diff --git a/administration/agent.rst b/administration/agent.rst index 36bf12d..95bca25 100644 --- a/administration/agent.rst +++ b/administration/agent.rst @@ -3,8 +3,17 @@ ASGARD Agent Deployment ----------------------- -In order to register a new endpoint to the ASGARD Management Center, -download and install the ASGARD Agent on the system you want to register. +There are currently two modes of operation for the ASGARD Agent: + +- **Normal** - This is the default mode and allows usage of all ASGARD features. +- **Essential** - This is a lightweight mode which only allows THOR scanning + and Aurora deployment. + +Please note that the Agent in Essential Mode is a separate installer and +needs to be created in the :ref:`advanced/custom-agent:creating custom agent installers`. + +In order to connect a new endpoint to the ASGARD Management Center, +download and install the ASGARD Agent on the system you want to onboard. The ASGARD Agent can be directly downloaded from the Management Center login screen through the button ``Download Agent Installers``. A list @@ -43,12 +52,6 @@ endpoint shows up in the assets overview and is now ready to be managed and scan Accepting ASGARD Agent Requests -A registered agent will poll the Management Center at a given -interval between 10 seconds and 10 Minutes – depending on the number of -connected endpoints (see :ref:`advanced/performance:performance tuning` for -details). If your Management Center has scheduled a task for the endpoint (for example: -run THOR scan) it will be executed directly after the poll. - Windows Agent Deployment ^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/administration/assets.rst b/administration/assets.rst index d4f6015..55b4401 100644 --- a/administration/assets.rst +++ b/administration/assets.rst 
@@ -34,37 +34,18 @@ individual ASGARD ID, their IP addresses and host names. Asset View By clicking the control buttons in the Actions column, you can start -a new scan, run a response playbook, open a command line or switch -the endpoints ping rate to a few seconds instead of a maximum of 10 minutes. - -.. figure:: ../images/mc_asset-actions.png - :alt: Asset Actions - - Available Actions (left to right): Run Scan, Run Task, - Connect To Remote Console, Show Timeline, Enable/Disable Fast Poll Mode +a new scan, run a response playbook, open a command line or browse the +remote file system. .. note:: - * The internal ping between the ASGARD agent and ASGARD is based on HTTPS not ICMP - * Depending on the user's role some of the control buttons may be disabled + * Depending on the user's role, some of the control buttons may be disabled * The ``Run Scan`` button might be greyed out in new installations - this is - because ASGARD did not download the THOR packages yet. You can either wait for a - few minutes, or see the chapter :ref:`administration/updates:updates of thor and thor signatures`, + because the ASGARD Management Center did not download the THOR packages yet. + You can either wait for a few minutes, or see the chapter + :ref:`administration/updates:updates of thor and thor signatures`, to trigger a download manually. -Column Visibility -^^^^^^^^^^^^^^^^^ - -Users can select various columns and adjust their view according to their -needs by clicking the gear wheel in the top right corner of any table. -You can toggle visibility of columns by clicking the icon next to the name. -You can also drag and drop the columns to change the order in the table view. - -.. figure:: ../images/mc_asset-columns.png - :alt: Asset Columns - - Available columns in Asset Management - Asset Labels ^^^^^^^^^^^^ diff --git a/administration/aurora.rst b/administration/aurora.rst index c4d5c2e..44d0e35 100644 --- a/administration/aurora.rst +++ b/administration/aurora.rst 
@@ -5,15 +5,15 @@ Aurora - Aurora is a lightweight endpoint agent that applies Sigma rules and IOCs on local event streams. - It uses Event Tracing for Windows (ETW) to subscribe to certain event channels. -- It extends the Sigma standard with so-called "response actions" that can get executed after a rule match -- It supports multiple output channels: the Windows Eventlog, a log file and remote UDP targets +- It extends the Sigma standard with so-called "response actions" that can get executed after a rule matches +- It supports multiple output channels: the Windows Eventlog, a log file and remote syslog. Its documentation can be found `here `_. Aurora Overview ~~~~~~~~~~~~~~~ Under ``Service Control`` > ``Aurora`` > ``Asset View (Deployed)`` the overview -of all assets with installed Aurora is shown. Clicking on the entry opens a +of all assets with Aurora installed can be seen here. Clicking on the entry opens a drop-down menu with details and additional information. .. figure:: ../images/mc_aurora-view-deployed.png @@ -113,7 +113,6 @@ Best Practices for Managing Aurora ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. Install the ASGARD agent on the asset (see :ref:`administration/agent:asgard agent deployment`) -2. Install the ASGARD service controller on the asset (see :ref:`administration/service-control:service controller installation`) 3. Deploy the Aurora Service on the asset using the ``[Default] Standard configuration with critical and high Sigma rules`` 4. configuration (see :ref:`administration/aurora:deploy aurora on asset`) diff --git a/administration/download.rst b/administration/download.rst index c73ef36..0e27f47 100644 --- a/administration/download.rst +++ b/administration/download.rst 
