The AlienVault Agent Script and Agent Updates

The AlienVault Agent script enables you to run several commands for the installed agent. Each operating system (OS) has its own script, but the commands function the same across all systems. To use the command script, locate and run the file listed in the following table and follow any additional instructions that are noted.

Note: The AlienVault Agent is not configured to auto-update on its own. See AlienVault Agent Auto-Update below for details on how to enable the auto-update feature.

Location and Notes for the AlienVault Agent Script
System Script Location Notes
Microsoft Windows alienvault-agent.ps1 C:\Program Files\osquery This is not part of the default Microsoft Windows path, so you must either use cd commands to point to the path, or input the path directly to run the script.
Linux /usr/bin Opened from the command line.
Apple macOS /usr/local/bin Opened in Terminal.

AlienVault Agent Commands

The following table contains the complete list of commands for the AlienVault Agent script. The agent configuration, which includes information such as osquery data point checks and File integrity monitoring (FIM) paths, is checked and updated independently.

Commands Available for the AlienVault Agent Script

Command Explaination
start Start the agent service.
stop Stop the agent service.
restart Restart the agent service.
update Update the agent version.
enable-auto-update [time]

Enable auto-update to check daily for new version.

Time can optionally be designated for the check (24-hour format HH:MM).

If no time is supplied, the daily check will occur between 09:00 and 17:00.

disable-auto-update Disable agent auto-update.

Reinstall the agent service with the newest version.

(This reinstalls the agent even if you are running the most recent version.)

uninstall Uninstall the agent.
version Print the agent version number.
help Print help.
config Connect to the agent API server to print or download your agent configuration.

Start an interactive osqueryi shell within your agent's configuration.

(Typically used for prototyping and troubleshooting queries against your current configuration.)


Print a report containing pertinent information regarding agent information, including whether the auto-update feature is active.

(Contains version, platform information, host identification, and other information. This command is most useful for relaying information to AT&T Cybersecurity Technical Support.)

AlienVault Agent Auto-Update

The AlienVault Agent has an auto-update feature, but it's disabled by default. You can enable auto-update and specify a time to check for updates, then the agent will update automatically provided that your system is online at the time the update is scheduled and there are no local configurations preventing the scheduled task from being enacted.

Note: The auto-update feature only exists in agent version 20.07.0003.0301 and later. If you are on an earlier version of the agent, you need to manually update the agent to attain the auto-update feature.

The following procedure provides the steps for enabling the agent's auto-update function for each operating system (OS). You can use the agent script's report command to verify that the auto-update function is active.

When the AlienVault Agent is updated, the installation process detects the presence of an existing osquery.flags file and uses its --specified_identifier flag for identification, thus maintaining the continuity.