Configuring the embedded Agent Manager
Installing external Agent Managers
Understanding how the Agent Manager communicates with the Management Server
Deploying the Agent Manager cartridge
Downloading the Agent Manager installer
Installing the Agent Manager
Configuring the Agent Manager
Installing the Agent Manager using the installer interface
Installing the Agent Manager from the command line
Using the Agent Manager silent installer
Installing the Agent Manager as a Windows service
Starting or stopping the Agent Manager process
Frequently asked questions
How do I upgrade the Agent Manager?
How do I uninstall the Agent Manager?
Where can I find the Agent Manager installation log files?
Why does the message "Created system preferences directory in java.home" appear after I finish installing the Agent Manager on AIX?
Are the passwords that are stored in the configuration file, fglam.config.xml, encrypted?
How can I see what parameters are available for the silent installers?
Why are two URLs displayed for localhost when I search for HA peers?
I tested the connection between the Agent Manager and a Management Server, but the Management Server URL failed the connectivity test. Why did this happen?
When I try to install the Agent Manager using the installer interface on Solaris x86 VMware, it fails and a warning message related to fonts appears. Why does this occur?
Why does an AIX compatibility warning appear when I run the Agent Manager installer?
Operating system patches
Launching the Agent Manager installation interface
Configuring the Agent Manager to run in FIPS-compliant mode
Configuring the Agent Manager from the command line
Configuring the Agent Manager to use SSL certificates
Configuring an Agent Manager instance as a Concentrator
Advanced system configuration and troubleshooting
Configuring the concentrator
Configuring downstream Instances
Creating a secure connection with downstream instances
Excluding SSL ciphers from upstream or downstream Connections
Excluding Specific SSL Protocols from Downstream Connections
Configuring the Agent Manager to accept connections from the Management Server
Configuring the Agent Manager to execute commands on remote hosts
Configuring multiple Agent Manager instances
Controlling the polling rate
Configuring the Agent Manager to work in HA mode
Assigning Agent Managers to HA partitions
Adding cartridges to the HA deployment whitelist
About agent fail-over
About non-HA deployments
Negotiating Agent Manager resources at runtime
Configuring credentials
Configuring anti-virus exclusion settings
Troubleshooting
Configuring Windows Management Instrumentation (WMI)
Monitoring the Agent Manager performance
WMI IPv6 connection support
Windows Firewall interference
Minimum requirements for Windows Management Instrumentation
Configuring Windows Remote Management (WinRM)
Promoting remote users to administrators on local machines through the Domain Controller
Granting required permissions to individual remote users
WMI access violation and OS connectivity verification failure
WMI and Quota Violation error
Known WMI issues in Windows Server 2008
Tuning WMI connections
Modifying registry key ownership on Windows Server 2008 R2
Configuring registry settings for Windows Server 2008 R2 and Windows 7
Resolving Access Denied errors when connecting to Windows XP Professional
OS collection fails with a Local_Limit_Exceeded error
Access to DCOM objects and registry is denied
Configuring registry settings for WinShell access through DCOM
Permissions on registry keys to configure DCOM command shell connection
Enabling agents to connect from UNIX machines
Enabling agents to connect locally on Windows
Releasing a locked MySQL process
WinRM IPv6 connection support
About WinRM authentication and the Agent Manager
Configuring the target (monitored) system
Configuring the Agent Manager (monitoring) system
Generating a configuration file required for WinRM Negotiate authentication
Configuring command-shell connection settings
About WinRM connection ports
Troubleshooting
UNIX- and Linux-specific configuration
SSH IPv6 connection support
About supported remote monitoring protocols
Configuring the Agent Manager to run as a daemon
Configuring Agent Manager agent privileges
Using sudo to configure secure launcher permissions
Using setuid_launcher to configure secure launcher permissions
Using the HP patch checking tool
About Agent Manager installations on AIX
Preventing Agent Manager core dumps on Linux
Investigating Agent Manager diagnostics
Deploying the Agent Manager to large-scale environments
Using Agent Manager silent installer Parameters
Example: Deploying the Agent Manager to multiple UNIX hosts
Example: Deploying the Agent Manager to multiple Windows hosts
Next steps
Configuring Agent Manager agent privileges
On UNIX® systems, certain Foglight® agents require elevated privileges in order to gather the required system metrics. This is achieved by having the Agent Manager launch these agents with root privileges.