@@ -20,8 +20,6 @@ the download token by disabling and then re-enabling it using ``New Download Tok .. figure:: ../images/mc_download-thor-package.png :alt: Generate THOR Package Download Link - Download THOR package and license workstation named 'WIN-CLI-DE-1234' - While selecting different options in the form, the download link changes. After you have generated a download token and have selected the @@ -41,15 +39,15 @@ anybody can download THOR from this ASGARD or can generate licenses. Incident Response license, you must provide it separately. -Use Case 1 - Share th URL without Hostname -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Use Case 1 - Share the URL without Hostname +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ You can generate download links without an included license by leaving the `hostname` field empty. A valid license (e.g. "Incident Response") must be placed in the program folder after the download and extraction. -Use Case 2 - Share th URL with Hostname -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Use Case 2 - Share the URL with Hostname +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ By including the hostname in the form, a license will be generated and included in the download package You can copy the final download @@ -83,4 +81,6 @@ scans on systems without an installed ASGARD agent. .. code-block:: powershell $Type = "server" + $Hostname = "server1" + $Token = "my-unique-token" $Download_Url = "https://asgard2.nextron:8443/api/v1/downloads/thor?os=windows&type=$($Type)&scanner=thor10%4010.6&signatures=signatures&hostname=$($Hostname)&token=$($Token)" diff --git a/administration/evidence.rst b/administration/evidence.rst index 86b5439..e1abe3c 100644 --- a/administration/evidence.rst +++ b/administration/evidence.rst @@ -3,9 +3,6 @@ Evidence Collection =================== -Collected Evidences -^^^^^^^^^^^^^^^^^^^ - ASGARD provides two forms of collected evidence: 1. Playbook output (file or memory collection, command output) 
diff --git a/administration/index.rst b/administration/index.rst index 7ecb475..00b806f 100644 --- a/administration/index.rst +++ b/administration/index.rst @@ -19,11 +19,11 @@ installing agents and performing routine tasks in the Web UI. scheduled-scan syslog response-control - service-control aurora sigma iocs evidence + thunderstorm download license updates diff --git a/administration/iocs.rst b/administration/iocs.rst index 2805235..ae5dc27 100644 --- a/administration/iocs.rst +++ b/administration/iocs.rst 
@@ -3,69 +3,45 @@ IOC Management ============== -Integrating Custom IOCs -^^^^^^^^^^^^^^^^^^^^^^^ - -The menu ``IOC Management`` gives you the opportunity to easily integrate custom signatures into your scans. - -In order to create your own custom IOC Group, navigate to ``IOC Management`` > ``IOCs`` -and click ``Add IOC Group`` in the upper right corner. Select a name and optionally a description for your IOC Group. - -.. figure:: ../images/mc_add-ioc-group.png - :alt: Add IOC Group - - Add IOC Group - -To add IOCs to this group, use the ``Show and edit IOCs in this IOC group`` -action. A side pane opens where you can click the ``Import IOCs`` button -to import your own signatures in any of THOR's IOC formats as files (e.g. -files for keyword IOCs, YARA files and SIGMA files). Refer to the -`THOR manual (custom signatures) `_ -for a complete list and file formats. Browse to the file you want -to add and click upload. This adds your IOC file to the default ruleset. +The ASGARD Management Center allows you to create and manage your own IOCs. +Those IOCs can be used with THOR and Aurora. -.. figure:: ../images/mc_import-iocs.png - :alt: Imported IOCs Overview +What's the difference between IOCs, IOC Groups, IOC Rulesets, and IOC Files? - Imported IOCs Overview +- IOCs: Define specific indicators that represent potential threats. Supports different + types of IOC detection, such as filenames like “some_malware.exe”, hashes like "4fef5e34…”, + YARA and Sigma rules, etc. -However, you can also click the ``Add IOC(s)`` button to add some IOCs -interactively. Select the type, score and description, enter some values -and click the ``Add IOC`` button. +- IOC Groups: Organise related individual IOCs into easily manageable groups. For example, + you can group various individual IOCs related to a "Mimikatz" attack (such as an IOC + that detects the presence of a file called “mm64c.exe”) under a single category. -.. 
figure:: ../images/mc_add-iocs.png - :alt: Add IOCs +- IOC Rulesets: IOC Rulesets combines multiple IOC Groups into a comprehensive set of rules. + With this, you can assemble a set of indicator groups to represent a specific threat + scenario. You can also apply your changes to your rulesets for streamlined and efficient threat detection. - Add IOCs +- IOC Files: Upload files containing your own IOCs that you can later use to add them + onto your own IOC Rulesets. -You can add those IOC Groups to IOC Rulesets which can be created in -the ``IOC Management`` > ``IOC Rulesets`` tab by clicking the ``Add Ruleset`` -button in the upper right corner. Select name and description and click the -``Add Ruleset`` button. - -.. figure:: ../images/mc_add-ioc-ruleset.png - :alt: Add Ruleset - - Add Ruleset - -After that, click on an entry in the table to expand it. There you -get information about all IOC Groups which have been added to this -ruleset. Additionally you can add or remove selected IOC Groups in -``IOC Management: IOCs`` by clicking one of the three buttons shown below. - -.. figure:: ../images/mc_add-remove-ioc-group.png - :alt: Buttons to Add/Remove IOC Groups +Integrating Custom IOCs +^^^^^^^^^^^^^^^^^^^^^^^ - Buttons to Add/Remove IOC Groups +The menu ``IOC Management`` gives you the opportunity to easily integrate custom signatures into your scans. -You can now add your IOC Group to the newly created IOC Ruleset. +In order to create your own custom IOC Group, navigate to ``IOC Management`` > ``IOCs`` +and click ``Add IOC`` in the upper right corner. Select a name and optionally a description for your IOC Group. +This will open a dialog which guides you through the creation of IOCs. -.. figure:: ../images/mc_add-ioc-group-to-ruleset.png - :alt: Add IOC Group to Ruleset +Every IOC has to belong to one IOC Group. One IOC Group can contain multiple IOCs. And finally, +one IOC Ruleset can contain many IOC Groups. 
