Cloud Secure Agent Installation

Contributors: netapp-alavoie, dgracenetapp

Cloud Secure collects user activity data using one or more agents. Agents connect to devices in your environment and collect data that is sent to the Cloud Secure SaaS layer for analysis. See Agent Requirements to configure an agent VM.

Before You Begin

  • The sudo privilege is required for installation, running scripts, and uninstall.

Steps to Install Agent

  1. Log in as Administrator or Account Owner to your Cloud Secure environment.

  2. Click Admin > Data Collectors > Agents > +Agent

    The system displays the Add an Agent page:

    [Screenshot: Add an Agent page]

  3. Select the operating system on which you are installing the agent.

  4. Verify that the agent server meets the minimum system requirements.

  5. To verify that the agent server is running a supported version of Linux, click Versions Supported (i).

  6. If your network uses a proxy server, set the proxy server details by following the instructions in the Proxy section.

    [Screenshot: Agent Install with Proxy note]

  7. Click the Copy to Clipboard icon to copy the installation command.

  8. Run the installation command in a terminal window.

  9. The system displays the following message when the installation completes successfully:

    [Screenshot: “new agent detect” message]

After You Finish

  1. You need to configure a User Directory Collector.

  2. You need to configure one or more Data Collectors.

Network Configuration

Run the following commands on the local system to open ports that will be used by Cloud Secure.

Steps
  1. sudo firewall-cmd --permanent --zone=public --add-port=35000-55000/tcp

  2. sudo firewall-cmd --reload

  3. sudo iptables-save | grep 35000

    Sample output:
    -A IN_public_allow -p tcp -m tcp --dport 35000 -m conntrack --ctstate NEW -j ACCEPT
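
To confirm that both the running and the saved firewalld configuration carry the range, the ports that `firewall-cmd --list-ports` reports can be checked as below. This is an added example, not part of the original page or NetApp's tooling; the function names `has_range` and `range_state` and the sample port lists are constructed for illustration.

```shell
#!/bin/sh
# Added example (not NetApp code): classify the agent port range from
# `firewall-cmd --list-ports` style output. Function names are hypothetical.

# has_range "LIST" LO HI PROTO: succeed if one entry of LIST (for example
# "22/tcp 35000-55000/tcp") covers every port from LO to HI for PROTO.
has_range() {
  for entry in $1; do
    [ "${entry#*/}" = "$4" ] || continue
    r=${entry%/*}; lo=${r%-*}; hi=${r#*-}
    [ "$lo" -le "$2" ] && [ "$hi" -ge "$3" ] && return 0
  done
  return 1
}

# range_state "RUNTIME_LIST" "PERMANENT_LIST": report where 35000-55000/tcp is set.
range_state() {
  rt=no; pm=no
  has_range "$1" 35000 55000 tcp && rt=yes
  has_range "$2" 35000 55000 tcp && pm=yes
  case "$rt/$pm" in
    yes/yes) echo open ;;            # active now and kept across reloads
    no/yes)  echo reload-needed ;;   # saved with --permanent, --reload not yet run
    yes/no)  echo lost-on-reload ;;  # runtime only, dropped at next reload or reboot
    *)       echo closed ;;
  esac
}

# Live use on the agent host:
#   range_state "$(sudo firewall-cmd --zone=public --list-ports)" \
#               "$(sudo firewall-cmd --permanent --zone=public --list-ports)"

# Constructed sample: state after step 1 but before step 2.
range_state "22/tcp" "22/tcp 35000-55000/tcp"
```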

Troubleshooting Agent Errors

Known problems and their resolutions are listed below. Each problem is followed by its resolution.

Problem: Agent installation fails to create the /opt/netapp/cloudsecure/agent/logs/agent.log folder and the install.log file provides no relevant information.

Resolution: This error occurs during bootstrapping of the agent. The error is not logged in the log files because it occurs before the logger is initialized. The error is redirected to standard output and is visible in the service log using the journalctl -u cloudsecure-agent.service command. This command can be used to troubleshoot the issue further.

Problem: Agent installation fails with ‘This linux distribution is not supported. Exiting the installation’.

Resolution: The supported platforms for Cloud Secure 1.0.0 are RHEL 7.x / CentOS 7.x. Ensure that you are not installing the agent on a RHEL 6.x or CentOS 6.x system.

Problem: Agent installation failed with the error:
"-bash: unzip: command not found"

Resolution: Install unzip and then run the installation command again. If Yum is installed on the machine, try “yum install unzip” to install the unzip software. After that, re-copy the command from the Agent installation UI and paste it in the CLI to run the installation again.

Problem: The agent was installed and was running. However, the agent has stopped suddenly.

Resolution: SSH to the Agent machine. Check the status of the agent service via sudo systemctl status cloudsecure-agent.service.
1. Check whether the log shows the message “Failed to start Cloud Secure daemon service”.
2. Check whether the cssys user exists on the Agent machine. Execute the following commands one by one with root permission and check whether the cssys user and group exist.
    sudo id cssys
    sudo groups cssys
3. If neither exists, a centralized monitoring policy may have deleted the cssys user.
4. Create the cssys user and group manually by executing the following commands.
    sudo useradd cssys
    sudo groupadd cssys
5. Restart the agent service after that by executing the following command:
    sudo systemctl restart cloudsecure-agent.service
6. If it is still not running, please check the other troubleshooting options.
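
Steps 2 to 4 above can leave the account half restored, for example when only the user or only the group was deleted. The sketch below is an added example, not part of the original page; the function name `account_fix` is hypothetical, and it assumes local accounts in /etc/passwd and /etc/group and the RHEL/CentOS default that `useradd` also creates a group with the same name.

```shell
#!/bin/sh
# Added example (not NetApp code): report which command is still needed to
# restore the agent's service account. It only prints; it changes nothing.

# account_fix NAME [PASSWD_FILE] [GROUP_FILE]
account_fix() {
  name=$1; pw=${2:-/etc/passwd}; gr=${3:-/etc/group}
  user=no; group=no
  grep -q "^${name}:" "$pw" && user=yes
  grep -q "^${name}:" "$gr" && group=yes
  case "$user/$group" in
    yes/yes) echo "ok" ;;
    yes/no)  echo "groupadd $name" ;;
    # Plain `useradd NAME` refuses to run when a group called NAME already
    # exists, so attach the new user to the surviving group with -g.
    no/yes)  echo "useradd -g $name $name" ;;
    # Assumption: USERGROUPS_ENAB is yes, so useradd creates the group too.
    # Run account_fix again afterwards to see whether groupadd is still needed.
    no/no)   echo "useradd $name" ;;
  esac
}

# Constructed sample: the group survived but the user entry was deleted.
tmp=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"
printf 'root:x:0:\ncssys:x:1001:\n' > "$tmp/group"
account_fix cssys "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

Run each printed command with sudo, then call `account_fix cssys` with no file arguments until it prints `ok` before restarting the service.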

Problem: Unable to add more than 10 Data Collectors to an Agent.

Resolution: Only 10 Data Collectors can be added to an Agent. This can be a combination of all the collector types, for example, Active Directory, SVM and other collectors.

Problem: The UI shows the Agent is in the NOT_CONNECTED state.

Resolution: Steps to restart the Agent.
1. SSH to the Agent machine.
2. Restart the agent service by executing the following command:
    sudo systemctl restart cloudsecure-agent.service
3. Check the status of the agent service via sudo systemctl status cloudsecure-agent.service.
4. The Agent should go to the CONNECTED state.

Problem: The Agent VM is behind a Zscaler proxy and the agent installation is failing. Because of the Zscaler proxy’s SSL inspection, the Cloud Secure certificates are presented as if they were signed by the Zscaler CA, so the agent does not trust the communication.

Resolution: To resolve the issue, do the following:
1. Get the CA certificate that is used in Zscaler, using a browser or a tool like openssl. Also download all the intermediate CA certificates, if applicable.
2. Import the CA certificates into the Cloud Secure agent’s trust store using the command below.
    /opt/netapp/cloudsecure/agent/java64/bin/keytool -importcert -file <ca_cert_path> -keystore /opt/netapp/cloudsecure/agent-certs/cert/client.keystore -alias <alias_name>
3. Restart the agent by executing the following command.
    systemctl restart cloudsecure-agent.service
4. The agent should work now.
5. If the agent is still failing with an SSL error, then import the immediate certificate presented by the tenant URL, using a browser or a tool like openssl.
6. Restart the agent again.
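
Before importing anything, it helps to confirm that the chain the agent host actually receives is issued by the inspection proxy, and to list the CA names that steps 1 and 2 must cover. The parser below is an added example, not part of the original page; `tenant.example.com`, the function names and the sample `openssl s_client` output are constructed placeholders.

```shell
#!/bin/sh
# Added example (not NetApp code): read `openssl s_client` output and list who
# issued each certificate the agent host is shown. Capture it on the agent VM:
#   openssl s_client -connect tenant.example.com:443 \
#     -servername tenant.example.com -showcerts </dev/null > chain.txt
# tenant.example.com is a placeholder for your tenant host name.

# chain_issuers < s_client_output : print "depth<TAB>issuer" per chain entry.
chain_issuers() {
  awk '
    /^Certificate chain/        { in_chain = 1; next }
    /^---$/                     { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/  { depth = $1 }
    in_chain && /^ +i:/         { sub(/^ +i:/, ""); print depth "\t" $0 }
  '
}

# issuers_to_trust < s_client_output : distinct issuer names in the chain,
# that is, the CA names that steps 1 and 2 ask you to collect.
issuers_to_trust() { chain_issuers | cut -f2 | sort -u; }

# inspected_by PATTERN < s_client_output : succeed if any issuer matches.
inspected_by() { chain_issuers | grep -qi -- "$1"; }

# Constructed sample of an intercepted connection (names are illustrative).
SAMPLE='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = tenant.example.com
   i:O = Zscaler Inc., CN = Example Inspection Intermediate CA
-----BEGIN CERTIFICATE-----
(base64 omitted)
-----END CERTIFICATE-----
 1 s:O = Zscaler Inc., CN = Example Inspection Intermediate CA
   i:O = Zscaler Inc., CN = Example Inspection Root CA
---
Server certificate'

printf '%s\n' "$SAMPLE" | issuers_to_trust
```

After the import in step 2, `keytool -list -v -keystore /opt/netapp/cloudsecure/agent-certs/cert/client.keystore -alias <alias_name>` prints the stored certificate's fingerprints, which can be compared with the values your proxy administrators publish.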