The LevelBlue Agent script enables you to run several commands for the installed agent. Each operating system (OS) has its own script, but the commands function the same across all systems. To use the command script, locate and run the file listed in the following table and follow any additional instructions that are noted.
Note: The LevelBlue Agent is not configured to auto-update on its own. See LevelBlue Agent Auto-Update below for details on how to enable the auto-update feature.
| System | Script | Location | Notes |
|---|---|---|---|
| Microsoft Windows | alienvault-agent.ps1 | C:\Program Files\osquery | This is not part of the default Microsoft Windows path, so you must either use cd commands to point to the path, or input the path directly to run the script. |
| Linux | alienvault-agent.sh | /usr/bin | Opened from the command line. |
| Apple macOS | alienvault-agent.sh | /usr/local/bin | Opened in Terminal. |
LevelBlue Agent Commands
The following table contains the complete list of commands for the LevelBlue Agent script. The agent configuration, which includes information such as osquery data point checks and File integrity monitoring (FIM) paths, is checked and updated independently.
| Command | Explaination |
|---|---|
| start | Start the agent service. |
| stop | Stop the agent service. |
| restart | Restart the agent service. |
| update | Update the agent version. |
| enable-auto-update [time] |
Enable auto-update to check daily for new version. Time can optionally be designated for the check (24-hour format HH:MM). If no time is supplied, the daily check will occur between 09:00 and 17:00. |
| disable-auto-update | Disable agent auto-update. |
| force-update |
Reinstall the agent service with the newest version. (This reinstalls the agent even if you are running the most recent version.) |
| uninstall | Uninstall the agent. |
| version | Print the agent version number. |
| help | Print help. |
| config | Connect to the agent API server to print or download your agent configuration. |
| osqueryi |
Start an interactive osqueryi shell within your agent's configuration. (Typically used for prototyping and troubleshooting queries against your current configuration.) |
| report |
Print a report containing pertinent information regarding agent information, including whether the auto-update feature is active. (Contains version, platform information, host identification, and other information. This command is most useful for relaying information to LevelBlue Technical Support.) |
LevelBlue Agent Auto-Update
The LevelBlue Agent has an auto-update feature, but it's disabled by default. You can enable auto-update and specify a time to check for updates, then the agent will update automatically provided that your system is online at the time the update is scheduled and there are no local configurations preventing the scheduled task from being enacted.
Note: The auto-update feature only exists in agent version 20.07.0003.0301 and later. If you are on an earlier version of the agent, you need to manually update the agent to attain the auto-update feature.
The following procedure provides the steps for enabling the agent's auto-update function for each operating system (OS). You can use the agent script's report command to verify that the auto-update function is active.
Linux
To enable agent auto-updates on Linux
-
Run the following command from a bash shell:
alienvault-agent.sh enable-auto-update HH:MM
Entering the time (HH:MM) is optional and, if not entered, the system will check for an update between 09:00 and 17:00.
-
Verify that osquery is running in your Linux terminal.
Windows
To enable agent auto-updates on Windows
-
Run the following command from PowerShell as an admin:
C:\’Program Files’\osquery\alienvault-agent.ps1 enable-auto-update HH:MM
Entering the time (HH:MM) is optional and, if not entered, the system will check for an update between 09:00 and 17:00.
-
Verify that osquery is running in the Windows Task Manager.
macOS
To enable agent auto-updates on macOS
-
Run the following command from a bash shell:
alienvault-agent.sh enable-auto-update HH:MM
Entering the time (HH:MM) is optional and, if not entered, the system will check for an update between 09:00 and 17:00.
-
Verify that osquery is running in the macOS Activity Monitor.
When the LevelBlue Agent is updated, the installation process detects the presence of an existing osquery.flags file and uses its --specified_identifier flag for identification, thus maintaining the continuity.
Feedback