: List of active osquery extensions.
        platform: all
        interval: 300
        name: devo_osquery_extensions
        query: devo_osquery_extensions
        snapshot: true
      - description: Configurable flags that modify osquery's behavior.
        platform: all
        interval: 900
        name: devo_osquery_flags
        query: devo_osquery_flags
        snapshot: true
      - description: Top level information about the running version of osquery.
        platform: all
        interval: 3600
        name: devo_osquery_info
        query: devo_osquery_info
        snapshot: true
      - description: Information about the current query packs that are loaded in osquery.
        platform: all
        interval: 900
        name: devo_osquery_packs
        query: devo_osquery_packs
        snapshot: true
      - description: List the osquery registry plugins.
        platform: all
        interval: 300
        name: devo_osquery_registry
        query: devo_osquery_registry
        snapshot: true
      - description: Information about the current queries that are scheduled in osquery.
        platform: all
        interval: 60
        name: devo_osquery_schedule
        query: devo_osquery_schedule
        snapshot: true
      targets:
        labels:
        - All Hosts
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_events
      description: Information about the event publishers and subscribers.
      query: SELECT *, "devo.ea.agent.events_pubsub" AS __devoTag FROM osquery_events;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_extensions
      description: List of active osquery extensions.
      query: SELECT *, "devo.ea.agent.extensions" AS __devoTag FROM osquery_extensions;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_flags
      description: Configurable flags that modify osquery's behavior.
      query: SELECT *, "devo.ea.agent.flags" AS __devoTag FROM osquery_flags;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_info
      description: Top level information about the running version of osquery.
      query: SELECT *, "devo.ea.agent.info" AS __devoTag FROM osquery_info;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_packs
      description: Information about the current query packs that are loaded in osquery.
      query: SELECT *, "devo.ea.agent.packs" AS __devoTag FROM osquery_packs;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_registry
      description: List the osquery registry plugins.
      query: SELECT *, "devo.ea.agent.registry" AS __devoTag FROM osquery_registry;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_schedule
      description: Information about the current queries that are scheduled in osquery.
      query: SELECT *, "devo.ea.agent.schedule" AS __devoTag FROM osquery_schedule;

  2. Save the changes and add the new pack to the inventory file you used for your deployment as in the following code snippet (line 12):

    all:
      vars:
        deam_fqdnname: devo-ea-manager
        deam_admin_passwd: <deam_admin_passwd>
        dea_ap_repo_passwd: <dea_ap_repo_passwd>
        deam_redis_address: localhost:6379
        deam_mysql_address: localhost:3306
        deam_relay_entrypoint: tcp://us.elb.relay.logtrust.net:443
        deam_packs_enabled:
          - configuration.yaml
          - fetchfiles.yaml
          - agent_monitoring.yaml     # New pack
      hosts:
        devo-ea-manager:
          # Set ansible_host to the public IP used by Ansible and the devo-ea agents to connect
          ansible_host: <EAM host IP>
          ansible_user: <Server user>
          ansible_ssh_pass: <Super Secure Password>
          # Only required if you connect with password
          ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
          # python3 required for Ubuntu 18 ansible-playbooks
          ansible_python_interpreter: /usr/bin/python3
      children:
        devoeamanagerserverone:
          hosts:
            devo-ea-manager:
        deamintsrvs:
          hosts:
            devo-ea-manager:
        deaagentpackager:
          hosts:
            devo-ea-manager:
        selfsigenedcertificates: # Alternative: providedcertificates
          hosts:
            devo-ea-manager:
        devoeaagents:
          hosts:


  3. Save the changes and run the deam-packs playbook to update your EAM with the new pack:

    ansible-playbook -i <inventory_file> playbooks/deam-packs


  4. Ensure the new pack appears in the EAM Packs tab.
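As an added consistency check for the pack file created in step 1 (this script is not part of Devo EA Manager and the sample file embedded in it is a constructed, trimmed copy of the documented structure), the following Python cross-checks a multi-document pack file before it is deployed: every query the pack schedules must have a matching kind: query document, each query must tag its rows under devo.ea.agent.*, and each scheduled query must be a snapshot. It extracts only the fields it needs with regular expressions, so it runs without PyYAML.

```python
import re

# Constructed sample (not the page's full file): two of the documented queries,
# with the apiVersion, description, platform and interval fields trimmed away.
SAMPLE = """\
---
kind: pack
spec:
  name: DevoAgentMonitoringPack
  queries:
  - name: devo_osquery_info
    query: devo_osquery_info
    snapshot: true
  - name: devo_osquery_schedule
    query: devo_osquery_schedule
    snapshot: true
---
kind: query
spec:
  name: devo_osquery_info
  query: SELECT *, "devo.ea.agent.info" AS __devoTag FROM osquery_info;
---
kind: query
spec:
  name: devo_osquery_schedule
  query: SELECT *, "devo.ea.agent.schedule" AS __devoTag FROM osquery_schedule;
"""

# A query is only routed to the pack's root data structure if its __devoTag is devo.ea.agent.<source>
TAG_RE = re.compile(r'"(devo\.ea\.agent\.\w+)"\s+AS\s+__devoTag', re.IGNORECASE)


def field(doc, key):
    """First 'key: value' line of one YAML document, or None if absent."""
    m = re.search(rf"^\s*{key}:\s*(.+?)\s*$", doc, re.MULTILINE)
    return m.group(1) if m else None


def check_pack(text):
    """Cross-check a multi-document pack file; returns a list of problems (empty means OK)."""
    defined, referenced, problems = {}, [], []
    for doc in re.split(r"^---\s*$", text, flags=re.MULTILINE):
        kind = field(doc, "kind")
        if kind == "query":
            defined[field(doc, "name")] = field(doc, "query") or ""
        elif kind == "pack":
            # names of the queries this pack schedules, and their snapshot flags
            referenced += re.findall(r"^\s+query:\s*(\S+)\s*$", doc, re.MULTILINE)
            snaps = re.findall(r"^\s+snapshot:\s*(\w+)", doc, re.MULTILINE)
            if len(snaps) != len(referenced) or any(s != "true" for s in snaps):
                problems.append("every scheduled query should set snapshot: true")
    for name in referenced:
        if name not in defined:
            problems.append(f"pack schedules undefined query {name}")
        elif not TAG_RE.search(defined[name]):
            problems.append(f"{name}: __devoTag is not under devo.ea.agent.*")
    return problems
```

Run check_pack on the contents of agent_monitoring.yaml; a scheduled query whose definition is missing or mis-tagged would otherwise produce no rows under devo.ea.agent without any error in the EAM.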
