Deploy and Verify Endpoint Agents

This section provides instructions on how to deploy and verify agents.

Note: By default, the agent is installed in Insights mode. Depending on the policy assigned, the agent can operate in Insights or Advanced mode. Make sure you review the policy before deploying the agent. For more information, see the NetWitness Endpoint Configuration Guide.

Deploying Agents (Windows)

To deploy the agent, run the nwe-agent-package.exe file on the hosts you want to monitor.

Verifying Windows Agents

After deploying the Windows agents, you can verify if a Windows agent is running by using any of the following methods:

  • Using the NetWitness UI

    The Hosts view contains the list of all hosts with an agent. You can look for the host name on which the agent is installed.

    Note: Click Hosts or press F5 to refresh the list for the latest data.

  • Using Task Manager

    Open Task Manager and look for the service name that you configured while generating the agent packager on the host machine.

  • Using Services.msc

    Open Services.msc from the Run dialog and look for the service name that you configured while generating the agent packager on the host machine.

Deploying Agent (Linux)

To deploy the agent on the hosts you want to monitor:

RPM based Linux

Run the nwe-agent.x86_64.rpm (for 64-bit) file. To run the command, open Terminal on the Linux machine and run the following command as root:

rpm -iv <installer file name>.rpm

For example, using the default installer file name, you can enter the following command:

rpm -iv nwe-agent.x86_64.rpm (for x86_64 architecture)

Note: To upgrade RPM based Linux agents, run rpm -Uvh nwe-agent.x86_64.rpm.

 

Debian based Linux

Run the nwe-agent.x86_64.deb (for 64-bit) file. To run the command, open Terminal on the Linux machine and run the following command as root:

dpkg -i <installer file name>.deb

For example, using the default installer file name, you can enter the following command:

dpkg -i nwe-agent.x86_64.deb (for x86_64 architecture)

(Enter the administrator password when prompted.)

Note: To upgrade Debian based Linux agents, run dpkg -i nwe-agent.x86_64.deb.

Verifying Linux Agents

After deploying the Linux agents, you can verify if a Linux agent is running by using any of the following methods:

  • Using the NetWitness UI

    The Hosts view contains the list of all hosts with an agent.

    Note: Click Hosts or press F5 to refresh the list for the latest data.

  • Using Command Line

    Run the following command to get the PID:

    pgrep nwe-agent

  • To check the NetWitness Endpoint version, run the following command:

    cat /opt/rsa/nwe-agent/config/nwe-agent.config | grep version
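
The Linux command-line checks above combined into one script whose exit status a deployment or monitoring tool can act on. This is an added example, not NetWitness code: the function names, the NWE_PROC and NWE_CONF override variables and the exit-code meanings are assumptions made here, while the process name and config path are the ones given on this page.

```shell
#!/bin/sh
# Added example: scripted form of the Linux verification steps on this page.
# The config-file layout is not documented here, so the version check only
# returns lines containing "version", exactly as the page's grep does.

# Defaults come from this page; both can be overridden (assumed variable names).
NWE_PROC="${NWE_PROC:-nwe-agent}"
NWE_CONF="${NWE_CONF:-/opt/rsa/nwe-agent/config/nwe-agent.config}"

# Print the agent PID(s). Non-zero exit status if no such process is running.
nwe_agent_pid() {
    pgrep "$NWE_PROC"
}

# Print the version line(s) from the agent config.
# Returns 2 if the file is unreadable, 1 if it has no "version" line.
nwe_agent_version() {
    [ -r "$NWE_CONF" ] || return 2
    grep version "$NWE_CONF"
}

# Run both checks and report.
# Returns 0 = running and version found, 1 = not running,
#         2 = running but version could not be read.
nwe_verify() {
    status=0
    if pids=$(nwe_agent_pid); then
        echo "running: pid(s) $(echo $pids)"
    else
        echo "not running: no $NWE_PROC process found"
        status=1
    fi
    if ver=$(nwe_agent_version); then
        echo "version: $ver"
    else
        echo "version: not found in $NWE_CONF"
        if [ "$status" -eq 0 ]; then status=2; fi
    fi
    return "$status"
}
```

Source the file as root on the monitored host and call nwe_verify; a non-zero status identifies hosts where the install did not leave a running agent.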

Deploying Agent (Mac)

To deploy the agent, run the nwe-agent.pkg file on the hosts you want to monitor. On macOS version Catalina (10.15) and higher, you need to move the nwe-agent.pkg file to a folder with sufficient access privileges (e.g., /tmp) and install the agent from there.

Verifying Mac Agents

After deploying the Mac agents, you can verify if a Mac agent is running by using any of the following methods:

  • Using the NetWitness UI

    The Hosts view contains the list of all hosts with an agent.

    Note: Click Hosts or press F5 to refresh the list for the latest data.

  • Using Activity Monitor

    Open Activity Monitor (/Applications/Utilities/Activity Monitor.app) and look for NWEAgent.

  • Using Command Line

    Run the following command to get the PID:

    pgrep NWEAgent

  • To check the NetWitness Endpoint version, run the command:

    grep -a /var/log/NWEAgent.log | grep NWEAgent | grep Version