Creating groups of agent handlers

A group of agent handlers consists of one or several agent handlers. When an agent must connect to an agent handler, the agent gives priority to the last handler that accepted its request. If the connection fails, the agent will randomly choose another handler from the group until its request is accepted.

After an agent handler is installed, it will automatically appear in the Agent handlers menu in the administration console. By default, it belongs to a group named New Group (agent handler_name). By default, you can edit this group, create new groups or move an agent handler to another group.

Agent logs can be sent to different syslog servers configured for each agent handler group. For example, configure several syslog servers to receive logs of varying levels of severity or with different content formats.

The Stormshield Log Supervisor (SLS) log management solution can be used with SES Evolution. For more information, refer to SLS documentation available at StormshieldTechnical Documentation.

  1. Choose the Agent handlers menu.
  2. In the left panel, click on the + icon. The line New group appears.
  3. In the Agent handler group settings, enter the Name of your agent handler group.
  4. If you want to send agent logs from this agent handler group to syslog servers, click on Add a server and define the following parameters:
    • Address: enter the IP address or DNS name of the syslog server.
    • Protocol: select the protocol that communicates with the syslog server. If you wish to encrypt the data exchanged, select TCP/TLS. In this case, the root certification authority and intermediate authorities of the syslog server must be imported in the certificate store of each agent handler computer.
    • Port: enter the port number used for syslog; TCP 1468 by default. The TCP or UDP port numbers indicated here are allowed on the firewall of the workstation that hosts the agent handler, as well as on all network devices located between the agent handler and syslog server.
    • Transfer type: choose the parameter defined during the installation of the syslog server.
    • Message format: choose the message format:
      • simple text mode (like the messages displayed in the Agent logs menu),
      • raw JSON format containing all the technical data,
      • CEF format,
      • IDMEF format.
    • Message language: Select the language if necessary.
    • You can indicate a maximum message size in bytes.
    • Choose the lowest log severity to send to this server.
  5. If you wish to move an agent handler from another group to your new group, select the handler and drag and drop it to the new group.
  6. Click on Save in the upper banner.

Troubleshooting

  • Situation: One of the syslog servers configured in an agent handler group is not receiving any logs from agents.
  • Cause: There may be an error in the TCP/TLS configuration of the syslog server.
  • Solution: Start by checking that the syslog server is indeed running in TCP.
    If this is the case, check the logs that the agent handler generated. If there is an issue with the TCP/TLS configuration, the agent handler will generate a log identifying the malfunctioning syslog server, and describing the possible causes.
    If you do not see this log, try restarting the agent handler to force logging. Wait at least one minute after restarting.
    Based on the indications in the log, review the TCP/TLS configuration of the syslog server.
    You can also check the minimum log severity that you have set, so that they can be sent to the syslog server .