Here are some tips for troubleshooting your cloud agents.
- I installed my agent and activated it, and the status is Initial Scan Complete and it’s not changing
- FIM events not getting transmitted to the Qualys Cloud Platform after agent restart or self-patch
After installation you should see status shown for your agent (on the Agents tab) within a few minutes. If there's no status this means your agent has not been installed - it did not successfully connect to the cloud platform and register itself.
Common reasons why this happens:
- Agent host cannot reach the Qualys Cloud Platform (or the Qualys Private Cloud Platform if this applies to you) over HTTPS port 443. Check network access and be sure to allow the cloud platform URL listed in your account. Just go to Help > About for details.
- You need to configure a custom proxy. Select the agent operating system below and we'll help you with the steps: Windows Agent | Linux/BSD/Unix | MacOS Agent
We recommend you review the agent log files, where agent errors are reported in detail.
Tell me about agent log files | Tell me about agent errors
Still need help? Please contact our Support team (select Help > Contact Support) and submit a ticket. Be sure to attach your agent log files to your ticket so we can help to resolve the issue.
You might see an agent error reported in the Cloud Agent UI after the agent has been successfully installed. This can happen if one of the actions performed by the agent fails and the agent was able to communicate this to the cloud platform.
We recommend you review the agent log files, where agent errors are reported in detail.
Tell me about agent log files | Tell me about agent errors
Still need help? Please contact our Support team (select Help > Contact Support) and submit a ticket. Be sure to attach your agent log files to your ticket so we can help to resolve the issue.
The agent log file tracks everything the agent does. This includes activities and events: if the agent can't reach the cloud platform it shows HTTP errors, and it records when the agent stopped, when the agent was shut down and much more.
Where can I find the log files?
Windows Agent - log files are in:
C:\ProgramData\Qualys\QualysAgent
On XP and Windows Server 2003, log files are in:
C:\Documents and Settings\All Users\Application Data\Qualys\QualysAgent
Linux/BSD Agent - log files are in:
/var/log/qualys/
Unix Agent - log files are in:
/var/opt/qualys/
What happens when the log file fills up?
Windows Agent: When the file Log.txt fills up (it reaches 10 MB) it gets renamed and zipped to Archive.txt.7z (with the timestamp, for example, Archive.0910181046.txt.7z) and a new Log.txt is started. This process continues for 10 rotations.
Linux/BSD/Unix Agent: When the file qualys-cloud-agent.log fills up (it reaches 10 MB) it gets renamed to qualys-cloud-agent.1 and a new qualys-cloud-agent.log is started. This process continues for 5 rotations.
Mac Agent: When the file qualys-cloud-agent.log fills up (it reaches 10 MB) it gets renamed to qualys-cloud-agent.1 and a new qualys-cloud-agent.log is started. This process continues for 5 rotations.
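An added example (not part of the Qualys documentation) that lists, searches and bundles the Linux/BSD/Unix/Mac agent log together with its rotations, for instance before attaching them to a support ticket. It assumes a higher rotation number means an older file; the function names are made up for this example.

```sh
#!/bin/sh
# Added example (not Qualys code): work with the live agent log and its
# rotations, using the file names given on this page. Rotated files are
# named qualys-cloud-agent.N (no ".log"), so a glob such as
# qualys-cloud-agent.log* would miss them.

# Print existing log files oldest first. Assumption: a higher rotation
# number is an older file, so .5 is read before .1 and the live log last.
# $1 = log dir (/var/log/qualys, or /var/opt/qualys for the Unix agent).
agent_logs_oldest_first() {
    dir=${1:-/var/log/qualys}
    n=5                             # the page states 5 rotations
    while [ "$n" -ge 1 ]; do
        if [ -f "$dir/qualys-cloud-agent.$n" ]; then
            echo "$dir/qualys-cloud-agent.$n"
        fi
        n=$((n - 1))
    done
    if [ -f "$dir/qualys-cloud-agent.log" ]; then
        echo "$dir/qualys-cloud-agent.log"
    fi
}

# Search every rotation in chronological order; each hit is prefixed with
# the file it came from. $1 = log dir, $2 = extended regex (case-insensitive).
agent_log_search() {
    agent_logs_oldest_first "$1" | while IFS= read -r f; do
        grep -Ei -- "$2" "$f" | sed "s|^|$(basename "$f"): |"
    done
}

# Pack the logs into one gzip'd tar for a support ticket.
# $1 = log dir, $2 = output file. Fails if no log file exists.
bundle_agent_logs() {
    names=$(agent_logs_oldest_first "$1" | sed 's|.*/||')
    [ -n "$names" ] || { echo "no agent logs in $1" >&2; return 1; }
    # Fixed file names without spaces, so word splitting of $names is safe.
    ( cd "$1" && tar -cf - $names | gzip -c ) > "$2"
}
```

Reading the agent log directory usually requires root; the archive stores bare file names rather than absolute paths.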
Windows Agent - show me the files installed
Program Files
The agent executables are installed here:
C:\Program Files (x86)\QualysAgent\Qualys
On Windows XP, the agent executables are installed here:
C:\Program Files\QualysAgent\Qualys
Program Data
The agent manifest, configuration data, snapshot database and log files are stored here:
C:\ProgramData\Qualys\QualysAgent\*
Have custom environment variables?
No worries, we’ll install the agent following the environmental settings defined on your hosts.
Linux Agent - show me the files installed
Files are installed in directories below:
/etc/init.d/qualys-cloud-agent
/etc/qualys/cloud-agent/qagent-log.conf
/usr/local/qualys/cloud-agent/Default_Config.db
/usr/local/qualys/cloud-agent/bin
/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent
/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh
/usr/local/qualys/cloud-agent/lib/*
/usr/local/qualys/cloud-agent/manifests
/var/log/qualys/qualys-cloud-agent.log
BSD Agent - show me the files installed
Files are installed in directories below:
/etc
/etc/rc.d
/etc/qualys
/etc/qualys/cloud-agent
/etc/qualys/cloud-agent/cert
/usr/local
/usr/local/qualys
/usr/local/qualys/cloud-agent
/usr/local/qualys/cloud-agent/bin
/usr/local/qualys/cloud-agent/lib
/var/log/qualys/qualys-cloud-agent.log
Unix Agent - show me the files installed
Files are installed in directories below:
/etc/opt/qualys
/etc/opt/qualys/cloud-agent
/etc/opt/qualys/cloud-agent/cert
/etc/qualys
/opt/qualys
/opt/qualys/cloud-agent
/opt/qualys/cloud-agent/bin
/opt/qualys/cloud-agent/lib
/opt/qualys/cloud-agent/manifests
/opt/qualys/cloud-agent/setup
/var/opt/qualys
For agent version 1.6, files listed under /etc/opt/qualys/ are available at /etc/qualys/, and log files are available at /var/log/qualys.
MacOS Agent - show me the files installed
Files are installed in directories below:
/Applications/QualysCloudAgent.app
/Library/LaunchDaemons - includes plist file to launch daemon
Want a complete list of files? Just run this command:
pkgutil --only-files --files com.qualys.cloud.agent
You'll see Manifest/Vulnsigs listed under Asset Details > Agent Summary. This is where we'll show you the Vulnerability Signatures version currently in effect for your agent. Each Vulnsigs version (i.e. signature set) is associated with a unique manifest on the cloud agent platform.
In most cases there’s no reason for concern! You can expect a lag time before you see the Scan Complete agent status for the first time - this means an assessment for the host was performed by the cloud platform. After the first assessment the agent continuously sends uploads as soon as it finds changes to host metadata and assessments happen right away.
The initial background upload of the baseline snapshot is sent up to the cloud platform for assessment and once this happens you'll see the Scan Complete status. This initial upload has minimal size (a few megabytes) and after that only deltas are uploaded in small chunks (a few kilobytes each). For the initial upload the agent collects comprehensive metadata about the target host. It collects things like network posture, OS, open ports, installed software, registry info, what patches are installed, environment variables, and metadata associated with files. The first scan takes some time - from 30 minutes to 2 hours using the default configuration - after that scans run instantly on the delta uploads.
If you suspend scanning (enable the "suspend data collection" option) in a configuration profile applied on an agent activated for FIM, and then assign a FIM monitoring profile to that agent, the FIM manifest does not get downloaded on the agent. The FIM manifest gets downloaded once you enable scanning on the agent.
Suspend scanning on all agents
The FIM process on the cloud agent host uses netlink to communicate with the audit system in order to get event notifications. For the FIM process to continuously function, it requires permanent access to netlink.
If any other process on the host (for example auditd) gets hold of netlink, the FIM process tries to establish access to netlink every ten minutes. The FIM process gets access to netlink only after the other process releases access to it.
Until the FIM process gains access to netlink, you may face some issues. For instance, if you have an agent running FIM successfully, and you restart the agent or the agent gets self-patched, the cloud platform may not receive FIM events for a while after the restart. This happens because the FIM rules are not restored upon restart while the FIM process does not have access to netlink.
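One way to check which process holds the audit netlink when FIM events stop after a restart, as an added example that is not Qualys code. It assumes the access described above is the audit daemon registration that `auditctl -s` reports as `pid`; the FIM process name is a placeholder the caller supplies, since this page does not name it.

```sh
#!/bin/sh
# Added example, not Qualys code. `auditctl -s` (audit userspace tools)
# prints the kernel audit status, including the pid of the process that is
# currently registered to receive audit events over netlink (0 = nobody).

# Extract that pid from `auditctl -s` text passed as $1. Two layouts occur:
#   newer tools: one "key value" pair per line         ->  pid 812
#   older tools: one "AUDIT_STATUS: ... pid=812 ..." line
audit_owner_pid() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) {
              if ($i == "pid" && i < NF) { print $(i + 1); f = 1; exit }
              if ($i ~ /^pid=[0-9]+$/)   { sub(/^pid=/, "", $i); print $i; f = 1; exit }
          } }
        END { exit !f }'
}

# Turn the owner into a verdict.
# $1 = owner pid, $2 = command name of that pid,
# $3 = command name of the FIM process (assumption: supplied by the caller).
netlink_verdict() {
    if [ "$1" = "0" ]; then
        echo "free"
    elif [ "$2" = "$3" ]; then
        echo "held-by-fim"
    else
        echo "held-by-other:$2"
    fi
}

# Live check; needs root. $1 = expected FIM command name (see above).
check_audit_netlink() {
    status=$(auditctl -s) || return 2
    pid=$(audit_owner_pid "$status") || return 2
    comm=""
    if [ "$pid" != "0" ]; then comm=$(ps -p "$pid" -o comm=); fi
    netlink_verdict "$pid" "$comm" "$1"
}

# Constructed sample of `auditctl -s` output with auditd (pid 812) registered.
SAMPLE_STATUS='enabled 1
failure 1
pid 812
rate_limit 0'
netlink_verdict "$(audit_owner_pid "$SAMPLE_STATUS")" auditd fim-process-name
```

A `held-by-other:auditd` verdict matches the situation described above, where the FIM process retries every ten minutes until the other process releases netlink.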
When you uninstall an agent the agent is removed from the Cloud Agent user interface and it no longer syncs asset data to the cloud platform. Later you can reinstall the agent if you want, using the same activation key or another key.
When you uninstall a cloud agent from the host itself using the uninstall utilities, the agent, its license usage, and scan results are still present in the Qualys subscription. In order to remove the agent’s host record, license, and scan results, use the Cloud Agent app user interface or Cloud Agent API to uninstall the agent.
Uninstalling the Agent from the host itself
How to Uninstall Windows Agent from the command line
Upgrading from El Capitan (10.11) to Sierra (10.12) will delete needed directories used by the agent, causing the agent to not start. Use the following commands to fix the directory:
1) mkdir /var/log/qualys
2) chmod 640 /var/log/qualys
3) if non-root: chown non-root.non-root-group /var/log/qualys
4) /Applications/QualysCloudAgent.app/Contents/MacOS/qagent_restart.sh
When editing an activation key you have the option to select "Apply changes to all the existing agents". If selected, changes will be applied to all your agents and might take some time to reflect in your account.
Things to know before applying changes to all agents
- Appliance changes may take several minutes
- We might need to reactivate agents based on module changes