Skip to main content

Agent Management

To analyze application, host, and user behavior, Lacework uses a lightweight agent, which securely forwards collected metadata to the Lacework platform for analysis. The agent requires minimal system resources and runs on most Linux distributions.

Install an Agent

Use the command lacework agent install <[user@]host[:port]> for single-host installation of the Lacework agent via Secure Shell (SSH). When this command is executed without any additional flag, an interactive prompt will be launched to help gather the necessary authentication information to access the remote host.

note

For a complete list of supported installation methods, see Agent Install Options

To authenticate to the remote host with a username and password.

lacework agent install <host> --ssh_username <your-user> --ssh_password <secret>

To authenticate to the remote host with an identity file instead.

lacework agent install <user@host> -i /path/to/your/key

lacework-cli-agent-install-release

To provide an agent access token of your choice, use the command lacework agent token list, select a token and pass it to the --token flag.

To authenticate to the remote host on a non-standard SSH port use the '--ssh_port' flag or pass it directly via the argument.

lacework agent install <user@host:port>

To bypass the question to add unknown host keys to the ~/.ssh/known_hosts file, use the flag --trust_host_key.

List Agents

List all hosts that have a running agent in your environment using the command.

lacework agent list

You can use key:value pairs to filter the list of hosts with the --filter flag.

lacework agent list --filter 'os:Amazon Linux' --filter 'tags.VpcId:vpc-72225916'
note

The value can be a regular expression such as hostname:db-server.*

Agent Access Tokens

To list all agent access tokens:

lacework agent token list
important

Agent tokens should be treated as secret and not published. A token uniquely identifies a Lacework customer. If you suspect your token has been publicly exposed or compromised, generate a new token, update the new token on all machines using the old token. When complete, the old token can safely be disabled without interrupting Lacework services.

To create a new agent access token:

lacework agent token create <name> [description]
note

The [description] is an optional argument.

You can use the agent token name to logically separate your deployments, for example, by environment types (QA, Dev, etc.) or system types (CentOS, RHEL, etc.).

To show details about an agent access token:

lacework agent token show <token>
important

By design, agent tokens cannot be deleted.

To disable an agent access token:

lacework agent token update <token> --disable

To enable an agent access token:

lacework agent token update <token> --enable

You can also update the name and/or description of any agent access token with the command:

lacework agent token update <token> --name dev --description "k8s deployment for dev env"