- Add IOC Group to Ruleset +After you are finished with the creation of your IOCs, you will have to apply the +changes to the IOC Ruleset. You can do so by checking the box towards the end +of the dialog ("Apply changes on all affected rulesets immediately"), or by +setting the IOC Ruleset to "autocompile" (this can also be done during the dialog, +if you create a new IOC Ruleset). -This Ruleset can now be used in THOR scans. +Once you created a IOC Ruleset which contains IOCs, it can be used for scanning with THOR. .. figure:: ../images/mc_ioc-ruleset-thor-scan.png :alt: IOC Ruleset in THOR Scan @@ -74,7 +50,8 @@ This Ruleset can now be used in THOR scans. Anytime you add, remove or change IOCs within one of your IOC Groups, you have to recompile the IOC Ruleset. To do this, navigate to the -``IOC Rulesets`` page and click the "geard" icon in the Ruleset's row +``IOC Rulesets`` page and click the "gear" icon in the Ruleset's row. +You can optionally set IOS Rulesets to "Autocompile". .. figure:: ../images/mc_compile-ioc-ruleset.png :alt: Compile IOC Ruleset diff --git a/administration/license.rst b/administration/license.rst index cec4851..6eeafe0 100644 --- a/administration/license.rst +++ b/administration/license.rst @@ -13,7 +13,7 @@ particular system during its initial THOR scan. The screenshot below shows the licensing section of an ASGARD. -.. figure:: ../images/mc_asgard-licensing.png +.. figure:: ../images/mc_licensing.png :alt: ASGARD licensing ASGARD licensing 
@@ -39,4 +39,11 @@ The following systems require a server license in order to be scanned: The licenses are hostname based except for asset licenses. Asset licenses are issued for each accepted asset as soon as a response -action is performed (playbook or remote console access). \ No newline at end of file +action is performed (playbook or remote console access). + +Thunderstorm +^^^^^^^^^^^^ + +You can upload your THOR Thunderstorm license lower box of the +``Licenses`` view. Please note that the Thunderstorm license +needs to have the same hostname as the ASGARD system. \ No newline at end of file diff --git a/administration/response-control.rst b/administration/response-control.rst index 355a565..d0720fd 100644 --- a/administration/response-control.rst +++ b/administration/response-control.rst @@ -16,6 +16,16 @@ tasks can be: - Configure the asset's proxy - Move asset to another ASGARD +There are several other tasks which will appear in the Response Control +section, those include: + +* Directory Listing (Browse the file system) +* Log (view the ASGARD Agent Log) +* System Stats (view the system load) + +Those tasks can only be started from the Details view of an asset, +but appear here for audit purposes. + Opening a Remote Console on an endpoint ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -27,10 +37,8 @@ Management section and click the "command line" button in the Actions column. Opening a Remote Console from the Asset View -Depending on your configuration it may take between 10 seconds and 10 -minutes for the remote console to open. Please note that all actions -within the remote console are recorded and can be audited. All consoles -open with root or system privileges. +Please note that all actions within the remote console are recorded and +can be audited. All consoles open with root or system privileges. .. figure:: ../images/mc_open-remote-console.png :alt: Remote Shell 
diff --git a/administration/service-control.rst b/administration/service-control.rst deleted file mode 100644 index a6c4554..0000000 --- a/administration/service-control.rst +++ /dev/null @@ -1,38 +0,0 @@ -.. index:: Service Control - -Service Control -=============== - -Service Control is ASGARD's way of deploying real-time services on endpoints. -Currently there only exist the Aurora service. To use Aurora, the service -controller has to be installed on an asset. - -Service Controller Installation -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -To install the ASGARD Service Controller on an asset, you need to install the ASGARD Agent -first. If you already have installed the ASGARD Agent and accepted the asset in your Management -Center, you can use the **"Install ASGARD Service Controller"** playbook to deploy the service -controller on an asset. Optionally you can manually download and execute the ``asgard2-service-controller`` -installer from the ASGARD downloads page. - -.. figure:: ../images/mc_install-sc.png - :alt: Install Service Controller - - Install Service Controller - -Service Controller Update -^^^^^^^^^^^^^^^^^^^^^^^^^ - -If an ASGARD update comes with a new service controller version, you need to update -the service controller on the already rolled-out assets. You can do this using an -"Update Agent" task. You can do that by either selecting one or multiple assets in the -``Assets`` view, or by creating a (scheduled) Group Task. - -.. figure:: ../images/mc_upgrade-sc.png - :alt: Update Service Controller - - Update Service Controller - -.. note:: - If you don't see the **Update Agent** module, you need to enable **Show Advanced Tasks** in ``Settings`` > ``Advanced`` diff --git a/administration/sigma.rst b/administration/sigma.rst index d5f3e55..34e2db2 100644 --- a/administration/sigma.rst +++ b/administration/sigma.rst 
@@ -3,7 +3,7 @@ Sigma ===== -Aurora is using Sigma in order to define detections. +THOR and Aurora are using Sigma in order to improve detections. What is Sigma ~~~~~~~~~~~~~ diff --git a/administration/status.rst b/administration/status.rst index 72eeb07..aff76d0 100644 --- a/administration/status.rst +++ b/administration/status.rst @@ -73,10 +73,10 @@ Available logs and their content: - Overall status of the Management Center, general errors and warnings * - Audit - Containing user login/logout and changes done over the UI - * - ASGARD Agent and Service Controller + * - ASGARD Agent - Status of the agents deployed on assets - * - ASGARD Agent and Service Controller Access Log - - Logs of agents and service controllers communicating with the Management Center + * - ASGARD Agent Access Log + - Logs of agents communicating with the Management Center * - THOR via Syslog - Received syslog events of THOR scans. Partial results if a scan did not complete * - THOR via Syslog (Scan Start, Licensing, Completion only) @@ -90,4 +90,8 @@ Available logs and their content: * - Aurora Simulated Response Actions - Only simulated response action events of Aurora * - Diagnostic Pack - - Button for generating and downloading a diagnostic pack that may be asked for by support \ No newline at end of file + - Button for generating and downloading a diagnostic pack that may be asked for by support + * - Backup & Restore + - Logs related to Backup & Restore activities + * - Thunderstorm + - Full Log output of the Thunderstorm service, including matches \ No newline at end of file diff --git a/administration/thunderstorm.rst b/administration/thunderstorm.rst new file mode 100644 index 0000000..8d03bc7 --- /dev/null +++ b/administration/thunderstorm.rst 
@@ -0,0 +1,86 @@ +.. index:: THOR Thunderstorm + +Thunderstorm +============ + +Since version 3.1 of the ASGARD Management Center, you can +enable THOR Thunderstorm directly on your ASGARD system. +This allows you to scan many unsupported endpoints with THOR +Thunderstorm. Please note that you need a valid THOR Thunderstorm +license to use this feature. The license has to be issued to +the same hostname as the ASGARD Management Center, since the +license is still host-based. + +For usage of Thunderstorm Collectors, please refer to ``Downloads`` > +``Thunderstorm``. + +.. figure:: ../images/mc_thunderstorm.png + :alt: Thunderstorm Overview Page + + Thunderstorm Overview Page + +The Thunderstorm Service listens only locally (127.0.0.1). Your +ASGARD Management Center is acting as a reverse proxy for the +Thunderstorm service. To see which ports are being used, +please have a look at the :ref:`requirements/network:Thunderstorm (optional)` +section. + +This also means you will see logs similar to the one below: + +.. code-block:: none + + Sep 30 12:57:28 asgard3.local THOR: Info: MODULE: Thunderstorm MESSAGE: Web service started at http://127.0.0.1:45329/ SCANID: thunderstorm + +This is normal behavior and does not indicate a problem. + +.. hint:: + The Thunderstorm API uses the same certificate as the + ASGARD Management Center Web UI (port 8443). Please see + :ref:`administration/additional:tls certificate installation` + for more information. + +Thunderstorm License +-------------------- + +To use Thunderstorm, you need a valid Thunderstorm license. +You can upload your license in the ``Licensing`` > ``Licenses`` +section of the ASGARD Management Center (``Upload License`` button). + + +.. figure:: ../images/mc_thunderstorm-license.png + :alt: Thunderstorm License + + Thunderstorm License + +.. hint:: + When you install a license for the first time, Thunderstorm + will start automatically. If you upload a new license, you + have to restart Thunderstorm manually. 
