Arctic Wolf Agent Troubleshooting

Updated Feb 22, 2024

Troubleshoot Arctic Wolf Agent

This information provides solutions for common Arctic Wolf® Agent issues.

Arctic Wolf is not receiving Agent data

Possible cause: Agent cannot reach Arctic Wolf over port 1514. When that path is blocked, Arctic Wolf does not receive the security observations that Agent collects, which leaves Arctic Wolf with limited visibility of that endpoint.

Resolution:

Agent Status is Degraded

Possible cause: In the Arctic Wolf Unified Portal, Agent may report these Degraded health status results:

Resolution:

See Arctic Wolf Agent components for more information about Wazuh.

Resources spike during an Agent scan

Possible cause: This is expected behavior. Agent causes CPU and memory usage spikes because vulnerability and benchmark scans are resource intensive. For example, it is normal to see 30% of a 2.5GHz single core CPU and 1GB of memory used.

Resolution: If an endpoint needs its CPU and memory for other work at certain times, schedule your scans to avoid those times.

Agent installation status is unknown on Linux

Possible cause: Verification checks were not done to confirm that Arctic Wolf Agent installed successfully on Linux.

Resolution: See Verify that Arctic Wolf Agent is installed on Linux.

Verify that the Arctic Wolf Agent is installed on Linux

You can do some verification checks to make sure that Arctic Wolf Agent is installed on Linux.

Steps

  1. Verify that the Arctic Wolf Agent services are running.
  2. Verify that the customer.json file exists.
  3. Verify that the client.keys file exists.

Step 1: Verify that the Arctic Wolf Agent services are running

  1. Run these commands to determine the status of the services:
    service arcticwolfagent status
    service arcticwolfdesktop status
    service wazuh-agent status
  2. Check the status of the services, and then do one of these actions:
    • If all of the services are active — Arctic Wolf Agent is installed on Linux.
    • If one or more of the services report a status other than active — Save the command output for context.

Step 2: Verify that the customer.json file exists

  1. Check whether /var/arcticwolfnetworks/agent/etc/customer.json exists:

    • If the customer.json file does not exist — Complete Arctic Wolf Agent Installation on Linux. If the reinstall fails, proceed to the next step.
    • If the customer.json file exists — Proceed to the next step.
  2. Open the customer.json file.

  3. Verify that the file contains these six fields:

    Note: The values in your file will differ from the placeholders shown here.

    {
        "customerUuid": "",
        "clientUuid": "",
        "registerDns": "prod-scout-reg.rootsoc.com",
        "manageDns": "example-manage.rootsoc.com",
        "serverDns": "example-server.rootsoc.com",
        "upgradeTime": "0001-01-01T00:00:00Z"
    }
  4. If the customer.json file contains:

  5. Run this command to confirm that the endpoint can reach the Arctic Wolf registration host over port 443:

    nc -vz prod-scout-reg.rootsoc.com 443

    Tip: If netcat (nc) is not installed by default on your CentOS or Red Hat system, run yum install nmap-ncat to install it.

  6. Run this command to restart the Arctic Wolf Agent service:

    sudo service arcticwolfagent restart
  7. A few minutes after the Arctic Wolf Agent service restarts, check its status again, and then do one of these actions:

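The service, file and connectivity checks from Step 1 and Step 2 can be run together from one script. The script below is an added example and is not Arctic Wolf's own tooling. The service names, the customer.json path, the six field names and the nc check against registerDns on port 443 are taken from the steps above; the additional check of serverDns on port 1514 is an assumption, because the first section names the port but not the host. The sample customer.json written by write_sample_json is constructed for offline testing and uses the placeholder values shown in Step 2.

```shell
#!/bin/sh
# verify-aw-agent.sh: hypothetical checker for the Linux verification steps.
# Added example, not Arctic Wolf's own tooling. Service names, file path and
# field names come from the steps above; the serverDns:1514 check is assumed.

CUSTOMER_JSON="${CUSTOMER_JSON:-/var/arcticwolfnetworks/agent/etc/customer.json}"
AGENT_SERVICES="arcticwolfagent arcticwolfdesktop wazuh-agent"
REQUIRED_FIELDS="customerUuid clientUuid registerDns manageDns serverDns upgradeTime"

# Step 1: every service must be active. For anything else, the full status
# output is printed so it can be saved for context.
check_services() {
    rc=0
    for svc in $AGENT_SERVICES; do
        if service "$svc" status >/dev/null 2>&1; then
            echo "OK    $svc is active"
        else
            echo "FAIL  $svc is not active; status output follows:"
            service "$svc" status 2>&1 | sed 's/^/      /'
            rc=1
        fi
    done
    return $rc
}

# Pull one string value out of the flat customer.json layout (no jq needed).
# Prints an empty line when the field is absent or its value is "".
json_field() {
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" 2>/dev/null | head -n 1
}

# Step 2: the file must exist and name all six fields. Presence is checked
# separately from value because the example layout shows the UUIDs as "".
check_customer_json() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "FAIL  $file does not exist; complete the Linux installation"
        return 1
    fi
    missing=""
    for f in $REQUIRED_FIELDS; do
        grep -q "\"$f\"[[:space:]]*:" "$file" || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo "FAIL  $file is missing fields:$missing"
        return 1
    fi
    echo "OK    $file contains all six fields"
    return 0
}

# TCP reachability check with nc, as in step 5; -w bounds the connect time.
check_port() {
    if command -v nc >/dev/null 2>&1; then
        nc -vz -w 5 "$1" "$2"
    else
        echo "nc not installed; on CentOS/RHEL run: yum install nmap-ncat"
        return 1
    fi
}

# Constructed sample matching the layout in step 3, for offline testing only.
write_sample_json() {
    cat > "$1" <<'EOF'
{
    "customerUuid": "",
    "clientUuid": "",
    "registerDns": "prod-scout-reg.rootsoc.com",
    "manageDns": "example-manage.rootsoc.com",
    "serverDns": "example-server.rootsoc.com",
    "upgradeTime": "0001-01-01T00:00:00Z"
}
EOF
}

main() {
    status=0
    check_services || status=1
    check_customer_json "$CUSTOMER_JSON" || status=1
    reg=$(json_field "$CUSTOMER_JSON" registerDns)
    check_port "${reg:-prod-scout-reg.rootsoc.com}" 443 || status=1
    srv=$(json_field "$CUSTOMER_JSON" serverDns)
    # Assumption: the port 1514 traffic from the first section goes to serverDns.
    if [ -n "$srv" ]; then
        check_port "$srv" 1514 || status=1
    fi
    return $status
}

# Live checks run only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    main
    exit $?
fi
```

Run it as `sh verify-aw-agent.sh --run` on the endpoint; a non-zero exit means at least one check failed, and the printed status output is what you would save before restarting the service in step 6 and re-running the script after the restart in step 7. Only service status, file presence and TCP reachability are checked, so a registration failure that leaves the UUIDs empty still has to be read off the file by hand.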
Step 3: Verify that the client.keys file exists