Creating groups of agent handlers

A group of agent handlers consists of one or several agent handlers. When an agent must connect to an agent handler, the agent gives priority to the last handler that accepted its request. If the connection fails, the agent will randomly choose another handler from the group until its request is accepted.

After an agent handler is installed, it will automatically appear in the Backoffice > Agent handlers menu in the administration console. By default, it belongs to a group named New Group (agent handler_name). By default, you can edit this group, create new groups or move an agent handler to another group.

Agent logs can be sent to different syslog servers configured for each agent handler group. For example, configure several syslog servers to receive logs of varying levels of severity or with different content formats.

The Stormshield Log Supervisor (SLS) log management solution can be used with SES Evolution. For more information, see section Configuring communication with a Stormshield Log Supervisor (SLS) server and the SLS documentation available on the Stormshield Technical Documentation website.

  1. Choose the BackOffice > Agent handlers menu.
  2. In the left panel, click on the + icon. The line New group appears.
  3. In the Agent handler group settings, enter the Name of your agent handler group.
  4. If you want to send agent logs from this agent handler group to syslog servers, click on Add a server and define the following parameters:
    • Address: enter the IP address or DNS name of the syslog server.
    • Protocol: select the protocol that communicates with the syslog server. If you wish to encrypt the data exchanged, select TCP/TLS. In this case, the root certification authority and intermediate authorities of the syslog server must be imported in the certificate store of each agent handler computer.
    • Port: enter the port number used for syslog; TCP 1468 by default. The TCP or UDP port numbers indicated here are allowed on the firewall of the workstation that hosts the agent handler, as well as on all network devices located between the agent handler and syslog server.
    • Transfer type: choose the parameter defined during the installation of the syslog server.
    • Structured data: Use this field to specify additional data to insert in the header of Syslog messages. To know the expected data format, refer to RFC 5424. You can add more than one data in the field. For example: [ABC param1="value1"][KEY@12345 param2="value2"].
    • Message format: choose the message format:
      • simple text mode (like the messages displayed in the Agent logs menu),
      • raw JSON format containing all the technical data,
      • CEF format,
      • IDMEF format.
    • Message language: Select the language if necessary.
    • You can indicate a maximum message size in bytes.
    • Choose the lowest log severity to send to this server.
    If you have configured at least one Syslog server, a Syslog server operation indicator will appear in the top banner of the console, after the environment has been deployed. It indicates the presence of any warnings or alerts, if any. Click on the indicator to display details for each server.
  5. If you wish to move an agent handler from another group to your new group, select the handler and drag and drop it to the new group.
  6. Click on Save in the upper banner.

NOTE
We advise against the use of UDP for communications with the Syslog server. Use TLS instead.

If you are using SLS, the Stormshield log management solution, configure the settings as follows in the Syslog servers section of the agent handler group settings panel.

Sending logs over TCP

  1. Indicate the IP address of the SLS server.

  2. Select TCP as the protocol.

  3. Indicate port 601.

  4. Select Raw JSON as the Message format.

  5. Select Non-Transparent-Framing as the Transfer type.

Sending logs over TCP/TLS

The SLS server must have an X.509 certificate in PEM format.

  1. Enter the .crt certificate and .key private key in the SLS administration console.

  2. Import the SLS server's root certificate into the certificate store of each machine hosting an agent handler.

  3. In the Syslog server section of the SES Evolution administration console, configure the settings as follows:

    • Indicate the host name or IP address of the SLS server. It must match the address entered in the certificate. If you have used the server host name in the certificate, you can specify the corresponding IP address in the HOST file of the machines hosting the agent handlers.

    • Select TCP/TLS,

    • Indicate port 6514,

    • Select Raw JSON as the Message format,

    • Select Non-Transparent-Framing as the Transfer type.

In both cases, if you encounter issues receiving logs in SLS, refer to System logs in the SES Evolution administration console. Filter by the relevant agent handler. For more information, see the section Monitoring the activity of SES Evolution backoffice components.

NOTE
The TCP port number indicated here must be allowed on the firewall of the workstations that host the agent handler, as well as on all network devices located between the agent handlers and SLS server.

A syslog server is not receiving logs that agents send:

  • Situation: One of the syslog servers configured in an agent handler group is not receiving any logs from agents.
  • Cause: There may be an error in the TCP/TLS configuration of the syslog server.
  • Solution: Start by checking that the syslog server is indeed running in TCP.
    If this is the case, check the logs that the agent handler generated. If there is an issue with the TCP/TLS configuration, the agent handler will generate a log identifying the malfunctioning syslog server, and describing the possible causes.
    If you do not see this log, try restarting the agent handler to force logging. Wait at least one minute after restarting.
    Based on the indications in the log, review the TCP/TLS configuration of the syslog server.
    You can also check the minimum log severity that you have set, so that they can be sent to the syslog server .