Once installed and running, the agent starts collecting and batching data. The data collected is periodically transmitted over an encrypted channel to Lacework servers for analysis. It may take up to 2 hours to construct a base graph and for the Lacework Console to populate. Lacework sends a notification to the email address used during registration to inform the user when results are first available in the Lacework Console.
If you have not received an email notification and machine data is not shown two hours after agent installation, the agent may not be able to communicate with Lacework servers.
In this case, verify the following:
- Is the agent using a deactivated token, and invalid token, or none at all?
- Does the agent need to be configured to use a proxy, or has the proxy been misconfigured? Go to Required Connectivity, Proxies & Certificates for instructions on how to add a proxy.
- Is the GoDaddy certificate in the root store? If not, the GoDaddy certificate needs to be added to the trusted root store. Please consult appropriate resources on installing third-party CA certificates. See Required Connectivity, Proxies & Certificates.
- When running the Lacework agent in a Docker container, the hostname of machine in the Lacework Console is not the same as the hostname of the docker host. This is a limitation in Docker runtime which prevents running containers from getting notifications when the Docker host updates the hostname. The following procedure corrects this Docker issue:
Docker Limitation Workaround
To correct the Docker issue that prevents running containers from getting notifications when the Docker host updates the hostname:
- Query the current docker host hostname:
- Update the hostname in the Docker host:
sudo hostname new-coreos-1122.3.0
- Find the process id of the Lacework datacollector container:
sudo docker ps-a
0123ae6c9bd9 lacework/datacollector:latest “/var/lib/backup/data” 2 hours ago Up
2 hours datacollector
- Find the PID of the Lacework datacollector container:
sudo docker inspect 0123ae6c9bd9 | grep Pid
- Edit the UTS namespace of the Lacework datacollector container, updating it with the new hostname where nsenter is part of the util-linux package.
sudo nsenter --target 2897 --uts hostname new-coreos-1122.3.0
- Log in to the Lacework agent container and verify that the new hostname is visible:You do not need to restart the Lacework agent container to display the new hostname.
sudo docker exec -it 0123ae6c9bd9 /bin/bash
groups: cannot find name for group ID 0