+ +Thunderstorm Logs +----------------- + +The Thunderstorm service is meant to forward any findings to +the ASGARD Analysis Cockpit. If you want to inspect the findings +directly on the ASGARD Management Center, you can do so by +navigating to ``System Status`` > ``Logs`` > ``Thunderstorm``. + +.. figure:: ../images/mc_thunderstorm-logs.png + :alt: Thunderstorm Logs + + Thunderstorm Logs + +Thunderstorm configuration +-------------------------- + +You can change certain settings for Thunderstorm in the +the Thunderstorm overview page. Click the cog icon in the +top right corner to open the settings page. + +.. figure:: ../images/mc_thunderstorm-configuration.png + :alt: Thunderstorm Configuration + + Thunderstorm Configuration + +You can also stop and start the Thunderstorm service from +settings modal. \ No newline at end of file diff --git a/administration/uninstall.rst b/administration/uninstall.rst index 2bf5b5f..2d81b2d 100644 --- a/administration/uninstall.rst +++ b/administration/uninstall.rst @@ -19,15 +19,13 @@ Open a command prompt with administrative privileges and run the following comma .. code-block:: doscon :linenos: - C:\Windows\system32>sc stop asgard2-agent - C:\Windows\system32>sc delete asgard2-agent - C:\Windows\system32>sc stop asgard2-agent_sc - C:\Windows\system32>sc delete asgard2-agent_sc + C:\Windows\system32>C:\Windows\system32\asgard2-agent-service.exe stop + C:\Windows\system32>C:\Windows\system32\asgard2-agent-service.exe uninstall C:\Windows\system32>rmdir /S /Q C:\Windows\System32\asgard2-agent C:\Windows\system32>rmdir /S /Q C:\ProgramData\thor .. note:: - Line 3 and 4 are only necessary if the new service controller (on ASGARD 2.11+) has been installed. + Change `system32` to `SysWOW64` if you are running the agent on a x86 machine. The commands above will: 
@@ -56,28 +54,19 @@ Manual uninstall .. code-block:: console - root@host:~# /usr/sbin/asgard2-agent-amd64 stop - root@host:~# /usr/sbin/asgard2-agent-amd64 uninstall - root@host:~# rm -r /usr/sbin/asgard2-agent-amd64 - root@host:~# rm -r /var/tmp/nextron/asgard2-agent - root@host:~# rm -r /var/lib/nextron/asgard2-agent - root@host:~# rm -r /var/lib/thor + user@host:~$ sudo asgard2-agent-service stop + user@host:~$ sudo asgard2-agent-service uninstall + user@host:~$ sudo rm -r /usr/sbin/asgard2-agent-amd64 + user@host:~$ sudo rm -r /var/tmp/nextron/asgard2-agent + user@host:~$ sudo rm -r /var/lib/nextron/asgard2-agent + user@host:~$ sudo rm -r /var/lib/thor Uninstall ASGARD Agents on macOS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. code-block:: console - user@mac:~$ sudo /var/lib/asgard2-agent/asgard2-agent --uninstall + user@mac:~$ sudo asgard2-agent-service stop + user@mac:~$ sudo asgard2-agent-service uninstall user@mac:~$ sudo rm -r /var/lib/asgard2-agent/asgard2-agent user@mac:~$ sudo rm -r /var/lib/thor - -Uninstall ASGARD Service Controller ------------------------------------ - -If you only want to uninstall the ASGARD Service Controller (Aurora), -but leave the normal ASGARD Agent as it is, execute the following command: - -.. code-block:: doscon - - C:\Windows\system32>C:\Windows\System32\asgard2-agent\asgard2-agent_sc.exe -uninstall diff --git a/advanced/backup-restore.rst b/advanced/backup-restore.rst index 2a4d51b..b33e7e2 100644 --- a/advanced/backup-restore.rst +++ b/advanced/backup-restore.rst 
@@ -1,12 +1,16 @@ .. index:: Backup and Restore -Backup and Restore -================== +Backup and Restore (deprecated) +=============================== + +.. warning:: + This section of the manual is deprecated and will be removed in a future release. + Please use the :ref:`maintenance/backup-restore:backup & restore` section. All of our ASGARD servers come with predefined backup and restore scripts. You can use them to keep a backup available in case something stops working. -.. warning:: +.. hint:: If you are using a Management Center and Analysis Cockpit together, it is advised to create the backups at the same time. This avoids potential data inconsistencies across the two platforms. You can diff --git a/advanced/custom-agent.rst b/advanced/custom-agent.rst index 9a835ad..f543522 100644 --- a/advanced/custom-agent.rst +++ b/advanced/custom-agent.rst @@ -1,7 +1,7 @@ .. index:: Creating Custom Agent Installer -Creating Custom Agent Installer -=============================== +Creating Custom Agent Installers +================================ ASGARD supports creation of custom installers. Custom installers can be configured in a way so that agents show up with a preset label or with a diff --git a/advanced/index.rst b/advanced/index.rst index b3090e0..78cfbf4 100644 --- a/advanced/index.rst +++ b/advanced/index.rst @@ -10,7 +10,6 @@ some options could be helpful for your environment. .. toctree:: :caption: Contents - performance logs agents custom-agent diff --git a/advanced/logs.rst b/advanced/logs.rst index 84f2ac2..72126e0 100644 --- a/advanced/logs.rst +++ b/advanced/logs.rst @@ -3,7 +3,7 @@ Managing Logs ============= -ASGARD will store all logs under ``/var/lib/asgard-management-center/log`` +ASGARD will store all logs under ``/var/log/asgard-management-center/log`` All logs in this directory will be rotated and automatically cleared after 14 months, please see :ref:`maintenance/log:log rotation and retention` for more information. 
