サポートと今すぐチャット
サポートとのチャット

Foglight Agent Manager 7.3.0 - Foglight Agent Manager Guide

Configuring the embedded Agent Manager Installing external Agent Managers Configuring the Agent Manager Advanced system configuration and troubleshooting
Configuring Windows Management Instrumentation (WMI) Configuring Windows Remote Management (WinRM) UNIX- and Linux-specific configuration
Monitoring the Agent Manager performance Deploying the Agent Manager to large-scale environments

Agent Manager service can't start automatically when the operating system restarts

When the Agent Manager service is running in the following platforms, it might not be able to start automatically when the operating system restarts.

Operating system platform
Operating system version

CentOS Linux

8.0

8.1

8.2

Red Hat Linux

8.1

8.2

Oracle Linux

8.0

8.1

8.2

SLES Linux

15

15 SP1

15 SP2

To fix this issue, follow the instructions provided below:

Use the ausearch utility to check the Access Vector Cache (AVC) messages and see if SELinux denies any of the FglAM actions:

# ausearch -m AVC,USER_AVC -ts today
time->Wed Nov 4 11:18:11 2020 type=AVC msg=audit(1604459891.164:117): avc: denied { open } for pid=1311 comm="fglam" path="/root/ 5981fips/jre/1.8.0.265/jre/lib/jce.jar" dev="dm-0" ino=11429653 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1

The -m option specifies what kind of information ausearch returns. The -ts option specifies the time stamp. For example, -ts today returns messages from the whole day.
If any FglAM action has been denied, there are two options to fix the issue:
Disable SELinux service.
If you don’t want to disable SELinux, do the following:
a
Open the /etc/selinux/config file and change SELinux mode to permissive. Using permissive mode will force SELinux to accept all FglAM actions. SELinux will log all the denials regarding to FglAM actions that would have been denied in enforcing mode, by identifying them one at a time as the FglAM gets permissions granted individually.
b
Restart FglAM machine.
c
Ensure FglAM service starts automatically. Then try all of the functions that FglAM and agents would perform, such as deploying agent gars, creating agent instances, releasing lockbox to FglAM, and so on. Therefore, it will reveal all the FglAM actions that would have been denied by SELinux if running in enforcing mode.
d
Use the 'journalctl -t setroubleshoot --since= [time]' utility to view more information about the AVC message:
# journalctl -t setroubleshoot --since=11:18
– Logs begin at Tue 2020-11-03 10:37:14 CST, end at Wed 2020-11-04 11:19:27 CST. – Nov 04 11:18:30 centos82-s1 setroubleshoot[1416]: SELinux is preventing quest-fglam from execute access on the file fglam. For complete SELinux messages run: sealert -l 06149362-e530-4f52-a081-53751a98eab7 Replace [time] with the machine restart time.
e
Use the 'sealert -l [AVC message ID]' utility to further inspect the AVC message:
# sealert -l 06149362-e530-4f52-a081-53751a98eab7
SELinux is preventing quest-fglam from execute access on the file fglam.
***** Plugin catchall (100. confidence) suggests****
If you believe that quest-fglam should be allowed execute access on the fglam file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:
# ausearch -c 'quest-fglam' --raw | audit2allow -M my-questfglam
# semodule -X 300 -i my-questfglam.pp
[trimmed for clarity]
f
Perform actions according to suggestions provided in Step e.
g
Repeat Step e to Step f for all FglAM action denials AVC messages found in Step d.
h
Restore SELinux to enforcing mode and restart FglAM machine.
i
Check if there are still denials about FglAM actions. If yes, repeat Step a to Step i until no denials to FglAM actions are found.
If it is not caused by SELinux, perform below command to check if it works.
systemctl enable quest-fglam.service
If it doesn’t work, fix the issue according to the error. For example, it may report below error, which instructs to install the tool insserv first and then run above command again to fix this issue.
Executing: /usr/lib/systemd/systemd-sysv-install enable quest-fglam
/sbin/insserv: No such file or directory

SSH IPv6 connection support

Starting with the Foglight Agent Manager version 5.9.1, the SSH connection with unique local IPv6 Address and link-local IPv6 Address is supported on the Agent Manager running on Windows and Linux.

About supported remote monitoring protocols

The Agent Manager supports the SSH (secure shell) protocol for remote monitoring of hosts running Linux® and UNIX® operating systems. SSH is a protocol which encrypts all traffic between the client and the server, and supports a wide variety of secure authentication mechanisms. SSH is available for installation on all platforms supported for remote monitoring by Foglight.

The Agent Manager does not support the older Telnet protocol for remote monitoring. Telnet is an insecure protocol which does not encrypt traffic, and requires that the passwords used to authenticate collections are sent in the clear. For that reason, supporting Telnet as a remote monitoring protocol potentially exposes monitored systems to trivial network eavesdropping attacks, disclosing passwords to attackers.

While it is possible to create a closed network with strong security boundaries within which it is safe to run the Telnet protocol, this use case is not common, and it is impossible for the Agent Manager to determine if Telnet is safe to use before offering it as an option for connectivity. Further, the effort required on the part of the user to maintain such a secure environment is far less than that required to simply enable SSH connections on a host. For these reasons, the Agent Manager does not support Telnet as a remote monitoring protocol.

Configuring the Agent Manager to run as a daemon

As described in Installing the Agent Manager using the installer interface and Installing the Agent Manager from the command line , you can install an init.d-style script called quest-fglam in the init.d directory on your system. This script is called when the host on which the Agent Manager is installed starts or shuts down, allowing it to run as a daemon.

Even if you choose not to install the init.d script during the installation, or if you do not perform the installation as the root user, the installer generates scripts that can perform the necessary setup.

These scripts are fglam-init-script-installer.sh and fglam-init-script.sh, and they are located in the <fglam_home>/state/default/ directory.

The script fglam-init-script-installer.sh installs the script fglam-init-script.sh into your system’s init.d directory as quest-fglam. Your system’s init.d process then uses quest-fglam to run the Agent Manager as a daemon.

To install the init.d script:
1
Launch a command shell on the Agent Manager machine and navigate to the <fglam_home>/state/default/ directory.
2
Optional. If you want to make any edits to fglam-init-script.sh to customize it for your system, do so prior to running fglam-init-script-installer.sh.
 
* 
IMPORTANT: Any customizations that you make to the script fglam-init-script.sh are not supported by Quest Software Inc..
3
Switch to the root user.
4
From the command shell, run the script fglam-init-script-installer.sh with the install option:
./fglam-init-script-installer.sh install
 
* 
IMPORTANT: This script must be run as root.
The setup script fglam-init-script-installer.sh installs the init.d script quest-fglam. See Locating the init.d script for the location in which it is installed.
5
To start or stop the Agent Manager daemon manually, follow the instructions in To run the Agent Manager as a daemon on UNIX®: .

To remove the init.d script, follow the instructions in To remove the init.d script used to run the Agent Manager as a daemon on UNIX®: .

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択