Armor Service | Issue | Remediation

Logging | The filebeat logging agent is not installed.

Step 1: Verify the status of filebeat

Windows

Configurations are stored in the winlogbeat and filebeat directories within C:\.armor\opt\
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml
  • Windows uses both winlogbeat and filebeat.
  • Commands should run in PowerShell.
  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeat:
gsv -displayname winlogbeat,filebeat

To verify the operation of the logging service processes, look for winlogbeat:
gps filebeat,winlogbeat

Confirm the configured log endpoint:
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts

Linux

Configurations are stored within /etc/filebeat/filebeat.yml:
cat /etc/filebeat/*.yml

Verify the operation of the filebeat service:
ps aux | grep filebeat

Confirm the configured log endpoint:
grep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_id:
grep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant ID:
grep -i tenant_id /etc/filebeat/filebeat.yml

Step 2: Send a support ticket

Logging

The winlogbeat logging agent is not installed.

Note

This section only applies to Windows users.

Step 1: Verify the status of winlogbeat

Configurations are stored in the winlogbeat and filebeat directories within C:\.armor\opt\
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml
  • Windows uses both winlogbeat and filebeat.
  • Commands should run in PowerShell.
  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeat:
gsv -displayname winlogbeat,filebeat

To verify the operation of the logging service processes, look for winlogbeat:
gps filebeat,winlogbeat

Confirm the configured log endpoint:
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts

Step 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

Logging | Armor has not received a log in the past 4 hours.

Step 1: Check logging services

Windows

Configurations are stored in the winlogbeat and filebeat directories within C:\.armor\opt\
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml
  • Windows uses both winlogbeat and filebeat.
  • Commands should run in PowerShell.
  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeat:
gsv -displayname winlogbeat,filebeat

To verify the operation of the logging service processes, look for winlogbeat:
gps filebeat,winlogbeat

Confirm the configured log endpoint:
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts

Linux

Configurations are stored within /etc/filebeat/filebeat.yml:
cat /etc/filebeat/*.yml

Verify the operation of the filebeat service:
ps aux | grep filebeat

Confirm the configured log endpoint:
grep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_id:
grep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant ID:
grep -i tenant_id /etc/filebeat/filebeat.yml

Step 2: Check connectivity

Port: 515/tcp
Destination:
  • 46.88.106.196 (1a.log.armor.com)
  • 146.88.144.196 (2a.log.armor.com)

...

Armor Service | Issue | Remediation
Malware Protection

Malware Protection has not provided a heartbeat in the past 4 hours.

Step 1: Verify the status of the agent

Windows

Verify that the service is running:
gsv -displayname *trend*

Linux

Verify that the service is running:
ps axu | grep ds_agent

Step 2: Check the connectivity of the agent

Windows

Verify the URL endpoint epsec.armor.com:
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL:
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com:
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL:
telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows

Verify a 200 response:
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response:
/opt/ds_agent/dsa_control -m

Step 4: Send a support ticket

Malware Protection

Malware Protection is not installed or configured.

Step 1: Verify the status of the agent

Windows

Verify that the service is running:
gsv -displayname *trend*

Linux

Verify that the service is running:
ps axu | grep ds_agent

Step 2: Check the connectivity of the agent

Windows

Verify the URL endpoint epsec.armor.com:
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL:
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com:
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL:
telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows

Verify a 200 response:
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response:
/opt/ds_agent/dsa_control -m

Step 4: Check the components for the agent

Windows

& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.AM

Linux

/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.AM

Note

Component.AM.mode describes if the Malware Protection module is installed.

Component.AM.rules is the number of rules derived from the Armor Deep Security Manager.

Step 5: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

Malware Protection

Reboot is required for Malware Protection.

Step 1: Reboot your server

Step 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

...

Verify the URL endpoint epsec.armor.com

Armor Service | Issue | Remediation

Vulnerability Scanning | If IR Agent is not installed

Step 1: Verify the status of the agent

Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*

Step 2: Check connectivity of the agent

Port: 443/tcp (IR Agent)

Note

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

Step 3: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

Vulnerability Scanning | The Vulnerability Scanning agent did not run during the most recent scan.

Step 1: Verify the status of the agent

Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*

Step 2: Check connectivity of the agent

Port: 443/tcp (IR Agent)
Destination:
  • endpoint.ingress.rapid7.com * (United States)
  • eu.endpoint.ingress.rapid7.com * (Europe, Middle East, Africa)

Note

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

Step 3: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

Armor Service | Issue | Remediation
Malware Protection

Malware Protection has not provided a heartbeat in the past 4 hours.

Step 1: Verify the status of the agent

Windows

Verify that the service is running:
gsv -displayname *trend*

Linux

Verify that the service is running:
ps axu | grep ds_agent

Step 2: Check the connectivity of the agent

Windows

Verify the URL endpoint epsec.armor.com:
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL:
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com:
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL:
telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows

Verify a 200 response:
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response:
/opt/ds_agent/dsa_control -m

Step 4: Send a support ticket

Malware Protection

Malware Protection is not installed or configured.

Step 1: Verify the status of the agent

Windows

Verify that the service is running:
gsv -displayname *trend*

Linux

Verify that the service is running:
ps axu | grep ds_agent

Step 2: Check the connectivity of the agent

Windows

Verify the URL endpoint epsec.armor.com:
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL:
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com:
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL:
telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows

Verify a 200 response:
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response:
/opt/ds_agent/dsa_control -m

Step 4: Check components for the agent

Windows

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls AM.mode, IM.mode, IM.rules, DPI.mode, dpirules
Component.AM.mode: on
Component.FWDPI.dpiRules: 180
Component.FWDPI.mode: on-tap
Component.IM.mode: real-time
Component.IM.rules: 40

Linux

Step 5: Send a support ticket

Malware Protection

Reboot is required for Malware Protection.

Step 1: Reboot your server

Step 2: Open a support ticket

File Integrity Monitoring (FIM) | FIM has not provided a heartbeat in the past 4 hours.

Step 1: Verify the status of the agent

Windows

Verify that the service is running:
gsv -displayname *trend*

Linux

Verify that the service is running:
ps axu | grep ds_agent

Step 2: Check the connectivity of the agent

Windows

Verify the URL endpoint epsec.armor.com:
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL:
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com:
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL:
telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows

Verify a 200 response:
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response:
/opt/ds_agent/dsa_control -m

Step 4: Send a support ticket

File Integrity Monitoring (FIM) | FIM is installed but has not been configured.

Step 1: Verify the status of the agent

Windows

Verify that the service is running:
gsv -displayname *trend*

Linux

Verify that the service is running:
ps axu | grep ds_agent

Step 2: Check the connectivity of the agent

Windows

Verify the URL endpoint epsec.armor.com:
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL:
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com:
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL:
telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows

Verify a 200 response:
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response:
/opt/ds_agent/dsa_control -m

Step 4: Check the components for Trend agent

Windows

& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.IM

Linux

/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.IM

Note

Component.IM.mode describes if the FIM module is installed.

Component.IM.rules is the number of rules derived from the Armor Deep Security Manager.
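
Added example (not from the original page and not Armor's or Trend Micro's code): a shell helper that reads a saved GetComponentInfo dump and classifies the AM, IM and FWDPI modules from the mode and rules keys described in the component-check notes on this page. The function names and status words are hypothetical, treating "off" and "not-capable" as disabled values is an assumption, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: interpret the output of
#   /opt/ds_agent/dsa_query -c GetComponentInfo
# for the module keys this page checks (Component.AM, Component.IM, Component.FWDPI).

# Print the value of "Component.<key>" read from stdin; exit 1 if the key is absent.
# Keys are matched exactly, so Debug lines that merely contain ": " are ignored.
component_value() {
    awk -v key="Component.$1" -F': ' '
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }   # tolerate CRLF and indented output
        $1 == key { print $2; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# Classify one module (AM, IM or FWDPI) from a saved GetComponentInfo dump.
# Prints one of: ok, no-rules, off, missing. Returns 0 only for "ok".
module_status() {
    module=$1
    file=$2
    case $module in
        AM|IM) rules_key=$module.rules ;;
        FWDPI) rules_key=FWDPI.dpiRules ;;
        *)     echo "unknown-module"; return 2 ;;
    esac
    # No mode line at all: the agent does not report this module.
    mode=$(component_value "$module.mode" < "$file") || { echo "missing"; return 1; }
    # Assumption: "off" and "not-capable" mark a disabled or absent module.
    case $mode in
        off|not-capable) echo "off"; return 1 ;;
    esac
    # Module is on; it still needs rules pushed from the manager to do anything.
    rules=$(component_value "$rules_key" < "$file") || rules=0
    if [ "$rules" -gt 0 ] 2>/dev/null; then
        echo "ok"
    else
        echo "no-rules"; return 1
    fi
}

# Constructed sample: the Debug line (abridged) and the IM/FWDPI values follow the
# output shown on this page; "Component.AM.rules: 0" is invented to show a failure.
sample_output() {
    cat <<'EOF'
2016-11-18 01:15:47.000000: [Debug/6] | Starting thread 'CScriptThread' with stack size of 1048576
Component.AM.mode: on
Component.AM.rules: 0
Component.FWDPI.dpiRules: 145
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap
Component.IM.mode: real-time
Component.IM.rules: 40
EOF
}

# Stand-alone run on the sample; on a real host, save the dsa_query output to a file instead.
dump=$(mktemp)
sample_output > "$dump"
for m in AM IM FWDPI; do
    printf '%s: %s\n' "$m" "$(module_status "$m" "$dump")"
done
rm -f "$dump"
```

A module that reports a mode but zero rules has the component present without policy from the manager, which is the case the "installed but has not been configured" issues describe.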

Step 5: Send a support ticket

File Integrity Monitoring (FIM) | FIM is not installed.

Step 1: Verify the status of the agent

Windows

Verify that the service is running:
gsv -displayname *trend*

Linux

Verify that the service is running:
ps axu | grep ds_agent

Step 2: Check the connectivity of the agent

Windows

Verify the URL endpoint epsec.armor.com:
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL:
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com:
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL:
telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows

Verify a 200 response:
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response:
/opt/ds_agent/dsa_control -m

Step 4: Send a support ticket

IDS | IDS has not provided a heartbeat in the past 4 hours.

Step 1: Verify the status of the agent

Windows

Verify that the service is running:
gsv -displayname *trend*

Linux

Verify that the service is running:
ps axu | grep ds_agent

Step 1: Verify the status of the Trend agent

Windows

& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls FWDPI

Component.FWDPI.dpiRules: 164
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap

Linux

[root@ip-172-31-43-60 ~]# /opt/ds_agent/dsa_query -c GetComponentInfo | grep FWDPI
2016-11-18 01:15:47.000000: [Debug/6] | Starting thread 'CScriptThread' with stack size of 1048576 | /build/workspace/Sustain/9.6SP1HF/Build_DSA_96SP1HF_Amazon64/src/dsa/core/threadMgr/Runnable.cpp:587:start | FA6:7F7767397880:*unknown*
Component.FWDPI.dpiRules: 145
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap

Step 2: Check the connectivity of the agent

Windows

Verify the URL endpoint epsec.armor.com:
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL:
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com:
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL:
telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows

Verify a 200 response:
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response:
/opt/ds_agent/dsa_control -m

Step 4: Send a support ticket

IDS | IDS is installed but has not been configured.

Step 1: Verify the status of the agent

Windows

Verify that the service is running:
gsv -displayname *trend*

Linux

Verify that the service is running:
ps axu | grep ds_agent

Step 1: Verify the status of the Trend agent

Windows

& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls FWDPI

Component.FWDPI.dpiRules: 164
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap

Linux

[root@ip-172-31-43-60 ~]# /opt/ds_agent/dsa_query -c GetComponentInfo | grep FWDPI
2016-11-18 01:15:47.000000: [Debug/6] | Starting thread 'CScriptThread' with stack size of 1048576 | /build/workspace/Sustain/9.6SP1HF/Build_DSA_96SP1HF_Amazon64/src/dsa/core/threadMgr/Runnable.cpp:587:start | FA6:7F7767397880:*unknown*
Component.FWDPI.dpiRules: 145
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap

Step 2: Check the connectivity of the agent

Windows

Verify the URL endpoint epsec.armor.com:
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL:
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com:
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL:
telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows

Verify a 200 response:
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response:
/opt/ds_agent/dsa_control -m

Step 4: Send a support ticket

IDS | IDS is not installed or enabled.

Step 1: Verify the status of the agent

Windows

Verify that the service is running:
gsv -displayname *trend*

Linux

Verify that the service is running:
ps axu | grep ds_agent

Step 1: Verify the status of the Trend agent

Windows

& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls FWDPI

Component.FWDPI.dpiRules: 164
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap

Linux

[root@ip-172-31-43-60 ~]# /opt/ds_agent/dsa_query -c GetComponentInfo | grep FWDPI
2016-11-18 01:15:47.000000: [Debug/6] | Starting thread 'CScriptThread' with stack size of 1048576 | /build/workspace/Sustain/9.6SP1HF/Build_DSA_96SP1HF_Amazon64/src/dsa/core/threadMgr/Runnable.cpp:587:start | FA6:7F7767397880:*unknown*
Component.FWDPI.dpiRules: 145
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap

Step 2: Check the connectivity of the agent

Windows

Verify the URL endpoint epsec.armor.com:
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL:
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com:
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL:
telnet 146.88.106.210 443

Step 3: Manually heartbeat the Trend agent

Windows

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

/opt/ds_agent/dsa_control -m

Step 4: Send a support ticket

Logging | The filebeat logging agent is not installed.

Step 1: Verify the status of filebeat

For Windows (run the commands in PowerShell):

Note

Windows uses both winlogbeat and filebeat.

Configurations are stored within C:\.armor\opt\ and then in the winlogbeat or filebeat directory:
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

Verify the operation of the logging services:
gsv -displayname winlogbeat,filebeat

Verify the operation of the logging service processes:
gps filebeat,winlogbeat

Confirm the configured log endpoint:
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts

Note

To review additional configurations, certificates, and service information, review a server's directory:

  • C:\.armor\opt\winlogbeat*
  • C:\.armor\opt\filebeat*

For Linux:

Configurations are stored within /etc/filebeat/filebeat.yml:
cat /etc/filebeat/*.yml

Verify operation of the filebeat service:
ps aux | grep filebeat

Confirm the configured log endpoint:
grep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_id:
grep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant ID:
grep -i tenant_id /etc/filebeat/filebeat.yml

Step 2: Send a support ticket

Logging | The winlogbeat logging agent is not installed.

Step 1: Verify the status of winlogbeat

Note

Windows uses both winlogbeat and filebeat.

Run the following commands in PowerShell.

Configurations are stored within C:\.armor\opt\ and then in the winlogbeat or filebeat directory:
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

Verify the operation of the logging services:
gsv -displayname winlogbeat,filebeat

Verify the operation of the logging service processes:
gps filebeat,winlogbeat

Confirm the configured log endpoint:
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts

Note

To review additional configurations, certificates, and service information, review a server's directory:

  • C:\.armor\opt\winlogbeat*
  • C:\.armor\opt\filebeat*

Step 2: Send a support ticket

Logging | Armor has not received a log in the past 4 hours.

Step 1: Check logging services

Step 2: Check connectivity

Port: 515/tcp
Destination:
  • 46.88.106.196 (1a.log.armor.com)
  • 146.88.144.196 (2a.log.armor.com)

Vulnerability Scanning | If IR Agent is not installed

Step 1: Verify the status of the agent

Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*

Step 2: Check connectivity of the agent

Port: 443/tcp (IR Agent)
Destination:
  • endpoint.ingress.rapid7.com * (United States)
  • eu.endpoint.ingress.rapid7.com * (Europe, Middle East, Africa)

Note

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

Step 3: Send a support ticket

Vulnerability Scanning | The Vulnerability Scanning agent did not run during the most recent scan.

Step 1: Verify the status of the agent

Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*

Step 2: Check connectivity of the agent

Port: 443/tcp (IR Agent)
Destination:
  • endpoint.ingress.rapid7.com * (United States)
  • eu.endpoint.ingress.rapid7.com * (Europe, Middle East, Africa)

Note

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

Step 3: Send a support ticket

...

Remediation Step 1:

Verify the status of the Trend agent

...

If latest Trend heartbeat is > 4 hours old

Make sure the Trend agent is on

For Windows (run the commands in PowerShell):

Verify operation of the Trend Micro service in Windows:
gsv -displayname *trend*

Verify operation of the Trend Micro processes in Windows:
get-process "dsa", "notifier"

Confirm the URL endpoint defined by the DSA:
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Note

There is also a coreServiceShell.exe process that represents the Trend Micro UI for a connected user session.

Note

If you do not see an entry with *.epsec.armor.com, then the Trend Micro agent did not install and register properly.

For Linux:

Verify operation of the Trend ds_agent service in Linux:
ps axu | grep ds_agent

Confirm the URL endpoint defined by the DSA:
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Note

If you do not see an entry with *.epsec.armor.com, then the Trend Micro agent did not install and register properly.

...

Check connectivity

Trend Micro Anti-Malware services utilize the following endpoints:

Trend Micro ports utilize the following:

  • 4119/tcp, Trend Console, API
  • 4120/tcp, Trend DSM Heartbeat
  • 4122/tcp, Trend Relay

Manually heartbeat the Trend agent

For Windows:

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

For Linux:

/opt/ds_agent/dsa_control -m

Open a support ticket

...

If Anti-Malware is "On, matching module plug-in not found"

Make sure the Trend agent is on

For Windows (run the commands in PowerShell):

Verify operation of the Trend Micro service in Windows:
gsv -displayname *trend*

Verify operation of the Trend Micro processes in Windows:
get-process "dsa", "notifier"

Confirm the URL endpoint defined by the DSA:
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Note

There is also a coreServiceShell.exe process that represents the Trend Micro UI for a connected user session.

Note

If you do not see an entry with *.epsec.armor.com, then the Trend Micro agent did not install and register properly.

For Linux:

Verify operation of the Trend ds_agent service in Linux:
ps axu | grep ds_agent

Confirm the URL endpoint defined by the DSA:
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Note

If you do not see an entry with *.epsec.armor.com, then the Trend Micro agent did not install and register properly.

...

Check connectivity

Trend Micro Anti-Malware services utilize the following endpoints:

Trend Micro ports utilize the following:

  • 4119/tcp, Trend Console, API
  • 4120/tcp, Trend DSM Heartbeat
  • 4122/tcp, Trend Relay

Manually heartbeat the Trend agent

For Windows:

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

For Linux:

/opt/ds_agent/dsa_control -m

Open a support ticket

...

If Anti-Malware is not "On"

...

If Anti-Malware status is "Computer reboot required"

...

FIM

...

Make sure the Trend agent is on

For Windows:

Verify operation of the Trend Micro service in Windows:
gsv -displayname *trend*

Verify operation of the Trend Micro processes in Windows:
get-process "dsa", "notifier"

Confirm the URL endpoint defined by the DSA:
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

For Linux:

Verify operation of the Trend ds_agent service in Linux:
ps axu | grep ds_agent

Confirm the URL endpoint defined by the DSA:
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Note

If you do not see an entry with *.epsec.armor.com, then the Trend Micro agent did not install and register properly.

Check connectivity

Trend Micro FIM services utilize the following endpoints:

Trend Micro ports utilize the following:

  • 4119/tcp, Trend Console, API
  • 4120/tcp, Trend DSM Heartbeat
  • 4122/tcp, Trend Relay

Manually heartbeat the Trend agent

For Windows:

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

For Linux:

/opt/ds_agent/dsa_control -m

Open a support ticket

...