What commands does the Linux agent run to collect performance and system statistic data?
Do the commands have to be given sudo rights or does the user the agent creates do that for you?
Hello Ryan,
I used my labs and one test CentOS machine to verify this question.
The Agent creates a new account, which is used for executing console commands.
You will also see a new process for the agent.
I installed the Agent on CentOS Linux:
-------------
Nov 18 19:21:49 centos7 systemd: Starting SolarWinds Agent Service...
Nov 18 19:21:49 centos7 journal: SolarWinds Agent[28777]: SolarWinds Agent [1.8.0.551] Upgrade - deleting file [/opt/SolarWinds/Agent/bin/swiagent.upgrade]
Nov 18 19:21:49 centos7 systemd: Started SolarWinds Agent Service.
Nov 18 19:21:51 centos7 journal: SolarWinds Agent[28777]: SolarWinds Agent (provisioning) [1.8.0.551] was started, built with OpenSSL version [OpenSSL 1.0.2k-fips 26 Jan 2017]
Here you can see the new account created by the Agent:
[root@centos7 log]# cat secure | grep swiagent
Nov 18 19:21:47 centos7 groupadd[28641]: group added to /etc/group: name=swiagent, GID=992
Nov 18 19:21:47 centos7 groupadd[28641]: group added to /etc/gshadow: name=swiagent
Nov 18 19:21:47 centos7 groupadd[28641]: new group: name=swiagent, GID=992
Nov 18 19:21:47 centos7 useradd[28646]: new user: name=swiagent, UID=995, GID=992, home=/opt/SolarWinds/Agent, shell=/sbin/nologin
[root@centos7 log]# pwd
/var/log
[root@centos7 log]#
[root@centos7 home]# cat /etc/passwd | grep SolarWinds
swiagent:x:995:992::/opt/SolarWinds/Agent:/sbin/nologin
[root@centos7 home]#
Here is the Agent process, run by the swiagent account:
[root@centos7 bin]# ps xua | grep swiagent
swiagent 28777 0.3 1.9 1735676 19588 ? Ssl 19:21 0:03 /opt/SolarWinds/Agent/bin/swiagent /detach pidfile=/opt/SolarWinds/Agent/bin/swiagentd.pid
swiagent 28850 0.3 1.3 1018416 14024 ? Sl 19:22 0:02 /opt/SolarWinds/Agent/bin/Plugins/JobEngine/SolarWinds.Agent.JobEngine.Plugin ep=EWA4dd90f6d01924b579d7421f27782eb49 id=63c91981-0837-42d3-955a-dcc687f4bd8c.EWWP ipc=ipc_mq_v1
root 29695 0.0 0.1 119924 1172 pts/2 S+ 19:37 0:00 grep --color=auto swiagent
[root@centos7 bin]#
And here you can see established connections from SolarWinds server (192.168.1.39) to CentOS (192.168.1.45):
[root@centos7 log]# netstat --inet -n | grep 192.168.1.39
tcp 0 0 192.168.1.45:42636 192.168.1.39:17778 ESTABLISHED
tcp 0 0 192.168.1.45:42677 192.168.1.39:17778 ESTABLISHED
tcp 0 0 192.168.1.45:42676 192.168.1.39:17778 ESTABLISHED
You can verify those ports in the below documentation:
https://support.solarwinds.com/Success_Center/Orion_Platform/Orion_Documentation/Orion_Platform_Administrator_Guide/Poll_devices_with_SolarWinds_Orion_agents/SolarWinds_Orion_agent_requirements
Small hint - you will not find the typical bash history for these commands, because they are run via the agent process and not SSH.
However, you can check the Agent logs. Here is an example of "Linux Disk Monitoring Perl" SAM template.
[root@centos7 Logs]# pwd
/opt/SolarWinds/Agent/bin/appdata/Logs
[root@centos7 Logs]#
[root@centos7 Logs]# cat APM_job_application.log
----snip----
17/11/18 19:52:28.573 PID: 30317 TID: 140015132571456 [INFO] job_application - Starting poll of component 561 (Available space on / partition (MB))
17/11/18 19:52:28.580 PID: 30317 TID: 140015132571456 [DEBUG] scriptrunner - Initial identity: uid=0, gid=992, euid=995, egid=992
17/11/18 19:52:28.580 PID: 30317 TID: 140015132571456 [DEBUG] scriptrunner - User identity before: uid=0, gid=992, euid=995, egid=992
17/11/18 19:52:28.580 PID: 30317 TID: 140015132571456 [DEBUG] scriptrunner - Creating temp script file: /tmp/APM_3QI_oS
17/11/18 19:52:28.581 PID: 30317 TID: 140015132571456 [INFO] scriptrunner - Execution of command (subprocess method): perl /tmp/APM_3QI_oS
17/11/18 19:52:28.604 PID: 30317 TID: 140015132571456 [DEBUG] scriptrunner - Script output:
Message: Available space on / partition in MB : 36851
Statistic: 36851
17/11/18 19:52:28.604 PID: 30317 TID: 140015132571456 [DEBUG] scriptrunner - Script exit code: 0
17/11/18 19:52:28.605 PID: 30317 TID: 140015132571456 [DEBUG] scriptrunner - File /tmp/APM_3QI_oS deleted
17/11/18 19:52:28.605 PID: 30317 TID: 140015132571456 [DEBUG] scriptrunner - User identity after: uid=0, gid=992, euid=995, egid=992
17/11/18 19:52:28.608 PID: 30317 TID: 140015132571456 [DEBUG] job_application - job_application.py exiting
From above you can see what the agent is doing.
It creates a temporary Perl script, executes it to output the available space, and then deletes the temp script.
This action is done every time the polling is performed - 300 seconds by default.
I hope this will help you.
Kind regards,
Marcin Kazmierczak.
---
IT-Indago Ltd. - Authorized Reseller & SolarWinds Certified SCP Professional
IT-Indago – Be In Control! | Follow us on Facebook & LinkedIn
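Since these commands leave no shell history, the agent log is the record of what ran and as whom. The following is an added example, not part of the original post and not SolarWinds code: it parses the scriptrunner lines shown in the excerpt above into one record per executed command, including the uid/euid pair logged just before execution. The line format is assumed from this excerpt only, and the sample input is constructed from it.

```python
import re

# Constructed sample, shaped like the APM_job_application.log excerpt in the post.
SAMPLE_LOG = """\
17/11/18 19:52:28.573 PID: 30317 TID: 140015132571456 [INFO] job_application - Starting poll of component 561 (Available space on / partition (MB))
17/11/18 19:52:28.580 PID: 30317 TID: 140015132571456 [DEBUG] scriptrunner - User identity before: uid=0, gid=992, euid=995, egid=992
17/11/18 19:52:28.581 PID: 30317 TID: 140015132571456 [INFO] scriptrunner - Execution of command (subprocess method): perl /tmp/APM_3QI_oS
17/11/18 19:52:28.604 PID: 30317 TID: 140015132571456 [DEBUG] scriptrunner - Script exit code: 0
"""

# Header layout assumed from the excerpt: timestamp, PID, TID, [LEVEL], source, message.
LINE = re.compile(r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) PID: (?P<pid>\d+) TID: \d+ "
                  r"\[(?P<level>\w+)\] (?P<source>\w+) - (?P<msg>.*)$")
IDENT = re.compile(r"User identity before: uid=(\d+), gid=(\d+), euid=(\d+), egid=(\d+)")
POLL = re.compile(r"Starting poll of component (\d+) \((.*)\)$")
EXEC = re.compile(r"Execution of command \((.+?)\): (.*)$")
EXIT = re.compile(r"Script exit code: (-?\d+)")

def audit_commands(text):
    """Return one record per executed command, correlated by the PID that logged it."""
    pending, records = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # script output and "----snip----" lines carry no header
        state = pending.setdefault(m["pid"], {"pid": int(m["pid"])})
        msg = m["msg"]
        if (p := POLL.search(msg)):
            state.update(component=int(p[1]), name=p[2])
        elif (i := IDENT.search(msg)):
            uid, gid, euid, egid = map(int, i.groups())
            # Record when real and effective uid differ, as they do in the excerpt.
            state.update(uid=uid, gid=gid, euid=euid, egid=egid, uid_mismatch=uid != euid)
        elif (e := EXEC.search(msg)):
            state.update(time=m["ts"], method=e[1], command=e[2])
        elif (x := EXIT.search(msg)) and "command" in state:
            records.append({**state, "exit_code": int(x[1])})
            pending.pop(m["pid"])  # poll finished; start fresh for this PID
    return records

if __name__ == "__main__":
    for record in audit_commands(SAMPLE_LOG):
        print(record)
```

The temp script is deleted after each poll, so the log records only the interpreter and path, not the script body.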
Thank you kpmarcin! That was a very thorough response!