Issue: The filebeat logging agent is not installed.

| | Description | Command | Extra information |
|---|---|---|---|
| Windows | Configurations are stored in the winlogbeat and filebeat directories within C:\.armor\opt\ | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml<br>cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml | Windows uses both winlogbeat and filebeat. Commands should be run in PowerShell. To review additional configurations, certificates, and service information, review the server's C:\.armor\opt\ directory. |
| Windows | Verify that the logging services are running; look for winlogbeat and filebeat | gsv -displayname armor-winlogbeat,armor-filebeat | |
| Windows | Verify that the logging service processes are running; look for winlogbeat and filebeat | gps filebeat,winlogbeat | |
| Windows | Confirm the configured log endpoint | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml \| sls hosts | |
| Linux | Configurations are stored within /etc/filebeat/filebeat.yml | cat /etc/filebeat/*.yml | |
| Linux | Verify that the filebeat service is running | ps aux \| grep filebeat | |
| Linux | Confirm the configured log endpoint | grep -i hosts /etc/filebeat/filebeat.yml | |
| Linux | Confirm the external_id | grep -i external_id /etc/filebeat/filebeat.yml | |
| Linux | Confirm the tenant ID | grep -i tenant_id /etc/filebeat/filebeat.yml | |
Issue: The winlogbeat logging agent is not installed.

Step 1: Verify the status of filebeat

Note: This section only applies to Windows users.

| Description | Command | Extra information |
|---|---|---|
| Configurations are stored in the winlogbeat and filebeat directories within C:\.armor\opt\ | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml<br>cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml | Windows uses both winlogbeat and filebeat. Commands should be run in PowerShell. To review additional configurations, certificates, and service information, review the server's C:\.armor\opt\ directory. |
| Verify that the logging services are running; look for winlogbeat and filebeat | gsv -displayname armor-winlogbeat,armor-filebeat | |
| Verify that the logging service processes are running; look for winlogbeat and filebeat | gps filebeat,winlogbeat | |
| Confirm the configured log endpoint | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml \| sls hosts | |
Issue: Armor has not received a log in the past 4 hours.

Step 1: Check Logging Services

| | Description | Command | Extra information |
|---|---|---|---|
| Windows | Configurations are stored in the winlogbeat and filebeat directories within C:\.armor\opt\ | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml<br>cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml | Windows uses both winlogbeat and filebeat. Commands should be run in PowerShell. To review additional configurations, certificates, and service information, review the server's C:\.armor\opt\ directory. |
| Windows | Verify that the logging services are running; look for winlogbeat and filebeat | gsv -displayname armor-winlogbeat,armor-filebeat | |
| Windows | Verify that the logging service processes are running; look for winlogbeat and filebeat | gps filebeat,winlogbeat | |
| Windows | Confirm the configured log endpoint | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml \| sls hosts | |
| Linux | Configurations are stored within /etc/filebeat/filebeat.yml | cat /etc/filebeat/*.yml | |
| Linux | Verify that the filebeat service is running | ps aux \| grep filebeat | |
| Linux | Confirm the configured log endpoint | grep -i hosts /etc/filebeat/filebeat.yml | |
| Linux | Confirm the external_id | grep -i external_id /etc/filebeat/filebeat.yml | |
| Linux | Confirm the tenant ID | grep -i tenant_id /etc/filebeat/filebeat.yml | |

Step 2: Check Connectivity

| Port | Destination |
|---|---|
| 515/tcp | 46.88.106.196, 146.88.144.196 |
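The Linux filebeat checks in the logging tables above (config present, hosts, external_id, tenant_id) as one POSIX shell script; this is an added example, not part of Armor's documentation, and the sample configs with their placeholder values are constructed here.

```shell
#!/bin/sh
# Added example, not from the Armor documentation: check the filebeat settings this
# page greps for by hand, and report which ones are missing or empty.

# Print the value of the first "key: value" line in a YAML-style file, with quotes,
# brackets and surrounding whitespace stripped; prints nothing when the key is absent.
yaml_value() {
    key="$1"; cfg="$2"
    sed -n "s/^[[:space:]]*${key}:[[:space:]]*//p" "$cfg" | head -n 1 \
        | sed 's/[]["]//g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Check a filebeat config for the three settings the page verifies: the log
# endpoint (hosts), external_id and tenant_id. Prints "ok" or "missing: <keys>"
# and always returns 0, so it is safe to call under "set -e".
check_filebeat_config() {
    cfg="$1"; missing=""
    if [ ! -r "$cfg" ]; then
        echo "missing: config file $cfg (is filebeat installed?)"
        return 0
    fi
    for key in hosts external_id tenant_id; do
        [ -n "$(yaml_value "$key" "$cfg")" ] || missing="$missing $key"
    done
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# Constructed sample configs with placeholder values (not Armor's endpoint or IDs).
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
output.logstash:
  hosts: ["log-endpoint.example:515"]
fields:
  external_id: "EXAMPLE-EXTERNAL-ID"
  tenant_id: "EXAMPLE-TENANT-ID"
EOF
cat > "$BAD_CFG" <<'EOF'
output.logstash:
  hosts: []
fields:
  external_id: "EXAMPLE-EXTERNAL-ID"
EOF

check_filebeat_config "$GOOD_CFG"                 # ok
check_filebeat_config "$BAD_CFG"                  # missing: hosts tenant_id
check_filebeat_config /etc/filebeat/filebeat.yml  # the live check on an Armor-managed Linux host
```

An empty `hosts: []` is reported as missing, which a plain `grep -i hosts` would not catch.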
Malware Protection

Issue: Malware Protection has not provided a heartbeat in the past 4 hours

Step 1: Verify the status of the agent

| | Description | Command |
|---|---|---|
| Windows | Verify that the service is running | gsv -displayname *trend* |
| Linux | Verify that the service is running | ps aux \| grep ds_agent |

Step 2: Check the connectivity of the agent

| | Description | Command |
|---|---|---|
| Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url |
| Windows | Confirm connection to the URL | new-object System.Net.Sockets.TcpClient('146.88.106.210', 443) |
| Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl |
| Linux | Confirm connection to the URL | telnet 146.88.106.210 443 |

Step 3: Manually heartbeat the agent

| | Description | Command |
|---|---|---|
| Windows | Verify a 200 response | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m |
| Linux | Verify a 200 response | /opt/ds_agent/dsa_control -m |

Expected output on Windows:

```
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
```
Issue: Malware Protection is not installed or configured

Step 1: Verify the status of the agent

| | Description | Command |
|---|---|---|
| Linux | Verify that the service is running | ps aux \| grep ds_agent |
| Windows | Verify that the service is running | gsv -displayname *trend* |

Step 2: Check the connectivity of the agent

| | Description | Command |
|---|---|---|
| Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url |
| Windows | Confirm connection to the URL | new-object System.Net.Sockets.TcpClient('146.88.106.210', 443) |
| Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl |
| Linux | Confirm connection to the URL | telnet 146.88.106.210 443 |

Step 3: Manually heartbeat the agent

| | Description | Command |
|---|---|---|
| Windows | Verify a 200 response | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m |
| Linux | Verify a 200 response | /opt/ds_agent/dsa_control -m |

Expected output on Windows:

```
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
```

Step 4: Check the components for the agent

| | Command |
|---|---|
| Windows | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo \| sls -pattern Component.AM |
| Linux | /opt/ds_agent/dsa_query -c GetComponentInfo \| grep Component.AM |

Note: Component.AM.mode describes whether the Malware Protection module is installed. Component.AM.rules is the number of rules derived from the Armor Deep Security Manager.
Issue: Reboot is required for Malware Protection

Step 1: Reboot your server
File Integrity Monitoring (FIM)

Issue: FIM is installed but has not been configured

Step 1: Verify the status of the agent

| | Description | Command |
|---|---|---|
| Windows | Verify that the service is running | gsv -displayname *trend* |
| Linux | Verify that the service is running | ps aux \| grep ds_agent |

Step 2: Check the connectivity of the agent

| | Description | Command |
|---|---|---|
| Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url |
| Windows | Confirm connection to the URL | new-object System.Net.Sockets.TcpClient('146.88.106.210', 443) |
| Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl |
| Linux | Confirm connection to the URL | telnet 146.88.106.210 443 |

Step 3: Manually heartbeat the agent

| | Description | Command |
|---|---|---|
| Windows | Verify a 200 response | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m |
| Linux | Verify a 200 response | /opt/ds_agent/dsa_control -m |

Expected output on Windows:

```
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
```

Step 4: Check the components for the agent

| | Command |
|---|---|
| Windows | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo \| sls -pattern Component.IM |
| Linux | /opt/ds_agent/dsa_query -c GetComponentInfo \| grep Component.IM |

Note: Component.IM.mode describes whether the FIM module is installed. Component.IM.rules is the number of rules derived from the Armor Deep Security Manager.
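The Step 4 component checks for Malware Protection (Component.AM) and FIM (Component.IM), as an added shell example that is not Armor's or Trend Micro's code: it applies the rule from the notes to decide whether a module is not installed, installed but not configured, or OK. The "key: value" line format and the sample values are assumptions, not captured agent output.

```shell
#!/bin/sh
# Added example, not Armor's or Trend Micro's code: classify a Deep Security module
# from "dsa_query -c GetComponentInfo" output using the rule in this page's notes
# (Component.<X>.mode says whether the module is installed, Component.<X>.rules
# how many rules the Armor Deep Security Manager has pushed).
# Assumption: the output is "key: value" lines such as "Component.AM.mode: on";
# check that against your own agent's output before relying on this.

# Constructed sample output (placeholder values, not captured from a real agent).
SAMPLE_COMPONENT_INFO='Component.AM.mode: on
Component.AM.rules: 12
Component.IM.mode: on
Component.IM.rules: 0
Component.DPI.mode: off
'

# Print the value for Component.<comp>.<field> from the given text, or nothing.
component_field() {
    printf '%s\n' "$3" | sed -n "s/^Component\.$1\.$2:[[:space:]]*//p" | head -n 1
}

# Usage: module_state <AM|IM|...> <component-info-text>
# Prints one of: not-installed, installed-not-configured, ok
module_state() {
    mode=$(component_field "$1" mode "$2")
    rules=$(component_field "$1" rules "$2")
    case "$mode" in
        on|On|ON) ;;                          # module is installed
        *) echo not-installed; return 0 ;;    # "off", blank, or no such line at all
    esac
    case "$rules" in
        ''|0) echo installed-not-configured ;;  # installed, but no rules from the Manager yet
        *) echo ok ;;
    esac
}

# AM is Malware Protection and IM is FIM, matching the issue titles on this page.
for comp in AM IM; do
    printf '%s: %s\n' "$comp" "$(module_state "$comp" "$SAMPLE_COMPONENT_INFO")"
done
# On a Linux host with the agent installed, run the same check on live output:
#   module_state IM "$(/opt/ds_agent/dsa_query -c GetComponentInfo)"
```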
Issue: FIM is not installed

Step 1: Verify the status of the agent

| | Description | Command |
|---|---|---|
| Windows | Verify that the service is running | gsv -displayname *trend* |
| Linux | Verify that the service is running | ps aux \| grep ds_agent |

Step 2: Check the connectivity of the agent

| | Description | Command |
|---|---|---|
| Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url |
| Windows | Confirm connection to the URL | new-object System.Net.Sockets.TcpClient('146.88.106.210', 443) |
| Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl |
| Linux | Confirm connection to the URL | telnet 146.88.106.210 443 |

Step 3: Manually heartbeat the agent

| | Description | Command |
|---|---|---|
| Windows | Verify a 200 response | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m |
| Linux | Verify a 200 response | /opt/ds_agent/dsa_control -m |

Expected output on Windows:

```
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
```
Export Protection Screen Data
1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
2. Click Protection.
3. (Optional) Use the search bar to customize the data displayed.
4. Below the table, click CSV. You can export all the data (All) or only the data that appears on the current screen (Current Set).
| Column | Description |
|---|---|
| Asset Name | This column displays the name of the virtual machine (or instance). |
| Location | This column displays the data center location for the virtual machine (or instance). |
| Service | For Armor's private cloud, the Protection score focuses on the following services: Malware Protection, FIM, Filebeat (for Linux), and Winlogbeat (for Windows). For Armor Anywhere, the Protection score focuses on the following services: Malware Protection, FIM, IDS, Filebeat (for Linux), Winlogbeat (for Windows), and Vulnerability Scanning. |
| Status | This column displays the security status of the virtual machine (or instance), which can be Warning, Needs Attention, or OK. |
| Message | This column displays a brief message explaining the reason for a Warning or Needs Attention status. |