diff --git a/advanced/performance.rst b/advanced/performance.rst deleted file mode 100644 index 20b7af6..0000000 --- a/advanced/performance.rst +++ /dev/null 
@@ -1,82 +0,0 @@ -.. index:: Performance Tuning - -Performance Tuning -================== - -The ASGARD agents poll the Management Server server frequently for new tasks to execute. -The default polling interval depends on the number of connected endpoints. In -larger environments the polling interval increases dynamically up to 10 minutes -for a configuration with 25.000 endpoints connected to a single ASGARD. - -Additionally, ASGARD is configured to serve a maximum of 100 concurrent asset -connections and 25 concurrent asset streams. Asset connections are short polls -from the agent such as answering the question "do you have a new task for me?". -Asset streams are intense polls such as downloading THOR to the agent or -uploading scan results back to ASGARD. - -Requests that exceed the limits will receive an answer from ASGARD to repeat the -request after N seconds, where N is calculated based on the current load. - -This factory preset behavior insures your ASGARD stays stable and responsive even if your -ASGARD's system resources are limited. Furthermore, you most likely can't overload your -network or firewalls with high numbers of requests or downloads. - -In order to modify ASGARDs performance settings edit ``/etc/asgard-management-center/asgard.conf`` -and restart the ASGARD service. - -The default values are: - -.. list-table:: - :header-rows: 1 - :widths: 35, 65 - - * - Value - - Description - * - LoadConnMax=100 - - Max. concurrent „Busy Connections" - * - LoadStreamMax=25 - - Max. concurrent „Busy Streams" - * - PingRateMin=10 - - Polling Rate with 0 connected Assets (seconds) - * - PingRateMax=600 - - Polling Rate with 25000 connected Assets (seconds) - * - PingRateFast=5 - - Polling Rate for Assets in Fast Ping Mode (seconds) - -These values should work fine in most scenarios – regardless of the size -of the installation. However, you may want to decrease PingRateMax -in order to achieve a better responsiveness of your ASGARD infrastructure. 
- -Overloading ASGARD -^^^^^^^^^^^^^^^^^^ - -While temporary stream overloads are quite normal, connection overloads -should not happen. If they do, either adjust your PingRateMax, your LoadConnMax or both. - -ASGARD will indicate an overload with the "Connection Overload line" -and the "Stream Overload line" within the graphs in the overview -section (see picture below). If an ASGARD is in an overload situation -it will postpone connections and streams but will not lose or drop -tasks or be harmed in any way. ASGARD will recover to normal load automatically. - -.. figure:: ../images/asset-connections-and-streams1.png - :alt: Asset Connections and Asset Streams - - Asset Connections and Asset Streams - -Stream overloads can happen temporarily (e.g. if you schedule a grouped -scan or grouped task with an unlimited rate). The picture below -shows such a normal overload situation that was caused by starting -a grouped scan with an unlimited rate. This is the expected behavior. -ASGARD will manage the load automatically and postpone streams until -the load has returned to normal. - -.. figure:: ../images/asset-connections-and-streams2.png - :alt: Asset Streams in an overload situation - - Asset Streams in an overload situation - -The "Busy Streams" line indicates the number of streams currently active. -s you might have guessed, the picture above was taken on an ASGARD in -default configuration where the number of concurrent streams is set -to the default value of 25. \ No newline at end of file diff --git a/changelog/index.rst b/changelog/index.rst index 6cc1ba1..24acd74 100644 --- a/changelog/index.rst +++ b/changelog/index.rst @@ -10,4 +10,5 @@ Center version 3 and its components. .. toctree:: :caption: Contents - amc_log \ No newline at end of file + log1 + log0 \ No newline at end of file diff --git a/changelog/amc_log.rst b/changelog/log0.rst similarity index 94% rename from changelog/amc_log.rst rename to changelog/log0.rst index c9277b3..9b3ea8d 100644 
--- a/changelog/amc_log.rst +++ b/changelog/log0.rst @@ -1,7 +1,5 @@ -Management Center v3 -==================== - -This chapter contains all the changes of the ASGARD Management Center. +Management Center v3.0 +====================== Management Center 3.0.16 ------------------------ diff --git a/changelog/log1.rst b/changelog/log1.rst new file mode 100644 index 0000000..9cfd72c --- /dev/null +++ b/changelog/log1.rst 
@@ -0,0 +1,130 @@ +Management Center v3.1 +====================== + +Management Center 3.1.5 +------------------------ + +Release Date: Tue, 22 Oct 2024 14:02:00 +0200 + +---- + +* Breaking Changes + + - The ASGARD Agent now also acts as the Service Controller. Existing Service Controller installations will be automatically put into sleep mode. Deployed Aurora Agents will still work as expected. (MC-517, MC-518) + +---- + +* Highlights + + - The ASGARD Agent will from now on receive new tasks in real time. (MC-202) + - The ASGARD Agent will from now on be able to run multiple tasks in parallel. (MC-202) + - With the new real time agent, there will also be a new field 'Status' in the asset table (online/offline). (MC-572) + - Added 'Essential Mode' to the ASGARD Agent, including only THOR and Aurora. It's ideal for critical systems where only the basic functionality is needed. (MC-573) + - New 'Managed Service' mode that will use an ASGARD Security Center to manage the asset's licenses on a per-tenant basis. (MC-2) + - Integrated THOR Thunderstorm into the ASGARD Management Center to scan samples sent from any device within the network. (MC-458) + - New agent module 'File Browser' that allows you to browse the file system of the ASGARD Agent. (MC-447) + +---- + +* Features + + - New agent module 'Sysstats' that allows you to view the system statistics such as CPU, RAM, and disk usage of the ASGARD Agent in real time. (MC-371) + - New agent module 'Log' that allows you to view and download the agent's log. 
