
Enable the AgentMonitoringPack

Overview

The AgentMonitoringPack is a new pack that helps troubleshoot situations where the agent is not behaving as expected, such as slower-than-usual performance or missing events. It periodically collects the contents of several of osquery's own introspection tables (its schedule, flags, loaded packs, registered plugins, extensions and event publishers/subscribers), so that the state of the agent over time can be compared against the symptoms and the cause of the problem narrowed down.

The pack sends its data to the devo.ea.agent.<source> root data structure, where <source> is set per query through the __devoTag column (for example devo.ea.agent.schedule). All data tables under that root can be browsed in Devo.

Configuration

To enable the pack, create a new pack definition containing the queries below and register it with the EA Manager. Follow the steps below:

  1. Add a new file called agent_monitoring.yaml in the playbooks/roles/deam-packs/files/optional-devo-packs directory (relative to the path where Devo EA Manager was extracted) with the following content:

    ---
    apiVersion: v1
    kind: pack
    spec:
      name: DevoAgentMonitoringPack
      queries:
        - description: Information about the event publishers and subscribers.
          platform: all
          interval: 60
          name: devo_osquery_events
          query: devo_osquery_events
          snapshot: true
        - description: List of active osquery extensions.
          platform: all
          interval: 300
          name: devo_osquery_extensions
          query: devo_osquery_extensions
          snapshot: true
        - description: Configurable flags that modify osquery's behavior.
          platform: all
          interval: 900
          name: devo_osquery_flags
          query: devo_osquery_flags
          snapshot: true
        - description: Top level information about the running version of osquery.
          platform: all
          interval: 3600
          name: devo_osquery_info
          query: devo_osquery_info
          snapshot: true
        - description: Information about the current query packs that are loaded in osquery.
          platform: all
          interval: 900
          name: devo_osquery_packs
          query: devo_osquery_packs
          snapshot: true
        - description: List the osquery registry plugins.
          platform: all
          interval: 300
          name: devo_osquery_registry
          query: devo_osquery_registry
          snapshot: true
        - description: Information about the current queries that are scheduled in osquery.
          platform: all
          interval: 60
          name: devo_osquery_schedule
          query: devo_osquery_schedule
          snapshot: true
      targets:
        labels:
          - All Hosts
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_events
      description: Information about the event publishers and subscribers.
      query: SELECT *, "devo.ea.agent.events_pubsub" AS __devoTag FROM osquery_events;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_extensions
      description: List of active osquery extensions.
      query: SELECT *, "devo.ea.agent.extensions" AS __devoTag FROM osquery_extensions;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_flags
      description: Configurable flags that modify osquery's behavior.
      query: SELECT *, "devo.ea.agent.flags" AS __devoTag FROM osquery_flags;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_info
      description: Top level information about the running version of osquery.
      query: SELECT *, "devo.ea.agent.info" AS __devoTag FROM osquery_info;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_packs
      description: Information about the current query packs that are loaded in osquery.
      query: SELECT *, "devo.ea.agent.packs" AS __devoTag FROM osquery_packs;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_registry
      description: List the osquery registry plugins.
      query: SELECT *, "devo.ea.agent.registry" AS __devoTag FROM osquery_registry;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_schedule
      description: Information about the current queries that are scheduled in osquery.
      query: SELECT *, "devo.ea.agent.schedule" AS __devoTag FROM osquery_schedule;

  2. Save the changes and add the new pack to the deam_packs_enabled list of the inventory file you used for your deployment, as in the following snippet (the entry marked # New pack):

    all:
      vars:
        deam_fqdnname: devo-ea-manager
        deam_admin_passwd: <deam_admin_passwd>
        dea_ap_repo_passwd: <dea_ap_repo_passwd>
        deam_redis_address: localhost:6379
        deam_mysql_address: localhost:3306
        deam_relay_entrypoint: tcp://collector-us.devo.io:443
        deam_packs_enabled:
          - configuration.yaml
          - fetchfiles.yaml
          - agent_monitoring.yaml # New pack
      hosts:
        devo-ea-manager:
          # Set ansible_host to the public IP that Ansible and the devo-ea agents use to connect
          ansible_host: <EAM host IP>
          ansible_user: <Server user>
          # Only required if you connect with a password; prefer ansible-vault to a plaintext value here
          ansible_ssh_pass: <Super Secure Password>
          # Disables SSH host-key verification; only acceptable for a first run against a host you control
          ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
          # python3 required for Ubuntu 18 ansible-playbooks
          ansible_python_interpreter: /usr/bin/python3
      children:
        devoeamanagerserverone:
          hosts:
            devo-ea-manager:
        deamintsrvs:
          hosts:
            devo-ea-manager:
        deaagentpackager:
          hosts:
            devo-ea-manager:
        selfsigenedcertificates: # Alternative: providedcertificates
          hosts:
            devo-ea-manager:
        devoeaagents:
          hosts:

  3. Save the changes and run the deam-packs playbook to update your EAM with the new pack:

    ansible-playbook -i <inventory_file> playbooks/deam-packs


  4. Ensure the new pack appears in the EAM Packs tab.
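Before running the playbook it is worth checking the pack file for the mistakes that otherwise only show up later as an empty table in Devo: a scheduled query whose query: field names no kind: query document, a query document the pack never schedules, a __devoTag outside devo.ea.agent., a query that reads something other than osquery's introspection tables, or a snapshot flag that was left off. The script below is an added example and not part of the Devo EA Manager project. It reads the flat key/value layout of the pack and inventory files with a small line-based reader instead of a YAML library, so it needs only the standard library; the embedded SAMPLE_PACK and SAMPLE_INVENTORY are constructed, trimmed copies of the files shown in steps 1 and 2, and the set of accepted table names is simply the osquery_* tables this pack queries.

```python
# Consistency check for a Devo EA pack file (added example, not the project's own code).
import re
# osquery's self-introspection tables, the only tables the monitoring pack reads.
INTROSPECTION_TABLES = {"osquery_events", "osquery_extensions", "osquery_flags", "osquery_info",
                        "osquery_packs", "osquery_registry", "osquery_schedule"}
TAG_PREFIX = "devo.ea.agent."  # root data structure the pack must send to
_KV = re.compile(r"^\s*(-\s+)?([A-Za-z_]+):\s*(.*?)\s*$")  # 'key: value' or '- key: value'
_TAG = re.compile(r'"([^"]+)"\s+AS\s+__devoTag', re.IGNORECASE)
_FROM = re.compile(r"\bFROM\s+([A-Za-z_]+)", re.IGNORECASE)
# Constructed sample: a trimmed copy of the pack layout shown above (two of the seven queries).
SAMPLE_PACK = """\
---
apiVersion: v1
kind: pack
spec:
  name: DevoAgentMonitoringPack
  queries:
    - interval: 60
      name: devo_osquery_events
      query: devo_osquery_events
      snapshot: true
    - interval: 3600
      name: devo_osquery_info
      query: devo_osquery_info
      snapshot: true
  targets:
    labels:
      - All Hosts
---
apiVersion: v1
kind: query
spec:
  name: devo_osquery_events
  query: SELECT *, "devo.ea.agent.events_pubsub" AS __devoTag FROM osquery_events;
---
apiVersion: v1
kind: query
spec:
  name: devo_osquery_info
  query: SELECT *, "devo.ea.agent.info" AS __devoTag FROM osquery_info;
"""
# Constructed sample: the deam_packs_enabled part of the inventory edited in step 2.
SAMPLE_INVENTORY = """\
all:
  vars:
    deam_packs_enabled:
      - configuration.yaml
      - agent_monitoring.yaml # New pack
"""

def parse_documents(text):
    """Split on '---' lines and reduce each document to a flat dict plus its scheduled entries."""
    docs = []
    for chunk in re.split(r"^---[ \t]*$", text, flags=re.M):
        doc, entry = {"kind": None, "name": None, "query": None, "queries": []}, None
        for line in chunk.splitlines():
            m = _KV.match(line)
            if not m:
                continue  # blank, comment, or a bare list item such as '- All Hosts'
            dash, key, value = m.groups()
            if dash:  # '- key:' opens a new scheduled-query entry under queries:
                entry = {}
                doc["queries"].append(entry)
            if key in ("spec", "queries", "targets", "labels"):
                continue  # structural keys carry no value of their own
            (entry if entry is not None else doc)[key] = value
        docs.append(doc)
    return docs

def lint_pack(text):
    """Return a list of problems; an empty list means the pack is internally consistent."""
    docs = parse_documents(text)
    packs = [d for d in docs if d["kind"] == "pack"]
    queries = {d["name"]: d for d in docs if d["kind"] == "query"}
    if len(packs) != 1:
        return [f"expected one 'kind: pack' document, found {len(packs)}"]
    problems, used = [], set()
    for entry in packs[0]["queries"]:
        name, ref = entry.get("name", "<unnamed>"), entry.get("query")
        if ref not in queries:
            problems.append(f"{name}: schedules unknown query '{ref}'")
            continue
        used.add(ref)
        if entry.get("snapshot") != "true":
            problems.append(f"{name}: introspection tables are state, use snapshot: true")
        sql = queries[ref]["query"] or ""
        tag = _TAG.search(sql)
        if tag is None or not tag.group(1).startswith(TAG_PREFIX):
            problems.append(f"{ref}: __devoTag missing or not under {TAG_PREFIX}")
        problems += [f"{ref}: reads '{t}', not an osquery introspection table"
                     for t in _FROM.findall(sql) if t not in INTROSPECTION_TABLES]
    problems += [f"{n}: defined but never scheduled" for n in sorted(set(queries) - used)]
    return problems

def inventory_enables(inventory_text, pack_file):
    """True if pack_file is an item of the deam_packs_enabled list (YAML comments ignored)."""
    m = re.search(r"^([ \t]*)deam_packs_enabled:[ \t]*\n((?:\1[ \t]+-[^\n]*\n)+)", inventory_text, re.M)
    items = [re.sub(r"#.*", "", i).strip().lstrip("- ").strip() for i in m.group(2).splitlines()] if m else []
    return pack_file in items
```

To run it against the real files, call lint_pack(open("playbooks/roles/deam-packs/files/optional-devo-packs/agent_monitoring.yaml").read()) and inventory_enables(open(inventory_path).read(), "agent_monitoring.yaml") from a Python shell; an empty problem list and a True result mean the playbook in step 3 will pick the pack up. The reader deliberately understands only the layout these two files use (one key per line, dash-prefixed entries); for packs written with other YAML features, switch the parsing to a YAML library and keep the same checks.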