This article describes various commands and debugging scenarios. Depending on the distribution that Red Canary Linux EDR is installed on, you may have to adjust which command you use. Distributions that use systemd manage services with systemctl, whereas other distributions may use init and the service command, or Upstart, which uses initctl. Note that service commands also work on distributions that use systemd, but distributions using init cannot interpret systemctl commands.
Here are a few popular distributions that use systemd.
- CentOS
- Ubuntu
- Red Hat
- Fedora
- Debian
When following these steps, please verify first which command is applicable to your distribution.
Confirm the agent is running
Run:
systemctl status cfsvcd
Expected output
“Active:” ... “active (running)”
Check that the log entries (the lines beginning with timestamps) don’t indicate any error conditions. If there have not been any, you should still see entries from systemd indicating that the service started and an entry from cfsvcd indicating that it found the config.json file and is continuing execution.
If your distribution uses Upstart, run:
initctl status cfsvcd
If your distribution uses init, run:
service cfsvcd status
Note: If Sensor Auto-Upgrade is enabled, the service to check is cwp.service.
Systemd example:
systemctl status cwp.service
Confirm the agent has network connectivity
Run:
nc -z any_arbitrary_bucket.s3.amazonaws.com 443
You may need to install the nc command first if it isn’t installed yet. If there is no printed result from the command, then the required network connectivity is available.
Confirm the agent has initialized
Run:
file /opt/redcanary/spool
This directory is created upon the first upload attempt. It is emptied when an upload succeeds, so there may be no contents. If it contains many entries, there may be a problem uploading telemetry. One or two entries that are present for a short time may appear during normal operation.
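The three checks above can be combined into one triage helper. This is an added example, not Red Canary's own tooling; the function names, the 10-minute age cutoff, and treating more than two spool entries as "many" are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: triage helper built from the checks in this article.
# Assumptions (not from Red Canary): function names, the 10-minute age
# cutoff, and treating more than 2 entries as "many".

# Print which service manager this host boots with.
detect_init() {
  if [ -d /run/systemd/system ]; then echo systemd
  elif initctl version 2>/dev/null | grep -q upstart; then echo upstart
  else echo init
  fi
}

# Print the status command for an init system ($1) and service name ($2).
status_cmd() {
  case "$1" in
    systemd) echo "systemctl status $2" ;;
    upstart) echo "initctl status $2" ;;
    *)       echo "service $2 status" ;;
  esac
}

# Classify the spool directory: missing | ok | backlog.
# $1 = spool dir, $2 = max entries considered normal, $3 = max age (minutes)
spool_state() {
  local dir="$1" max="${2:-2}" age="${3:-10}" total stale
  # The directory only exists after the first upload attempt.
  [ -d "$dir" ] || { echo missing; return; }
  total=$(find "$dir" -mindepth 1 -maxdepth 1 | wc -l)
  stale=$(find "$dir" -mindepth 1 -maxdepth 1 -mmin +"$age" | wc -l)
  # Many entries, or any entry that lingers, suggests uploads are failing.
  if [ "$total" -gt "$max" ] || [ "$stale" -gt 0 ]; then echo backlog
  else echo ok
  fi
}

main() {
  local svc="${1:-cfsvcd}"   # pass cwp.service if Sensor Auto-Upgrade is enabled
  $(status_cmd "$(detect_init)" "$svc") | head -n 5
  nc -z -w 5 any_arbitrary_bucket.s3.amazonaws.com 443 \
    && echo "network: ok" || echo "network: cannot reach S3 on 443"
  echo "spool: $(spool_state /opt/redcanary/spool)"
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Run it with `--run` (optionally followed by the service name); a `backlog` result for the spool directory is the cue to look at the network check and the service log entries.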
Manually stop the agent
If you need to manually stop the agent, run:
sudo systemctl stop cfsvcd
If your distribution uses Upstart, run:
sudo initctl stop cfsvcd
If your distribution uses init, run:
sudo service cfsvcd stop
Note: If Sensor Auto-Upgrade is enabled, the service to stop is cwp.service.
Systemd example:
systemctl stop cwp.service
Manually start the agent
If you need to manually start the agent, run:
sudo systemctl start cfsvcd
If your distribution uses Upstart, run:
sudo initctl start cfsvcd
If your distribution uses init, run:
sudo service cfsvcd start
Note: If Sensor Auto-Upgrade is enabled, the service to start is cwp.service.
Systemd example:
systemctl start cwp.service
Enable Safe Mode
If you need to manually enable Safe Mode through the command line, run:
/opt/redcanary/cfctl safe --enable
Disable Safe Mode
To disable Safe Mode and return the agent to normal operation through the command line, run:
/opt/redcanary/cfctl safe --disable