Agent Knowledge Base Items

Checking Agent Logs

Windows

  • The Agent logs located at C:\Program Files (x86)\LiongardInc\LiongardAgent\logs
  • The Agent event logs ('LiongardAgentLogs'), which you can find under 'Application and Service Logs' in the Windows Event Viewer.
  • The Agent .SVC logs located at 'C:\Program Files (x86)\LiongardInc\LiongardAgent\AgentSVCLog.txt'

If the Agent install doesn't complete successfully, the log locations listed above may not be present. In that case, there should be events logged for the install itself in the Windows Event Viewer under System with a source of MSIInstaller.

Linux

For Linux, you can get the exact log locations by calling the command pm2 show roar-agent

  • /home/ubuntu/.pm2/logs/roar-agent-error-0.log
  • /home/ubuntu/.pm2/logs/roar-agent-out-0.log
  • /opt/liongard/logs/*.log

Can I use one On-Premises Agent for multiple Environments?

At this time, we don't allow one On-Premises Agent to be used across multiple Environments because Agents cannot be assigned an Inspector without first being assigned an Environment.

If I have a client who connects multiple sites via a VPN, do I have to install an Agent on each site?

Our Agents can talk across the VPN, so it is not necessary to install an Agent at each site. With that being said, there may be some extra configuration steps required for WinRM inspections.

For more information on WinRM, please visit this document.

Do I need to deploy an Agent on all of my servers?

No, you do not need to deploy an Agent on all of your servers. You should deploy one Agent for each Environment’s network.

Our Agents can speak through VPN tunnels and to anything that can speak to the server the Agent is deployed on.

For more information, please visit our Agents documentation.

Does Liongard Inspect Workstations? Can I roll out On-premises Agents on Workstations?

At this time, Liongard does not inspect workstations.

At this time, rolling out On-premises Agents on workstations is not supported.

If I have a client with multiple locations and a Domain Controller at each location, should a Windows Agent be installed on each Domain Controller? All of the locations are under the same Domain.

If you have multiple domain controllers hosting replicas of the same domain, you only need to inspect one of these. Therefore, you will only need to install one Windows Agent.

If you have multiple Active Directory domains, you will want an Agent on a domain controller from each of the domains.

Where can I find the IP Address of an Agent?

You can locate the IP Address of an Agent by navigating to Admin > Agents. Then, you can find the Agent you are interested in and view the IP Address in the IP Address column.

Can I deploy an Agent on a Workgroup?

An On-premises Agent can be deployed on a server that is not a part of a domain; however, the Agent will not be able to auto-discover any Inspectors. The Agent deployment requirements are the same (primarily Server 2012 or higher). After deploying the Agent to a server that is not a part of the domain, you will need to manually roll out any System Inspectors for that network.

Additionally, please review this documentation:

Do Liongard Agents affect CPU/Performance?

The MSI installer will take a fairly minimal amount of resources to run, but after the Agent is installed, it should consume almost no resources at all.

On our current version (Version 3.0.2), the Agent consumes approximately 67.3 MB.

Why is the IP address of the server my Agent is installed on not showing?

The Agent makes a call to several websites that pull the public IP address. If the IP address is not showing, then these sites may be blocked by a web filter, security monitoring, etc.

To remediate, whitelist the following addresses:

https://api.ipify.org/
https://api6.ipify.org/
https://icanhazip.com/

Serverless Environment

If a client network you are supporting is serverless and, therefore, doesn't have a location to install an On-Premises Liongard Agent, there are a few options to still use Liongard Inspectors.

  1. Firewall Only Inspection

If you only need to inspect the firewall, you can deploy a Self-Hosted Agent using this documentation. You can then whitelist the Self-Hosted Agent's IP address through to allow the Self-Hosted Agent to inspect the firewall directly from your datacenter.

  1. Inspecting Other On-Premises Infrastructure

The On-Premises Liongard Agent can also be installed on-premises on a Windows 10 or greater workstation and used to facilitate inspections inside the network. We do not generally recommend this due to the greater potential for an individual workstation to go offline without warning and thus is an unsupported deployment option.

Should I be concerned regarding the use of the LSASS.exe process by the Liongard Agent?

When the Liongard Agent runs commands on a Windows system, it will call on the service account specified during the agent installation to authenticate via the Local Security Authority.

Local Security Authority Subsystem Service (LSASS) is a crucial component of Microsoft Windows security policies, authority domain authentication, and Active Directory management on your computer. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security log.

LSASS verifies the validity of user logons to your PC or server. LSASS generates the process responsible for authentication users for the Winlogon service. If authentication is successful, LSASS generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates then inherit this token.

Credentials are cached using LSASS and due to this functionality, cached passwords on the Windows system can potentially be stolen by attackers via credential dumps.

This attack method is commonly known. Software such as gsecdump, creddump, PWDumpX, and Mimikatz can be used to extract dumpfiles from a Windows system, which then allows an attacker to view the credentials stored in LSASS. Typically the information stored in these dumps are stored as hashed values, which would require the attacker to decrypt the message in order to obtain the plaintext credentials.

Due to this vulnerability being well known, there are several different ways to ensure that your system is protected. A few methods include (and are not limited to), confirming that WDigest is disabled for servers older than Windows Server 2012 R2, making sure that anti-virus is installed on the system, and enforcing proper password policies and user training to prevent unauthorized system access.

How can I see how many Liongard Agents are associated with each Environment?

Navigating to Admin > Environments and adding the Associated Agents column will show you the number of Agents associated with each Environment. If you click on the number, you will be directed to the Admin > Agents screen where you are able to view the associated Agents.


Did this page help you?