EP Agent Install: Deploy and Verify Endpoint Agents

Document created by RSA Information Design and Development Employee on Apr 11, 2019. Last modified by RSA Information Design and Development Employee on Mar 23, 2020.
Version 6
 

This section provides instructions on how to deploy and verify agents.

Note: By default, the agent is installed in Insights mode. Depending on the policy assigned, the agent can operate in Insights or Advanced mode. Make sure you review the policy before deploying the agent. For more information, see the NetWitness Endpoint Configuration Guide.

Deploying Agents (Windows)

To deploy the agent, run the nwe-agent-package.exe file on the hosts you want to monitor.

Verifying Windows Agents

After deploying the Windows agents, you can verify that a Windows agent is running by using any of the following methods:

  • Using the NetWitness UI

    The Investigate > Hosts view contains the list of all hosts with an agent. You can look for the host name on which the agent is installed.

    Note: Click Investigate > Hosts or press F5 to refresh the list for the latest data.

  • Using Task Manager

    Open Task Manager and look for the service name that you configured while generating the agent packager on the host machine.

  • Using Services.msc

    Open Services.msc from the Run dialog and look for NWEAgent.

Deploying Agent (Linux)

To deploy the agent, run the nwe-agent.rpm (for 32-bit) or nwe-agent(64-bit).rpm (for 64-bit) file on the hosts you want to monitor.

To install the package, open Terminal on the Linux machine and run the following command as root:

rpm -iv <installer file name>.rpm

For example, using the default installer file names, you could enter one of the following commands:

rpm -iv nwe-agent.i686.rpm (for i386 architecture)

rpm -iv nwe-agent.x86_64.rpm (for x86_64 architecture)

(Enter the administrator password when prompted.)

Note: To upgrade Linux agents, run rpm -U nwe-agent.i686.rpm or rpm -U nwe-agent.x86_64.rpm.

Verifying Linux Agents

After deploying the Linux agents, you can verify that a Linux agent is running by using any of the following methods:

  • Using the NetWitness UI

    The Investigate > Hosts view contains the list of all hosts with an agent.

    Note: Click Investigate > Hosts or press F5 to refresh the list for the latest data.

  • Using Command Line

    Run the following command to get the PID:

    pgrep nwe-agent

  • To check the NetWitness Endpoint version, run the following command:

    cat /opt/rsa/nwe-agent/config/nwe-agent.config | grep version
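The two command-line checks above can be combined into one post-install check with distinct exit codes, for use from deployment automation. This is an added example, not RSA tooling: the process name and config path are the ones on this page, while the function names and the NWE_PROC and NWE_CONFIG override variables are hypothetical.

```shell
#!/bin/sh
# Post-install check for the Linux agent (added example, not RSA's own script).
# Defaults are the process name and config path given on this page; both can
# be overridden through the (hypothetical) NWE_PROC / NWE_CONFIG variables.
NWE_PROC="${NWE_PROC:-nwe-agent}"
NWE_CONFIG="${NWE_CONFIG:-/opt/rsa/nwe-agent/config/nwe-agent.config}"

# Print the PID(s) of the agent process; non-zero status if none is running.
agent_pid() {
    pgrep "$NWE_PROC"
}

# Print the config line(s) that mention "version"; non-zero status if the
# file is unreadable or contains no such line.
agent_version() {
    [ -r "$NWE_CONFIG" ] || return 1
    grep version "$NWE_CONFIG"
}

# Run both checks and report.
# Return status: 0 = running and version found,
#                1 = agent process not running,
#                2 = running, but the version could not be read.
verify_agent() {
    pids=$(agent_pid) || {
        echo "FAIL: $NWE_PROC is not running" >&2
        return 1
    }
    ver=$(agent_version) || {
        echo "FAIL: no version line in $NWE_CONFIG" >&2
        return 2
    }
    # Unquoted $pids flattens multiple PIDs onto one line.
    echo "OK: $NWE_PROC pid(s):" $pids
    echo "OK: $ver"
}
```

Source the file and call verify_agent as root after the rpm install or upgrade; a non-zero status tells the calling job which check failed.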

Deploying Agent (Mac)

To deploy the agent, run the nwe-agent.pkg file on the hosts you want to monitor.

Verifying Mac Agents

After deploying the Mac agents, you can verify that a Mac agent is running by using any of the following methods:

  • Using the NetWitness UI

    The Investigate > Hosts view contains the list of all hosts with an agent.

    Note: Click Investigate > Hosts or press F5 to refresh the list for the latest data.

  • Using Activity Monitor

    Open Activity Monitor (/Applications/Utilities/Activity Monitor.app) and look for NWEAgent.

  • Using Command Line

    Run the following command to get the PID:

    pgrep NWEAgent

  • To check the NetWitness Endpoint version, run the following command:

    grep -a /var/log/system.log | grep NWEAgent | grep Version

Configuring the Communication Between Endpoint Server and Endpoint Agents on Windows Vista and 2008 Server

By default, FIPS mode is enabled on the Endpoint Server, which means that agents installed on Windows Vista and 2008 Server cannot communicate with the Endpoint Server.

To resolve this, perform the following steps on the Endpoint Log Hybrid to disable FIPS mode:

  1. Go to /etc/pki/tls/owb.cnf and edit the file to disable the FIPS mode.

    FIPS Disable

  2. Go to /etc/nginx/conf.d/nginx.conf and edit the file to comment out the following lines:

    FIPS Disable

  3. Restart the Nginx server using the following command:

    systemctl restart nginx
