Cloud Secure Agent Installation

Contributors netapp-alavoie

Cloud Secure collects user activity data using one or more agents. Agents connect to devices in your environment and collect data that is sent to the Cloud Secure SaaS layer for analysis. See Agent Requirements to configure an agent VM.

Before You Begin

  • The sudo privilege is required for installation, running scripts, and uninstall.

Steps to Install Agent

  1. Log in as Administrator or Account Owner to your Cloud Secure environment.

  2. Click Admin > Data Collectors > Agents > +Agent

    The system displays the Add an Agent page:

    Add agent 1
  3. Select the operating system on which you are installing the agent.

  4. Verify that the agent server meets the minimum system requirements.

  5. To verify that the agent server is running a supported version of Linux, click Versions Supported (i).

  6. If your network is using proxy server, please set the proxy server details by following the instructions in the Proxy section.

    Agent Install with Proxy Note

  7. Click the Copy to Clipboard icon to copy the installation command.

  8. Run the installation command in a terminal window.

  9. The system displays the following message when the installation completes successfully:

    new agent detect
After You Finish
  1. You need to configure a User Directory Collector .

  2. You need to configure one or more Data Collectors.

Network Configuration

Run the following commands on the local system to open ports that will be used by Cloud Secure. If there is a security concern regarding the port range, you can use a lesser port range, for example 35000:35100. Each SVM uses two ports.

  1. sudo firewall-cmd --permanent --zone=public --add-port=35000-55000/tcp

  2. sudo firewall-cmd --reload

Follow the next steps according to your platform:

CentOS 7.x / RHEL 7.x:

  1. sudo iptables-save | grep 35000

Sample output:

-A IN_public_allow -p tcp -m tcp --dport 35000:55000 -m conntrack -ctstate NEW,UNTRACKED -j ACCEPT

CentOS 8.x / RHEL 8.x:

  1. sudo firewall-cmd --zone=public --list-ports | grep 35000 (for CentOS 8)

Sample output:


Troubleshooting Agent Errors

Known problems and their resolutions are described in the following table.

Problem: Resolution:

Agent installation fails to create the /opt/netapp/cloudsecure/agent/logs/agent.log folder and the install.log file provides no relevant information.

This error occurs during bootstrapping of the agent. The error is not logged in log files because it occurs before logger is initialized.
The error is redirected to standard output, and is visible in the service log using the journalctl -u cloudsecure-agent.service command. This command can be used for troubleshooting the issue further.

Agent installation fails with ‘This linux distribution is not supported. Exiting the installation’.

The supported platforms for Cloud Secure 1.0.0 are RHEL 7.x / CentOS 7.x. Ensure that you are not installing the agent on a RHEL 6.x or CentOS 6.x system.

Agent Installation failed with the error:
"-bash: unzip: command not found"

Install unzip and then run the installation command again. If Yum is installed on the machine, try “yum install unzip” to install unzip software.
After that, re-copy the command from the Agent installation UI and paste it in the CLI to execute the installation again.

Agent was installed and was running. However agent has stopped suddenly.

SSH to the Agent machine. Check the status of the agent service via sudo systemctl status cloudsecure-agent.service.
1. Check if the logs shows a message“Failed to start Cloud Secure daemon service” .
2. Check if cssys user exists in the Agent machine or not. Execute the following commands one by one with root permission and check if the cssys user and group exists.
sudo id cssys
sudo groups cssys
3. If none exists, then a centralized monitoring policy may have deleted the cssys user.
4. Create cssys user and group manually by executing the following commands.
sudo useradd cssys
sudo groupadd cssys
5. Restart the agent service after that by executing the following command:
sudo systemctl restart cloudsecure-agent.service
6. If it is still not running, please check the other troubleshooting options.

Unable to add more than 20 Data collectors to an Agent.

Only 20 Data collectors can be added to an Agent. This can be a combination of all the collector types, for example, Active Directory, SVM and other collectors.

UI shows Agent is in NOT_CONNECTED state.

Steps to restart the Agent.
1. SSH to the Agent machine.
2. Restart the agent service after that by executing the following command:
sudo systemctl restart cloudsecure-agent.service
3. Check the status of the agent service via sudo systemctl status cloudsecure-agent.service.
4. Agent should go to CONNECTED state.

Agent VM is behind Zscaler proxy and the agent installation is failing. Because of Zscaler proxy’s SSL inspection, the Cloud Secure certificates are presented as it is signed by Zscaler CA so the agent is not trusting the communication.

Disable SSL inspection in the Zscaler proxy for the * url. If Zscaler does SSL inspection and replaces the certificates, Cloud Secure will not work.

While installing the agent, the installation hangs after unzipping.

“chmod 755 -Rf” command is failing.
The command fails when the agent installation command is being run by a non-root sudo user that has files in the working directory, belonging to another user, and permissions of those files cannot be changed. Because of the failing chmod command, the rest of the installation does not execute.

1. Create a new directory named “cloudsecure”.
2. Go to that directory.
3. Copy and paste the full “token=…… … ./" installation command and press enter.
4. Installation should be able to proceed.

If the Agent is still not able to connect to Saas, please open a case with NetApp Support. Provide the Cloud Insights serial number to open a case, and attach logs to the case as noted.

To attach logs to the case:
1. Execute the following script with root permission and share the output file (
a. /opt/netapp/cloudsecure/agent/bin/
2. Execute the following commands one by one with root permission and share the output.
a. id cssys
b. groups cssys
c. cat /etc/os-release