(MC-574) + - Users can now be forced to use 2FA or change their password on the next login (MC-5) + - Bruteforce protection (MC-4) + - Users can now be temporarily disabled (MC-162) + - Backup and restore via UI (MC-247) + +---- + +* Improvements + + - IOC rulesets can now be configured to automatically recompile after changes (MC-46) + - New configuration option to use THOR for Server licenses for workstations once the THOR for Workstation licenses are exhausted (MC-77) + - Added more API endpoints to the API documentation page (MC-62) + - Replaced 'Resource Control' for THOR scans with more granular options like RAM and disk limits (MC-90) + - Added a new button to relaunch playbooks or scans (MC-117) + - Improved interrogate job for MacOS and Linux assets, e.g. collect installed software and local users (MC-123) + - Improved interrogate job to also collect network interface names and mac adresses (MC-393) + - Status of Master ASGARD now represents the status of the connected ASGARD Management Centers (MC-50) + - Created new 'Incoming requests' graphs in the Overview section (MC-561) + - Added new stop button to the group scans table, which will also stop all running tasks (MC-395) + - Store the used Aurora Agent version in the service table and show if the version is outdated (MC-74) + - Added revision numbers to IOC rulesets (MC-511) + - Added new delete button to the scheduled group tasks/scans table (MC-342) + - Added new edit button to the scheduled group scans table (MC-341) + - Improved and migrated the Agent API validators from the ASGARD Gatekeeper (MC-598) + - Added new column 'status' to the Sigma rules table (MC-68) + - Added new option to automatically remove Sigma rules from a ruleset if the rule's level has been changed and is under the configured level (MC-69) + - Added new columns 'failed' and 'successful' to the group tasks/scans table (MC-340) + - Added an option in the LDAP settings to use nested groups (MC-324) + +---- + +* UX + + - Improved 
charts and statistics in the Overview section (MC-345) + - Moved manuals to more prominent position (MC-32) + - Made 'not yet valid' licenses in License section visible in the default view (MC-36) + - Added ASGARD Query to Service Control section (MC-60) + - When update servers are not reachable, the user will now get a link to the ip adress list (MC-56) + - Max. runtime of '0' has been mistakenly described as 'unlimited' in some places. This has been corrected to '48 hours' (MC-82) + - Sigma rule update counter will be hidden in case no Aurora or LogWatcher is used (MC-95) + - Added filters to the ASGARD Agent Installers page (MC-112) + - When creating new playbooks, the user can now also define all steps in one go (MC-216) + - When creating a new playbook task, the user can now also create a new playbook on-the-fly (MC-354) + - The IOC Management section has been improved. There is now a new 'IOCs' section that contains all IOCs of all groups. When adding new IOCs, groups can now be added on-the-fly. (MC-214) + - Toggle visibility of IPv6 addresses in the asset table (MC-184) + - Added role descriptions in the Roles management (MC-173) + - Added prompt to several dialogs to confirm the action, e.g. when stopping a group scan (MC-174) + - Added auto complete to Asset Labels selection (MC-238) + - Improved colors of MISP tags (MC-320) + - Improved error messages when linking or synchronizing with Master ASGARD or Analysis Cockpit fails (MC-325) + - Enhanced security by preventing API endpoint leaks and using a more secure password hash algorithm. 
(MC-329, MC-442) + - Show 'update available' indicator in the sidebar for the Broker Network (MC-78) + - Improved overall usability in the Licensing section (MC-466) + - Custom IOCs in scan table are now clickable (MC-512) + - Fixed double scrollbar in some sections (MC-527) + - Use pretty names instead of raw flags when creating a new THOR scan (MC-557) + - Show connectivity status in the Analysis Cockpit settings page (MC-380) + - Hide MISP stuff if MISP is not configured (MC-399) + - Made the license expiration warning dependent on the license runtime (MC-57) + +---- + +* Security + + - Changed the authentication for Mariadb to not use SHA-1 based mysql_native_password. Thanks to Ianis BERNARD from NATO Cyber Security Centre (NCSC) for reporting this (MC-673) + +---- + +* Bugfixes + + - Fixed wrong file paths and names when collecting nested directories on Windows assets (MC-84) + - Fixed 'Started' and 'Duration' columns for THOR scans, especially when the scan has been resumed (MC-87) + - Fixed wrong expire date in the license expiration warning (MC-94) + - Deletion of Nextron's default Sigma rules returned success even if the deletion failed (MC-130) + - Fixed some non-working filters on the Master ASGARD (MC-45) + - Fixed description of allowed characters for ASGARD Agent Installer affix (MC-48) + - When deleting IOCs, the affected rulesets have not been marked as 'uncompiled changes' (MC-52) + - Fixed a race condition during synchronization with ASGARD Analysis Cockpit (MC-43) + - Fixed wrong dialog when disconnecting an ASGARD Gatekeeper (MC-136) + - Removed directories from the ASGARD Installer page (MC-240) + - Fixed some tooltip overlap issues (MC-261) + - Prevent creating IOC groups without a name (MC-285) + - Fixed a bug where the total count didn't match the actual search result (MC-281) + - Fixed a rare case where the THOR scan fails due to a not yet valid license (MC-327) + - Fixed some error messages, which were based on the endpoint's system 
language (MC-513) + - Fixed ASGARD Agent Installer repacker to not touch the /usr/share directory (MC-519) + - Fixed ASGARD Agent Installer repacker for AIX not working when also using agent obfuscation (MC-566) + - Fixed error message when trying to test compilation of custom IOCs (MC-404) + - Fixed short delay of first scan start in a group scan in case a rate limit is set (MC-445) + - Fixed error message when trying to unlink a MISP (MC-578) + +---- + +* Chore + + - Wordings (MC-61) + - Removed some deprecated playbooks like installation of the Service Controller or uninstalling the ASGARD 1 Agent (MC-328) + - Removed obsolete 'fast poll' mode from the ASGARD Agent (MC-468) \ No newline at end of file diff --git a/images/asgard_architecture.png.old b/images/asgard_architecture.png.old deleted file mode 100644 index e2b5b93..0000000 Binary files a/images/asgard_architecture.png.old and /dev/null differ diff --git a/images/asset-connections-and-streams1.png b/images/asset-connections-and-streams1.png deleted file mode 100644 index e2bcc7f..0000000 Binary files a/images/asset-connections-and-streams1.png and /dev/null differ diff --git a/images/asset-connections-and-streams2.png b/images/asset-connections-and-streams2.png deleted file mode 100644 index 2af5ee8..0000000 Binary files a/images/asset-connections-and-streams2.png and /dev/null differ diff --git a/images/master-asgard-amc013.png b/images/master-asgard-amc013.png deleted file mode 100644 index 7ebe803..0000000 Binary files a/images/master-asgard-amc013.png and /dev/null differ diff --git a/images/mc_add-ioc-group-to-ruleset.png b/images/mc_add-ioc-group-to-ruleset.png deleted file mode 100644 index 5d5ecd4..0000000 Binary files a/images/mc_add-ioc-group-to-ruleset.png and /dev/null differ diff --git a/images/mc_add-ioc-group.png b/images/mc_add-ioc-group.png deleted file mode 100644 index a60092e..0000000 Binary files a/images/mc_add-ioc-group.png and /dev/null differ 
