Linux Troubleshooting Guide
Important File and Log Locations
File | Location | Purpose |
---|---|---|
Axon Agent Log | /var/log/logrhythm/lragent.log | Log file for Axon Agent, containing logs related to Agent installation and running status. |
Axon Agent Config File | /etc/logrhythm/lragent_config.json | Running configuration file for Axon Agent |
Axon Agent Binary | /bin/logrhythm/lr-agent | Binary for Axon Agent |
FluentD Log | /var/log/td-agent/td-agent.log | Log file for FluentD. Check here for error/info logs. Shows the current running config, plugin versions, and startup command. |
FluentD Config | /etc/td-agent/td-agent.conf | Config file for FluentD. Contains all settings for collectors, output, filtering and buffering. This file is automatically overwritten by Axon based on selections made in the UI. Manual changes will not be preserved if the Axon Agent service is running. |
FluentD Binary | /opt/td-agent/bin/fluentd | Binary for FluentD (td-agent) |
Axon Agent General Troubleshooting Tips for Linux
Determining the Axon Agent's Running Status
To check if the service is running and has associated osquery and ruby processes, run the following command:
sudo systemctl status lr-agent.logrhythm
The following is an example of an output for a running Axon Agent:
Use the 'cat' command on the following log files and check for errors:
- /etc/td-agent/td-agent.log
- /etc/td-agent/td-agent.conf
Specific Errors and Resolutions
"Certificate has expired or is not yet valid" Error
Problem
The following error is showing up in your lragent.log file during installation of the LogRhythm Axon Agent:
"Fetching new config failed, falling back to old config...","msg":"transport error retrieving config: rpc error: code = Unavailable desc = connection error: desc = \"transport: authentication handshake failed: x509: certificate has expired or is not yet valid:
Resolution
This error occurs when the system time on your Linux installation is incorrect. Update the current system date/time and this error will resolve.
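One way to script this check, as an added example that is not part of the original guide or LogRhythm's tooling: it counts the certificate-validity error in the agent log (path from the table above) and reports whether systemd considers the clock NTP-synchronized. The function names are hypothetical, and `timedatectl show` assumes a systemd-based host.

```shell
#!/bin/sh
# Added example, not LogRhythm code. Function names are hypothetical.
# Default log path is the Axon Agent Log location listed on this page.
AGENT_LOG="${AGENT_LOG:-/var/log/logrhythm/lragent.log}"
CERT_ERR='x509: certificate has expired or is not yet valid'

# Print how many log lines carry the certificate-validity error (0 if unreadable).
count_cert_time_errors() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -cF -- "$CERT_ERR" "$1" || true   # grep -c exits 1 on zero matches
}

# Print yes, no or unknown: does systemd report the clock as NTP-synchronized?
# Assumes a systemd host; anything else yields "unknown".
clock_sync_state() {
    v=""
    if command -v timedatectl >/dev/null 2>&1; then
        v=$(timedatectl show -p NTPSynchronized --value 2>/dev/null) || v=""
    fi
    case "$v" in
        yes|no) echo "$v" ;;
        *)      echo unknown ;;
    esac
}

# Print a verdict for the given log; return 1 when the error is present,
# 2 when the log cannot be read.
triage_cert_error() {
    log="${1:-$AGENT_LOG}"
    [ -r "$log" ] || { echo "ERROR: cannot read $log (try sudo)"; return 2; }
    hits=$(count_cert_time_errors "$log")
    if [ "$hits" -eq 0 ]; then
        echo "OK: no certificate-validity errors in $log"
        return 0
    fi
    sync=$(clock_sync_state)
    echo "FOUND: $hits certificate-validity error(s) in $log"
    echo "System time (UTC): $(date -u '+%Y-%m-%d %H:%M:%S')"
    echo "NTP synchronized: $sync"
    [ "$sync" = yes ] || echo "Correct the system date/time, then recheck the log."
    return 1
}

# Run directly with a log path argument; with no argument nothing is executed.
[ "$#" -eq 0 ] || triage_cert_error "$1"
```

The count covers every matching line in the file, so entries written before the clock was corrected still appear; compare their timestamps with the time of the fix.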