To give these agents the required access, the Agent Manager is configured to launch these agents using an external application like sudo, setuid_launcher, or any other tool that allows privilege escalation (without a password) and supports the same command‑line semantics as sudo.
|
NOTE: The tool setuid_launcher is included with the Agent Manager, in the <fglam_home>/bin/setuid_launcher directory. |
Instructions for using sudo and setuid_launcher to give these agents the necessary privileges are provided below.
|
NOTE: Certain agents that require root privileges to gather a more complete set of system metrics are able to function without these privileges. See the Managing Operating Systems User Guide for more information.
The agent does not collect as much data as when it is run with root privileges. |
Using sudo to configure secure launcher permissions
Using sudo to configure secure launcher permissions
This section contains instructions for using sudo to give agents elevated permissions.
|
1 |
|
2 |
|
3 |
Set the path to point to the sudo executable. This executable is typically located in /usr/bin/sudo (the default path provided by the Agent Manager installer). |
|
4 |
|
5 |
Edit the sudoers file for your system to allow <fglam_home>/client/<fglam_version>/bin/fog4_launcher to be run as root by a specific user, without requiring a password, and only for the agents that require root privileges. |
For example, to allow the user foglight to execute fog4_launcher for two specific agents without being prompted for a password:
|
6 |
Ensure that the requiretty option is disabled in the sudoers file. For example, to disable this option for the foglight user, add the following entry to the file: |
|
7 |
If the agent uses an ICMP ping service, edit the sudoers file for your system to allow <fglam_home>/client/*/bin/udp2icmp to be run as root by a specific user, without requiring a password. |
For detailed examples of how to edit the sudoers file to restrict the granted permissions to a specific set of agents, see the Foglight for Infrastructure User and Reference Guide.
|
TIP: For sudo configuration, it is a best practice to use a wildcard for the version-specific Agent Manager and cartridge directories, as shown in the example above. Using a wildcard in a path is described in the Sudoers Manual located at:
http://www.gratisoft.us/sudo/man/sudoers.html#wildcards Using a wildcard for the version-specific directories allows you to avoid updating each sudoers file that references these directories when you upgrade the Agent Manager or the agents. |
If these permissions are no longer needed, remove the lines that you added to run fog4_launcher or udp2icmp with root permissions.
|
1 |
Navigate to <fglam_home>/state/default/config. |
|
2 |
Open the fglam.config.xml file for editing. |
|
3 |
Edit the <config:path> element under <config:secure-launcher> to point to the sudo executable. This executable is typically located in /usr/bin/sudo (the default path provided by the Agent Manager installer). |
|
4 |
Edit the sudoers file for your system to allow <fglam_home>/client/<fglam_version>/bin/fog4_launcher to run as root by a specific user, without requiring a password, and only for the agents that require root privileges. |
For example, to allow the user foglight to execute fog4_launcher for two specific agents without being prompted for a password:
|
5 |
If the agent uses an ICMP ping service, edit the sudoers file for your system to allow <fglam_home>/client/*/bin/udp2icmp to be run as root by a specific user, without requiring a password. |
See the Managing Operating Systems User Guide for detailed examples of how to edit the sudoers file to restrict the granted permissions to a specific set of agents.
|
TIP: For sudo configuration, it is a best practice to use a wildcard for the version-specific Agent Manager and cartridge directories, as shown in the example above. Using a wildcard in a path is described in the Sudoers Manual located at:
http://www.gratisoft.us/sudo/man/sudoers.html#wildcards Using a wildcard for the version-specific directories allows you to avoid updating each sudoers file that references these directories when you upgrade the Agent Manager or the agents. |
Using setuid_launcher to configure secure launcher permissions
Using setuid_launcher to configure secure launcher permissions
This section contains instructions for using setuid_launcher to give agents elevated permissions.
|
1 |
|
3 |
Set the path to point to the setuid_launcher executable. This executable is located in <fglam_home>/bin/setuid_launcher. |
|
4 |
|
5 |
|
6 |
Change the owner of <fglam_home>/bin/setuid_launcher to root. This permits the agents that need root privileges to be run as the root user without requiring a password. |
If these permissions are no longer needed, issue the following command:
chmod u-s <fglam_home>/bin/setuid_launcher
|
1 |
Navigate to <fglam_home>/state/default/config. |
|
2 |
Open the fglam.config.xml file for editing. |
|
3 |
Edit the <config:path> element under <config:secure-launcher> to point to your local setuid_launcher executable. This executable is located in <fglam_home>/bin/setuid_launcher. |
|
4 |
|
5 |
Change the owner of <fglam_home>/bin/setuid_launcher to root. This permits the agents that need root privileges to be run as the root user without requiring a password. |
Using the HP patch checking tool
If your database is installed on an HP-UX server, HP® provides a tool for ensuring that all the patches required to run JavaTM on HP-UX are installed.