diff --git a/images/mc_add-ioc-ruleset.png b/images/mc_add-ioc-ruleset.png deleted file mode 100644 index 04b755b..0000000 Binary files a/images/mc_add-ioc-ruleset.png and /dev/null differ diff --git a/images/mc_add-iocs.png b/images/mc_add-iocs.png deleted file mode 100644 index b8d330b..0000000 Binary files a/images/mc_add-iocs.png and /dev/null differ diff --git a/images/mc_add-remove-ioc-group.png b/images/mc_add-remove-ioc-group.png deleted file mode 100644 index 24a81fb..0000000 Binary files a/images/mc_add-remove-ioc-group.png and /dev/null differ diff --git a/images/mc_advanced-settings.png b/images/mc_advanced-settings.png index a4b16d2..36e0ddc 100644 Binary files a/images/mc_advanced-settings.png and b/images/mc_advanced-settings.png differ diff --git a/images/mc_asgard-licensing.png b/images/mc_asgard-licensing.png deleted file mode 100644 index 2f9eb34..0000000 Binary files a/images/mc_asgard-licensing.png and /dev/null differ diff --git a/images/mc_asset-actions.png b/images/mc_asset-actions.png deleted file mode 100644 index 113374a..0000000 Binary files a/images/mc_asset-actions.png and /dev/null differ diff --git a/images/mc_asset-columns.png b/images/mc_asset-columns.png deleted file mode 100644 index 0d9b725..0000000 Binary files a/images/mc_asset-columns.png and /dev/null differ diff --git a/images/mc_assets-view.png b/images/mc_assets-view.png index a28b9d9..4f99a4e 100644 Binary files a/images/mc_assets-view.png and b/images/mc_assets-view.png differ diff --git a/images/mc_backup-restore.png b/images/mc_backup-restore.png new file mode 100644 index 0000000..f08b492 Binary files /dev/null and b/images/mc_backup-restore.png differ diff --git a/images/mc_custom-agent-installer.png b/images/mc_custom-agent-installer.png index 2bbeba0..9559bce 100644 Binary files a/images/mc_custom-agent-installer.png and b/images/mc_custom-agent-installer.png differ 
diff --git a/images/mc_download-thor-package.png b/images/mc_download-thor-package.png index eca21ea..c790555 100644 Binary files a/images/mc_download-thor-package.png and b/images/mc_download-thor-package.png differ diff --git a/images/mc_import-iocs.png b/images/mc_import-iocs.png deleted file mode 100644 index 9805b47..0000000 Binary files a/images/mc_import-iocs.png and /dev/null differ diff --git a/images/mc_install-sc.png b/images/mc_install-sc.png deleted file mode 100644 index 9106569..0000000 Binary files a/images/mc_install-sc.png and /dev/null differ diff --git a/images/mc_licensing.png b/images/mc_licensing.png new file mode 100644 index 0000000..8cd8c5b Binary files /dev/null and b/images/mc_licensing.png differ diff --git a/images/mc_overview-1.png b/images/mc_overview-1.png index 96d4a27..045444a 100644 Binary files a/images/mc_overview-1.png and b/images/mc_overview-1.png differ diff --git a/images/mc_overview-2.png b/images/mc_overview-2.png index 85bf3ef..b9d261d 100644 Binary files a/images/mc_overview-2.png and b/images/mc_overview-2.png differ diff --git a/images/mc_thunderstorm-configuration.png b/images/mc_thunderstorm-configuration.png new file mode 100644 index 0000000..8f5b590 Binary files /dev/null and b/images/mc_thunderstorm-configuration.png differ diff --git a/images/mc_thunderstorm-license.png b/images/mc_thunderstorm-license.png new file mode 100644 index 0000000..23d949a Binary files /dev/null and b/images/mc_thunderstorm-license.png differ diff --git a/images/mc_thunderstorm-logs.png b/images/mc_thunderstorm-logs.png new file mode 100644 index 0000000..8ae0aee Binary files /dev/null and b/images/mc_thunderstorm-logs.png differ diff --git a/images/mc_thunderstorm.png b/images/mc_thunderstorm.png new file mode 100644 index 0000000..d352d21 Binary files /dev/null and b/images/mc_thunderstorm.png differ 
diff --git a/images/mc_upgrade-sc.png b/images/mc_upgrade-sc.png deleted file mode 100644 index 2b80bdf..0000000 Binary files a/images/mc_upgrade-sc.png and /dev/null differ diff --git a/images/troubleshooting-remove-registration.png b/images/troubleshooting-remove-registration.png deleted file mode 100644 index a63d176..0000000 Binary files a/images/troubleshooting-remove-registration.png and /dev/null differ diff --git a/maintenance/backup-restore.rst b/maintenance/backup-restore.rst new file mode 100644 index 0000000..48c0389 --- /dev/null +++ b/maintenance/backup-restore.rst @@ -0,0 +1,15 @@ +.. index:: Backup & Restore + +Backup & Restore +================ + +You can schedule, create, and restore backups of your ASGARD Management Center +from the ``Settings`` > ``Backup & Restore`` section. + +Additionally, if you have old backups which were created via SSH on the system, +you can upload them here as well. + +.. figure:: ../images/mc_backup-restore.png + :alt: Backup & Restore + + Backup & Restore \ No newline at end of file diff --git a/maintenance/index.rst b/maintenance/index.rst index ed513e6..2850c5d 100644 --- a/maintenance/index.rst +++ b/maintenance/index.rst @@ -9,5 +9,6 @@ can perform on your Management Center. .. toctree:: :caption: Contents + backup-restore log disk \ No newline at end of file diff --git a/maintenance/log.rst b/maintenance/log.rst index 1b2b08e..a4721ef 100644 --- a/maintenance/log.rst +++ b/maintenance/log.rst @@ -14,7 +14,7 @@ you can inspect ``/etc/logrotate.d/asgard-management-center``. Syslog Logs ~~~~~~~~~~~ -ASGARD will store all logs under ``/var/lib/asgard-management-center/log``. +ASGARD will store all logs under ``/var/log/asgard-management-center/``. This does not include the Scan Logs, as those are handled separately. If you require a longer retention period, please copy the oldest log 
