
Operational guidelines v7.0.8

This document is intended to help Universal Agent users perform the most common operation, maintenance and troubleshooting actions with the product, beyond those that can be performed directly in the UAM UI. Check the DUAM manual for details on using the web UI.

UA Manager operations

Start/Stop UA Manager

To stop the service:

sudo systemctl stop devo-ua-manager

To start the service:

sudo systemctl start devo-ua-manager

To check the status of the service:

sudo systemctl status devo-ua-manager

Check UA Manager logs

To check the logs that the manager is writing to the disk, run:

sudo journalctl -u devo-ua-manager

To see the logs flowing in real-time:

sudo journalctl -fu devo-ua-manager

Change configurations

There are several types of configuration that can be changed in the Devo Universal Agent product. Each of them is applied in a different way.

Change UA Manager options

These options control how UA Manager itself behaves. They should not be changed unless you have the expertise and know exactly how your changes will affect the platform.

To make a change follow these steps:

  • Edit the file /etc/devo-ua-manager/devo-ua-manager.
  • Change/add the parameter you are looking to modify.
  • Restart the UA Manager service.

Change centralized options for UA client

These options control how the UA Client behaves. The configuration is centralized in the UA Manager and pulled by every endpoint periodically.

To make changes in the configuration file, follow the process below in Redeploy default options/packs.

Change shell only flags at packaging time

These are options that control how the UA Client behaves but are not centralized. They are read by the UA Client at boot time and therefore need to live in a file on the endpoint: osquery.flags in the UA Client installation folder.

The flags can be modified manually, client by client, for testing purposes. To change the flags in the packages that are available for download from the manager, follow the process below in Repackage UA Client.

Redeploy default options / packs

  • To make changes in the configurations, update the file $HOME/devo-ua-deployer/playbooks/roles/duam-packs/files/devo-packs/options.yaml.
  • To make changes in the default packs, so the changes persist in successive deployments, modify the corresponding file inside $HOME/devo-ua-deployer/playbooks/roles/duam-packs/files/devo-packs/.
  • Once modifications are done, re-deploy the duam-packs role playbook by running:

ansible-playbook -i inventories/<your_inventory>.yaml playbooks/duam-packs.yaml

Redeploying the duam-packs role deploys both the options and the packs. If you made changes to the default packs delivered with the Devo UA, the changes will be overwritten. Other packs will not be affected.

Repackage UA Client

  • Make your changes in the osquery.flags file in $HOME/devo-ua-deployer/playbooks/roles/dua-agent-packager/templates/<platformOS>.
  • Re-package the clients using: ansible-playbook -i inventories/<your_inventory>.yaml playbooks/dua-agent-packager.yaml.
  • Access https://<DUAM_IP>:8081/. The new agents should be available for download.

Add new log files to be parsed by the UA Client (Files Fetcher)

The Universal Agent can parse flat log files and upload them to Devo. Only a handful of files are configured by default, so to add new logs to the processing list, review the configuration options of the File Fetcher. Once your changes to the configuration file are ready, deploy them by following the redeploy procedure above.

Add new Windows Event Channels to be available to the UA Client

Windows event log capturing is supported in Devo Universal Agent. However, because of the large number of channels in which the Windows OS stores event logs, only some of them are configured by default, as a comma-separated list under the tag all->overrides->platform->windows->options in $HOME/devo-ua-deployer/playbooks/roles/duam-packs/files/devo-packs/options.yaml.

To add a new channel, append the full name of the event channel you want to capture to windows_event_channels.

To find the Full Name of an event log channel:

  • Open the Event Viewer.
  • Navigate to the channel that you want to capture.
  • Right-click on it and copy the Full Name field.
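A channel name that does not exist on the endpoint cannot be collected, so it is worth checking the list before redeploying options.yaml. The following PowerShell snippet is an added example, not part of the Devo documentation or product: it resolves each name in a windows_event_channels-style list with Get-WinEvent -ListLog (the same Full Name shown in Event Viewer) and also shows how to print exact Full Names matching a pattern. The function name and the sample channel list are constructed for this example.

```powershell
# Added example (not Devo's code): validate a comma-separated channel list of the
# kind used in windows_event_channels against the channels present on this endpoint.
function Test-UaEventChannels {
    param(
        # Comma-separated list, exactly as it would appear in options.yaml
        [Parameter(Mandatory)] [string] $ChannelList
    )
    $names = $ChannelList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($name in $names) {
        # -ListLog resolves the channel's Full Name; a missing channel yields $null
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if ($null -eq $log) {
            [pscustomobject]@{ Channel = $name; Exists = $false; Enabled = $null; Records = $null }
        } else {
            [pscustomobject]@{ Channel = $name; Exists = $true; Enabled = $log.IsEnabled; Records = $log.RecordCount }
        }
    }
}

# Constructed sample value (the last entry is deliberately misspelled to show the failure case);
# replace it with the list from your options.yaml.
$sample = 'Security,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-PowerShell/Operational,Micrsoft-Windows-Typo/Operational'
Test-UaEventChannels -ChannelList $sample | Format-Table -AutoSize

# Print the exact Full Names of channels matching a pattern, ready to paste into the list
(Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell*' | Select-Object -ExpandProperty LogName) -join ','
```

Run it on a representative endpoint of each Windows version you deploy to, since optional channels (for example those created by Sysmon) only exist where the corresponding component is installed.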

UA Client operations

Start/Stop UA Client

Windows

Stop the service:

Stop-Service -Force -Name "osqueryd"

Start the service:

Start-Service -Name "osqueryd"

Linux

Stop the service:

sudo systemctl stop osqueryd

Start the service:

sudo systemctl start osqueryd

macOS

Stop the service:

sudo osqueryctl stop

Start the service:

sudo osqueryctl start