Topics Discussed

...

Armor Service: Logging
Issue: The filebeat logging agent is not installed.
Remediation:


Step 1: Verify the status of filebeat

Windows

  Description: Configurations are stored in the winlogbeat and filebeat directories within C:\.armor\opt\
  Command:
      cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
      cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml
  Extra information:
      • Windows uses both winlogbeat and filebeat.
      • Commands should run in PowerShell.
      • To review additional configurations, certificates, and service information, review the server's directories:
          • C:\.armor\opt\winlogbeat*
          • C:\.armor\opt\filebeat*

  Description: Verify the operation of the logging services; look for winlogbeat and filebeat.
  Command:     gsv -displayname winlogbeat,filebeat

  Description: Verify the operation of the logging service processes; look for winlogbeat.
  Command:     gps filebeat,winlogbeat

  Description: Confirm the configured log endpoint.
  Command:     cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts

Linux

  Description: Configurations are stored within /etc/filebeat/filebeat.yml
  Command:     cat /etc/filebeat/*.yml

  Description: Verify the operation of the filebeat service.
  Command:     ps aux | grep filebeat

  Description: Confirm the configured log endpoint.
  Command:     grep -i hosts /etc/filebeat/filebeat.yml

  Description: Confirm the external_id.
  Command:     grep -i external_id /etc/filebeat/filebeat.yml

  Description: Confirm the tenant ID.
  Command:     grep -i tenant_id /etc/filebeat/filebeat.yml



Step 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

Armor Service: Logging
Issue: The winlogbeat logging agent is not installed.
Remediation:

Note: This section only applies to Windows users.


Step 1: Verify the status of winlogbeat

Windows

  Description: Configurations are stored in the winlogbeat and filebeat directories within C:\.armor\opt\
  Command:
      cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
      cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml
  Extra information:
      • Windows uses both winlogbeat and filebeat.
      • Commands should run in PowerShell.
      • To review additional configurations, certificates, and service information, review the server's directories:
          • C:\.armor\opt\winlogbeat*
          • C:\.armor\opt\filebeat*

  Description: Verify the operation of the logging services; look for winlogbeat and filebeat.
  Command:     gsv -displayname winlogbeat,filebeat

  Description: Verify the operation of the logging service processes; look for winlogbeat.
  Command:     gps filebeat,winlogbeat

  Description: Confirm the configured log endpoint.
  Command:     cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts



Step 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Armor Service: Logging
Issue: Armor has not received a log in the past 4 hours.
Remediation:


Step 1: Check logging services

Windows

  Description: Configurations are stored in the winlogbeat and filebeat directories within C:\.armor\opt\
  Command:
      cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
      cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml
  Extra information:
      • Windows uses both winlogbeat and filebeat.
      • Commands should run in PowerShell.
      • To review additional configurations, certificates, and service information, review the server's directories:
          • C:\.armor\opt\winlogbeat*
          • C:\.armor\opt\filebeat*

  Description: Verify the operation of the logging services; look for winlogbeat and filebeat.
  Command:     gsv -displayname winlogbeat,filebeat

  Description: Verify the operation of the logging service processes; look for winlogbeat.
  Command:     gps filebeat,winlogbeat

  Description: Confirm the configured log endpoint.
  Command:     cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts

Linux

  Description: Configurations are stored within /etc/filebeat/filebeat.yml
  Command:     cat /etc/filebeat/*.yml

  Description: Verify the operation of the filebeat service.
  Command:     ps aux | grep filebeat

  Description: Confirm the configured log endpoint.
  Command:     grep -i hosts /etc/filebeat/filebeat.yml

  Description: Confirm the external_id.
  Command:     grep -i external_id /etc/filebeat/filebeat.yml

  Description: Confirm the tenant ID.
  Command:     grep -i tenant_id /etc/filebeat/filebeat.yml



Step 2: Check connectivity

  Port      Destination
  515/tcp
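As an added example that is not part of the Armor KB page, the Linux Step 1 checks (hosts, external_id, tenant_id) and the Step 2 port expectation (515/tcp) combined into one POSIX shell function that reports exactly what is missing. The filebeat.yml it reads is a constructed sample written to a temp file, the hostname logs.example.invalid is a placeholder, and the function names are this example's own; on a real server point it at /etc/filebeat/filebeat.yml.

```shell
#!/bin/sh
# Added example, not from the Armor KB page. Consolidates the runbook's
# "grep -i hosts|external_id|tenant_id /etc/filebeat/filebeat.yml" checks and
# the expected 515/tcp log endpoint port into a single pass/fail report.
# The config below is a constructed sample, not a real Armor configuration.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample filebeat.yml (placeholder values)
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/*.log
fields:
  external_id: "example-external-id"
  tenant_id: "0000"
output.logstash:
  hosts: ["logs.example.invalid:515"]
EOF

# yaml_value <file> <key>: value of the first "key: value" line at any indent,
# case-insensitive like the runbook's grep -i, with quotes/brackets stripped.
yaml_value() {
  grep -i "^[[:space:]]*$2:" "$1" | head -n 1 |
    sed -e 's/^[^:]*:[[:space:]]*//' -e 's/^[]["]*//' -e 's/[]["]*$//'
}

# check_filebeat_config <file>: returns 0 when hosts, external_id and tenant_id
# are all set and the endpoint port is 515 (the Step 2 port); otherwise prints
# one line per problem and returns 1.
check_filebeat_config() {
  cfg="$1"; rc=0
  for key in hosts external_id tenant_id; do
    val="$(yaml_value "$cfg" "$key")"
    if [ -z "$val" ]; then echo "MISSING $key"; rc=1; else echo "OK $key = $val"; fi
  done
  port="$(yaml_value "$cfg" hosts | sed 's/.*://')"
  if [ "$port" != "515" ]; then
    echo "UNEXPECTED port '$port' (runbook expects 515/tcp)"; rc=1
  fi
  return $rc
}

# filebeat_running: same intent as 'ps aux | grep filebeat', without matching
# the grep process itself.
filebeat_running() { ps aux | grep '[f]ilebeat' >/dev/null; }

check_filebeat_config "$SAMPLE_CFG"
```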



...

Armor Service: Malware Protection
Issue: Malware Protection has not provided a heartbeat in the past 4 hours.
Remediation:


Step 1: Verify the status of the agent

Windows
  Description: Verify that the service is running.
  Command:     gsv -displayname *trend*

Linux
  Description: Verify that the service is running.
  Command:     ps -axu | grep ds_agent



Step 2: Check the connectivity of the agent

Windows
  Description: Verify the URL endpoint epsec.armor.com.
  Command:     & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

  Description: Confirm connection to the URL.
  Command:     new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux
  Description: Verify the URL endpoint epsec.armor.com.
  Command:     /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

  Description: Confirm connection to the URL.
  Command:     telnet 146.88.106.210 443



Step 3: Manually heartbeat the agent

Windows
  Description: Verify a 200 response.
  Command and expected output:
      PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
      HTTP Status: 200 - OK
      Response:
      Manager contact has been scheduled to occur in the next few seconds.

Linux
  Description: Verify a 200 response.
  Command:     /opt/ds_agent/dsa_control -m




Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

Armor Service: Malware Protection
Issue: Malware Protection is not installed or configured.
Remediation:


Step 1: Verify the status of the agent

Windows
  Description: Verify that the service is running.
  Command:     gsv -displayname *trend*

Linux
  Description: Verify that the service is running.
  Command:     ps -axu | grep ds_agent



Step 2: Check the connectivity of the agent

Windows
  Description: Verify the URL endpoint epsec.armor.com.
  Command:     & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

  Description: Confirm connection to the URL.
  Command:     new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux
  Description: Verify the URL endpoint epsec.armor.com.
  Command:     /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

  Description: Confirm connection to the URL.
  Command:     telnet 146.88.106.210 443



Step 3: Manually heartbeat the agent

Windows
  Description: Verify a 200 response.
  Command and expected output:
      PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
      HTTP Status: 200 - OK
      Response:
      Manager contact has been scheduled to occur in the next few seconds.

Linux
  Description: Verify a 200 response.
  Command:     /opt/ds_agent/dsa_control -m



Step 4: Check the components for the agent

Windows
  Command:     & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.AM

Linux
  Command:     /opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.AM

Note: Component.AM.mode describes whether the Malware Protection module is installed. Component.AM.rules is the number of rules derived from the Armor Deep Security Manager.



Step 5: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Armor Service: Malware Protection
Issue: Reboot is required for Malware Protection.
Remediation:


Step 1: Reboot your server


Step 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


...

Armor Service: IDS
Issue: IDS has not provided a heartbeat in the past 4 hours.
Remediation:

Step 1: Verify the status of the agent

Windows
  Description: Verify that the service is running.
  Command:     gsv -displayname *trend*

Linux
  Description: Verify that the service is running.
  Command:     ps -axu | grep ds_agent

Step 2: Check the connectivity of the agent

Windows
  Description: Verify the URL endpoint epsec.armor.com.
  Command:     & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

  Description: Confirm connection to the URL.
  Command:     new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux
  Description: Verify the URL endpoint epsec.armor.com.
  Command:     /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

  Description: Confirm connection to the URL.
  Command:     telnet 146.88.106.210 443


Step 3: Manually heartbeat the agent

Windows
  Description: Verify a 200 response.
  Command and expected output:
      PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
      HTTP Status: 200 - OK
      Response:
      Manager contact has been scheduled to occur in the next few seconds.

Linux
  Description: Verify a 200 response.
  Command:     /opt/ds_agent/dsa_control -m



Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Armor Service: IDS
Issue: IDS is installed but has not been configured.
Remediation:

Step 1: Verify the status of the agent

Windows
  Description: Verify that the service is running.
  Command:     gsv -displayname *trend*

Linux
  Description: Verify that the service is running.
  Command:     ps -axu | grep ds_agent

Step 2: Check the connectivity of the agent

Windows
  Description: Verify the URL endpoint epsec.armor.com.
  Command:     & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

  Description: Confirm connection to the URL.
  Command:     new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux
  Description: Verify the URL endpoint epsec.armor.com.
  Command:     /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

  Description: Confirm connection to the URL.
  Command:     telnet 146.88.106.210 443


Step 3: Manually heartbeat the agent

Windows
  Description: Verify a 200 response.
  Command and expected output:
      PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
      HTTP Status: 200 - OK
      Response:
      Manager contact has been scheduled to occur in the next few seconds.

Linux
  Description: Verify a 200 response.
  Command:     /opt/ds_agent/dsa_control -m



Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

Armor Service: IDS
Issue: IDS is not installed or enabled.
Remediation:


Step 1: Verify the status of the agent

Windows
  Description: Verify that the service is running.
  Command:     gsv -displayname *trend*

Linux
  Description: Verify that the service is running.
  Command:     ps -axu | grep ds_agent



Step 2: Check the connectivity of the agent

Windows
  Description: Verify the URL endpoint epsec.armor.com.
  Command:     & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

  Description: Confirm connection to the URL.
  Command:     new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux
  Description: Verify the URL endpoint epsec.armor.com.
  Command:     /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

  Description: Confirm connection to the URL.
  Command:     telnet 146.88.106.210 443


Step 3: Manually heartbeat the agent

Windows
  Command and expected output:
      PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
      HTTP Status: 200 - OK
      Response:
      Manager contact has been scheduled to occur in the next few seconds.

Linux
  Command:     /opt/ds_agent/dsa_control -m



Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Vulnerability Scanning

...

To remediate Vulnerability Scanning issues, please refer to this documentation.