Confirm Agent Configuration
1. From the Host Details page, confirm that the Agent has the syslog collection field set to Enabled.
Note that after enabling syslog collection, there may be a delay before the portal reflects the change. If it still does not show as enabled after 30 minutes, review the steps below.
- If it is not enabled, enable it by following the Configure Log Sources (Syslog (Local)) guide.
Confirm Agent is Listening
We want to confirm that the Huntress Agent is actually listening now that it's enabled. You can do this with netstat in a command prompt, or in PowerShell for easier-to-read output.
Netstat: You can use netstat to confirm on the endpoint. Open an elevated command prompt and run netstat -naob. The output lists each listening port together with the PID and executable that owns it.
PowerShell: PowerShell gives you more filtering options and lets you control the output. To do this, open an elevated PowerShell session and run:
(netstat -bano | Out-String) -replace '(?m)^ +(TCP|UDP)', '$1' -replace '\r?\n\s+([^\[])', "`t`$1" -replace '\r?\n\s+\[', "`t[" | findstr "Rio.exe"
If Rio.exe appears in the output with a listening socket, the Agent is listening.
2. Make sure that only the Huntress Agent is listening on port 514. If something else is listening on that port, the Agent won't be able to bind to it and won't receive any data. You can check this with the following query:
(netstat -bano | Out-String) -replace '(?m)^ +(TCP|UDP)', '$1' -replace '\r?\n\s+([^\[])', "`t`$1" -replace '\r?\n\s+\[', "`t[" | findstr ":514"
Confirm Data Flow
After the firewall has been configured, you can verify that the service has started receiving data. To confirm data is being sent from your firewall, open the correct Agent folder (C:\Program Files\Huntress\Rio\tmp) and look for a file with the prefix wbs_.
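The following script is an added example, not part of this article or of Huntress's own tooling. It combines the two checks above, who owns port 514 (the "Confirm Agent is Listening" section) and whether wbs_ files are being written to the Agent's tmp folder (the "Confirm Data Flow" section), using the NetTCPIP cmdlets instead of parsing netstat text. It assumes the Agent process is Rio.exe, the syslog port is 514, and the tmp folder path given above; all three are set as variables so they can be adjusted. Run it from an elevated PowerShell session.

```powershell
# Added example: verify port 514 ownership and syslog spool file activity.
# Assumptions (not from the article): process name 'Rio' (Rio.exe), port 514,
# and the tmp folder path C:\Program Files\Huntress\Rio\tmp.
$SyslogPort       = 514
$AgentProcessName = 'Rio'                                  # as Get-Process reports it, without .exe
$AgentTmpPath     = 'C:\Program Files\Huntress\Rio\tmp'

function Get-SyslogPortListeners {
    # Returns one object per socket bound to the syslog port, with the owning process name.
    param([int]$Port = $SyslogPort)
    $results = @()
    # Syslog is normally UDP, so check UDP endpoints first.
    Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{
            Protocol     = 'UDP'
            LocalAddress = $_.LocalAddress
            PID          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        }
    }
    # Some senders use TCP syslog; include TCP sockets in the Listen state too.
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{
            Protocol     = 'TCP'
            LocalAddress = $_.LocalAddress
            PID          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        }
    }
    return $results
}

function Get-RecentSyslogSpoolFiles {
    # Returns wbs_ files in the Agent tmp folder modified within the last $MinutesBack minutes.
    param([string]$Path = $AgentTmpPath, [int]$MinutesBack = 30)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $cutoff = (Get-Date).AddMinutes(-$MinutesBack)
    Get-ChildItem -LiteralPath $Path -Filter 'wbs_*' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        Sort-Object LastWriteTime -Descending
}

# --- Check 1: is anything listening on the syslog port, and is it only the Agent? ---
$listeners = Get-SyslogPortListeners
if (-not $listeners) {
    Write-Warning "Nothing is listening on port $SyslogPort. Syslog collection may not be enabled yet."
} else {
    $listeners | Format-Table -AutoSize
    $foreign = $listeners | Where-Object { $_.Process -ne $AgentProcessName }
    if ($foreign) {
        Write-Warning ("Port $SyslogPort is held by another process, so the Agent cannot bind: " +
                       (($foreign | ForEach-Object { "$($_.Process) (PID $($_.PID))" }) -join ', '))
    } else {
        Write-Host "Only $AgentProcessName.exe is bound to port $SyslogPort."
    }
}

# --- Check 2: are syslog spool files being written? ---
$spool = Get-RecentSyslogSpoolFiles
if (-not $spool) {
    Write-Warning "No wbs_ files modified in the last 30 minutes under $AgentTmpPath. Data may not be reaching the Agent."
} else {
    Write-Host "Recent syslog spool files:"
    $spool | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
}
```

If Check 1 reports a foreign process, resolving that conflict comes before anything else, since the Agent cannot receive data without the port. If Check 1 passes but Check 2 finds no recent files, move on to the Wireshark capture in the next section to confirm whether syslog traffic is arriving on the host at all.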
Additional Troubleshooting
If you think syslog is reaching the Huntress Agent but you don't see this file being created, you can use Wireshark to confirm that the data is arriving at your machine. To do that, install Wireshark, select the appropriate interface, begin capturing data, and then apply this display filter:
_ws.col.protocol == "Syslog"
Wireshark will then display only syslog messages, so you can verify the port and protocol being used.