Here are some tips for troubleshooting your cloud agents.
I installed my agent and activated it, and the status is Initial Scan Complete and it’s not changing |
FIM events not getting transmitted to the Qualys Cloud Platform after agent restart or self-patch |
After installation you should see status shown for your agent (on the Agents tab) within a few minutes. If there's no status this means your agent has not been installed - it did not successfully connect to the cloud platform and register itself.
Common reasons why this happens:
- Agent host cannot reach the Qualys Cloud Platform (or the Qualys Private Cloud Platform if this applies to you) over HTTPS port 443. Check network access and be sure to whitelist the cloud platform URL listed in your account. Just go to Help > About for details.
- You need to configure a custom proxy. Select the agent operating system
below and we'll help you with the steps.
Windows Agent |
Linux/BSD/Unix
| Mac Agent
We recommend you review the agent log
files where agent errors are reported in detail.
Tell me about agent log files | Tell
me about agent errors
Still need help? Please contact our Support team (select Help > Contact Support) and submit a ticket. Be sure to attach your agent log files to your ticket so we can help to resolve the issue.
You might see an agent error reported in the Cloud Agent UI after the agent has been successfully installed. This can happen if one of the actions performed by the agent fails and the agent was able to communicate this to the cloud platform.
We recommend you review the agent log
files where agent errors are reported in detail.
Tell me about agent log files | Tell
me about agent errors
Still need help? Please contact our Support team (select Help > Contact Support) and submit a ticket. Be sure to attach your agent log files to your ticket so we can help to resolve the issue.
The agent log file tracks all things that the agent does. This includes activities and events - if the agent can't reach the cloud platform it shows HTTP errors, when the agent stopped, when agent was shut down and much more.
Where can I find the log files?
What happens when the log file fills up?
Windows Agent - show me the files installed
Linux Agent - show me the files installed
BSD Agent - show me the files installed
Unix Agent - show me the files installed
Mac Agent - show me the files installed
You'll see Manifest/Vulnsigs listed under Asset Details > Agent Summary. This is where we'll show you the Vulnerability Signatures version currently in effect for your agent. Each Vulnsigs version (i.e. signature set) is associated with a unique manifest on the cloud agent platform.
In most cases there’s no reason for concern! You can expect a lag time before you see the Scan Complete agent status for the first time - this means an assessment for the host was performed by the cloud platform. After the first assessment the agent continuously sends uploads as soon as it finds changes to host metadata and assessments happen right away. Learn more
If you suspend scanning (enable the "suspend data collection" option) in a configuration profile applied on an agent activated for FIM, and then assign a FIM monitoring profile to that agent, the FIM manifest does not get downloaded on the agent. The FIM manifest gets downloaded once you enable scanning on the agent.
Suspend scanning on all agents
The FIM process on the cloud agent host uses netlink to communicate with the audit system in order to get event notifications. For the FIM process to continuously function, it requires permanent access to netlink.
If any other process on the host (for example auditd) gets hold of netlink, the FIM process tries to establish access to netlink every ten minutes. The FIM process gets access to netlink only after the other process releases access to it.
Until the time the FIM process does not have access to netlink you may face some issues. For instance, if you have an agent running FIM successfully, and you restart the agent or the agent gets self-patched, upon restart the cloud platform may not receive FIM events for a while. This happens because the FIM rules do not get restored upon restart as the FIM process does not have access to netlink.
When you uninstall an agent the agent is removed from the Cloud Agent user interface and it no longer syncs asset data to the cloud platform. Later you can reinstall the agent if you want, using the same activation key or another key.
When you uninstall a cloud agent from the host itself using the uninstall utilities, the agent, its license usage, and scan results are still present in the Qualys subscription. In order to remove the agent’s host record, license, and scan results, use the Cloud Agent app user interface or Cloud Agent API to uninstall the agent.
Uninstalling the Agent from the host itself
How to Uninstall Windows Agent from the command line
Upgrading from El Capitan (10.11) to Sierra (10.12) will delete needed directories used by the agent, causing the agent to not start. Use the following commands to fix the directory
When editing an activation key you have the option to select "Apply changes to all the existing agents". If selected changes will be applied to all your agents and might take some time to reflect in your account. Learn more