Pulsar Agent
The agent transfers the data via an encrypted connection to the Enginsight Cloud or On-Premises installation. The connection is exclusively one-way, starting from the agent. Direct communication from the platform to the agent is excluded.
The client must run with root privileges.
Here you get an overview of the currently supported operating systems.
In this section you will learn how to install our Client Pulsar on your system.
To add a new host, go to the "Hosts" tab in the top menu. Either install a "Server Host" or a "Client Host".
Note that different licenses are required for servers and clients.
After that, please select your operating system.
Please enter the curl command you now see in your terminal. You need root access to install the client.
You will now be asked to accept our End User License Agreement (EULA). You can find this document here. By downloading our client you agree to the terms and conditions of the EULA.
Finally, you should receive a message that the Pulsar Agent has been successfully installed.
Run the installation script as root. To do this, press: Windows key + R and type "cmd". Copy and paste the given command in the cmd and press Enter.
You will now be asked to accept our End User License Agreement (EULA). You can find this document here. By downloading our agent, you agree to the terms and conditions from the EULA.
Finally, you should receive a message that Pulsar Agent has been successfully installed.
You can see that Enginsight is now communicating correctly with your device by the following screen within the platform:
Here you can now assign a technical and a functional responsible person and assign tags for the host.
You can roll out the Pulsar agent to multiple machines in a domain using a startup script. To set up the installation by group policy, create a script that checks whether the agent is installed at each system startup, and if not, runs the installation.
1. Copy the automatic installation script for Windows with your individual identifier and AccessKey to the clipboard. Do not include the top line powershell. To find the script, go to Hosts → Create Server Host or Create Client Host in the Enginsight platform, select the operating system "Windows Server 2008+, Windows 7+" and the "Automatic Installation" tab.
2. Paste the copied script into this template at the marked position:
Create a separate script for server and client licenses.
Your finished script with your individual identifier and AccessKey (for on-premises with customized API) looks like this:
3. Save the finished script as a PowerShell script file with the .ps1 ending.
4. Open the group policy editor: gpedit.msc
5. For the corresponding domain, navigate to Computer Configuration → Windows Settings → Scripts (Startup/Shutdown) → Startup.
6. In the "Scripts" tab, click "Add".
7. Enter powershell.exe as script name.
8. For script parameters, use the following template:
Replace the <networkpath> and the {guid} with your custom parameters.
Make sure that the location of the script is accessible to all machines in the domain and that all machines have permission to run the script.
The steps described here apply to volatile virtual desktops (no persistent changes to the system, possibly dynamically provisioned on different physical hosts) based on a master image whose user data is provided on a network drive using roaming profiles. If you are using a different setup, please refer to the notes at the end of this section.
1. Start your master image system.
2. Install a Pulsar agent via Enginsight platform: Hosts → Create Client Host → select operating system "Windows Server 2008+, Windows 7+" → run script (Windows key + R + "cmd").
3. Open the configuration file of the Pulsar agent under the following path:
4. Remove the _id value and adjust the parameters "environnement": "vdi" and "license": "client".
Your configuration file will now look something like this:
5. Save the configuration file.
6. Delete the host from the platform.
7. Save the master image.
On initial startup, users automatically add themselves to the VDI as hosts. The hosts are named after the account names.
Make sure to book enough client licenses for all monitored virtual desktops.
Also note that the Pulsar saves the config in C:\Users\AppData\Roaming\Enginsight\Pulsar\config.json in VDI operating mode. As long as the directory moves with the user, you should ensure that there is an agent for each user.
The following strategy can be used to automatically roll out agents on multiple VMs that originate from a master image but do not correspond to the above description of the supported VDI infrastructure (e.g. with fixed VMs per user):
The Pulsar must first be installed once in the master image. The setup script used for this should be saved, as the parameters it contains will be reused for the subsequent steps.
The “Enginsight Pulsar” and “Enginsight Supervisor” services should be stopped after installation in the master image and their start type set to “Manual”.
A new host and a separate configuration can now be created for each VM on the master image by renaming the existing configuration and creating a new one in the program directory using the following call:
The placeholders (...) must be replaced with the values from the setup script saved at the beginning. The parameters -proxy, -noProxy and -tags can be used if required. With each of these calls, a new host is created in the platform and the corresponding configuration is saved in the program directory as config.json. This process can therefore be automated for any number of VMs by creating a script. Make sure to restart the services afterwards and set the start type of the services in all VMs back to “automatic”.
If a proxy is used in the company, it must be specified. During the interactive installation, Enginsight will try to detect the proxy in use and ask you if it should be used.
Alternatively, the proxy can be specified directly in the installation script. Use the following parameters for this:
proxy: URL of the proxy through which the connections are to be routed
noProxy: URL(s) for which the proxy should not be used
Following are two examples for the interactive installation of the Pulsar-Agent with proxy parameter and optional noProxy parameter.
For automatic installation, the proxy parameter must be included in the installation script if required. Otherwise Enginsight tries to detect the proxy automatically.
If you want to change the proxy parameters of the Pulsar-Agent afterwards, you can do this via config.json. You can find it here:
Windows: C:\Program Files\Enginsight\Pulsar\config.json
Linux: /opt/enginsight/pulsar/config.json
You can specify the desired tags during the installation. To do this, add the tags parameter to the installation script. You can also add and customize tags at any time through the user interface.
Tags are very important in the Enginsight platform and increase effectiveness enormously. For example, you can use tags to group alerts or make settings for multiple hosts in the Policy Manager.
The Enginsight Pulsar-Agent is constantly updated by us. In order for all (new) functions to work as desired, it is necessary that you keep the agent up to date.
In the host overview you will receive a warning if the Pulsar agent does not correspond to the current version.
To update the agent you have two options:
You can update the agent on a single host. To do this, click on the host and click "Update Agent".
If you want to update the agent on all hosts simultaneously, click "Update Agents" in the Host Overview. You will see a list of hosts that are not running the latest version. Click Update to roll out the latest version of the Agent on all hosts.
If you need to uninstall the agent from one of your hosts, you can do so from within the Enginsight platform. First go to the Host Overview by clicking on Hosts in the navigation bar. Locate the host you want to uninstall and click on the 3 dots inside the overview tile and then click Delete.
Afterwards you have to confirm the deletion again.
Note that this will irretrievably delete all data on the host.
If the normal uninstallation is not possible, you can also uninstall the agent manually directly on the host.
Open a PowerShell as administrator.
Run the uninstall script as follows to manually uninstall the Pulsar agent:
& "C:\Program Files\Enginsight\Pulsar\uninstall.ps1"
Delete the host via the usual way to remove it from the Enginsight platform.
1. Run the uninstall script as root (e.g. via sudo) to manually uninstall the Pulsar agent:
Delete the host via the usual way to remove it from the Enginsight platform.
You can disable the execution of plugins entirely in the local configuration file of the Pulsar agent, so that it can no longer be activated via the UI of the Enginsight application.
Be careful with this setting. We recommend such an approach only in rare exceptional cases.
1. Open the configuration file of the Pulsar agent.
2. Add the override to the plugin configuration if the configuration is not already created. (Whether the function already exists depends on when you installed the Pulsar agent).
If the override option already exists, simply set the parameter to true.
Be sure to add a comma after the curly brace enclosing the API configuration. Otherwise the override configuration will be ignored.
3. Restart the Pulsar agent.
1. Open the configuration file of the Pulsar agent.
2. Add the override to the plugin configuration, if the configuration is not already created. (Whether the function already exists depends on when you installed the Pulsar agent).
If the override option already exists, simply set the parameter to true.
Be sure to add a comma after the curly brace enclosing the API configuration. Otherwise the override configuration will be ignored.
3. Restart the Pulsar agent.
Windows key + R → services.msc → Enginsight Pulsar → right-click → All tasks → Restart
The Pulsar configuration file (pulsar-config.json) contains parameters that apply to a number of components. These components include:
SIEM
Defense: actions, status and scans
System events
Shield actions
IDS attacks
Please note that the parameters in the API configuration, if set, overwrite the corresponding parameters in the Pulsar configuration for SIEM only.
Open the configuration file of the Pulsar agent.
nano /opt/enginsight/pulsar/config.json
Add the following section in the appropriate place:
Restart the Pulsar agent.
service ngs-pulsar restart
Open the configuration file of the Pulsar agent.
C:\Programme\Enginsight\Pulsar\config.json
Add the following section in the appropriate place:
Restart the Pulsar agent.
Windows key + R → services.msc → Enginsight Pulsar → Right-click → All tasks → Restart
In the example, you can see the default values we use, which are active if no manual adjustments are made in this configuration:
"coldStorageThreshold" is the size in bytes that must be exceeded by the transaction log on the hard disk before it is archived (compressed). (default: 1 GB)
"deletionThreshold" is the total size of all archived logs in bytes, above which the oldest archive file is deleted. (default: 10 GB)
"deletionAge" specifies the maximum age of the oldest archive. The value can be specified as a string as in the example. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Alternatively, it can be specified as a number (without quotation marks) in nanoseconds. (default: 7 days)
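The following is an added example, not Enginsight's code, that checks the three values before the agent is restarted. The unit list above is the one Go's time.ParseDuration accepts, so the example uses that function; that the agent parses the value the same way and that the three keys sit together in one JSON object are assumptions, and the sample values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Retention mirrors the three keys named above; DeletionAge stays raw (string or number).
type Retention struct {
	ColdStorageThreshold int64           `json:"coldStorageThreshold"`
	DeletionThreshold    int64           `json:"deletionThreshold"`
	DeletionAge          json.RawMessage `json:"deletionAge"`
}

// parseAge accepts both documented forms of deletionAge.
func parseAge(raw json.RawMessage) (time.Duration, error) {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return time.ParseDuration(s) // units: ns, us/µs, ms, s, m, h; no "d"
	}
	var ns int64
	if err := json.Unmarshal(raw, &ns); err != nil {
		return 0, fmt.Errorf("neither a duration string nor a number: %s", raw)
	}
	return time.Duration(ns), nil
}

// checkRetention validates a fragment with all three keys set and returns the maximum archive age.
func checkRetention(fragment []byte) (time.Duration, error) {
	var r Retention
	if err := json.Unmarshal(fragment, &r); err != nil {
		return 0, fmt.Errorf("invalid JSON: %w", err)
	}
	age, err := parseAge(r.DeletionAge)
	if err != nil {
		return 0, fmt.Errorf("deletionAge: %w", err)
	}
	if age <= 0 || r.ColdStorageThreshold <= 0 || r.DeletionThreshold <= 0 {
		return 0, fmt.Errorf("sizes and age must be positive")
	}
	return age, nil
}

func main() {
	// Constructed sample: 7 days written as hours, since "7d" is rejected.
	sample := `{"coldStorageThreshold":1000000000,"deletionThreshold":10000000000,"deletionAge":"168h"}`
	fmt.Println(checkRetention([]byte(sample)))
}
```

A seven-day limit therefore has to be written as "168h" or as the bare number 604800000000000; a value such as "7d" fails the check because days are not among the listed units.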