@@ -31,7 +31,7 @@ modify the built-in rotation settings as this might interfere with ASGARD update - asgard-audit.log * - ASGARD Management Center - asgard.log - * - ASGARD Agent and Service Controller + * - ASGARD Agent - agent.log * - ASGARD Agent Access - agent-access.log @@ -41,6 +41,8 @@ modify the built-in rotation settings as this might interfere with ASGARD update - subscan.log * - Aurora - aurora-service.log + * - Thunderstorm + - thunderstorm.log If you want to forward those logs automatically to a dedicated server, you can set up :ref:`administration/additional:rsyslog forwarding`. Forwarded diff --git a/requirements/agent.rst b/requirements/agent.rst index 5623489..8031b71 100644 --- a/requirements/agent.rst +++ b/requirements/agent.rst @@ -4,9 +4,9 @@ Agent Requirements ------------------ The ASGARD Agent, which needs to be installed on endpoints, is a lightweight -service which is used to establish as secure connection with your Management +service which is used to establish a secure connection with your Management Center. Memory usage of the agent is around 50 MB, which makes it very unobtrusive. -THOR uses up to 1 GB of RAM additionally when scanning is in progress. This +THOR uses up to 1.5 GB of RAM additionally when scanning is in progress. This value will vary depending on the operating system THOR is running on. We observed lower RAM usage on unix systems all together, whereas Windows endpoints generally use more RAM. diff --git a/requirements/before.rst b/requirements/before.rst deleted file mode 100644 index 22b5ca3..0000000 --- a/requirements/before.rst +++ /dev/null 
@@ -1,49 +0,0 @@ -.. index:: Before you begin - -Before You Begin -================ - -This chapter contains high level information which will help -you plan and implement the ASGARD Management Center within -your existing environment. - -.. hint:: - Within this manual we might call the ASGARD Management Center - just ``ASGARD`` or ``Management Center`` for the sake of - simplicity. - -Agent to ASGARD Communication ------------------------------ - -There are a few things to consider before you start with the installation. -The communication between ASGARD and the ASGARD agent is unidirectional. -The ASGARD agent polls the in a given time frame and ask for tasks to -execute. There is no active triggering from ASGARD to the ASGARD agent – -we have designed it that way, because we believe that opening a port on -all connected endpoints should and can be avoided. - -Performance Considerations --------------------------- - -In environments with up to 500 endpoints, the default polling interval -is around 20 seconds. In larger environments the polling interval increases -automatically up to one minute for 2.000 endpoints and 10 minutes for -configurations with 25.000 endpoints connected to a single ASGARD. - -For this reason larger environments are not as responsive as small environments -when it comes to opening remote shells or executing urgent response -tasks. It may take up to 10 minutes for the shell to open or results of a -THOR scan to show up. Once a task is running, like the remote console for -example, the connection becomes almost instant. - -Most environments contain endpoints which need faster polling between the -agent and your ASGARD Management Center. For this reason we implemented a -``Fast Poll`` mode which can be set individually on a per host basis. For -more information, please see :ref:`administration/assets:asset overview`. 
- -Using a Proxy between ASGARD Agent and ASGARD ---------------------------------------------- - -ASGARD supports using a standard http proxy for the entire Agent to -ASGARD communication. In order to use a proxy, the ASGARD agent must -be repacked after installation. For details, see :ref:`advanced/custom-agent:creating custom agent installer`. \ No newline at end of file diff --git a/requirements/index.rst b/requirements/index.rst index 3a1f8e7..eeeb547 100644 --- a/requirements/index.rst +++ b/requirements/index.rst @@ -13,7 +13,6 @@ after the installation. :caption: Contents introduction - before hardware agent network diff --git a/requirements/introduction.rst b/requirements/introduction.rst index 7beb729..fa24d07 100644 --- a/requirements/introduction.rst +++ b/requirements/introduction.rst 
@@ -3,22 +3,23 @@ Introduction ============ -ASGARD Management Center is the central management platform for THOR scans. -It manages distributed THOR scans on thousands of systems, collects and -forwards scan results. +ASGARD Management Center is our central management platform for +`THOR `_ scans, +`Aurora `_ +for real time protection of your endpoints, custom playbooks, +or even Thunderstorm. It can manage distributed THOR scans on +thousands of systems, collecting and forwarding the scan results to our +`ASGARD Analysis Cockpit `_ +or your own SIEM. The ASGARD Management Center can control and execute complex response tasks -if needed. It features built-in response playbooks for quarantining endpoints -creating and collecting triage packs, opening live remote command prompts and -other actions incident response specialists will find useful. +if needed, opening live remote command prompts on your endpoints, or executing +other actions incident response specialists will find useful. Additionally, +it provides an easy to use interface for creating custom multi-step response +playbooks, which can execute any command on your endpoints and collect the respective outputs. -ASGARD additionally provides an easy to use interface for creating custom -multi-step response playbooks, which can execute any command on your endpoints -and collect the respective outputs. - -ASGARD Management Center is available as a virtual appliance and also as a -hardware appliance. Both are based on Debian Bullseye and require a setup procedure -in order to generate customized agent installers and cryptographic keys. +The ASGARD Management Center comes bundled with Debian on a custom ISO file +and can be deployed in many different ways. This document describes all functions and steps for the setup and operation of the ASGARD Management Center. It will describe how to add systems for scanning diff --git a/requirements/network.rst b/requirements/network.rst index 4d12cb3..865a5d2 100644 
--- a/requirements/network.rst +++ b/requirements/network.rst @@ -82,11 +82,11 @@ following remote systems via HTTPS on port 443/tcp: * - Product - Remote Systems - * - ASGARD packages + * - ASGARD and system updates - update-301.nextron-systems.com - * - THOR updates + * - THOR, Aurora, and Signature updates - update1.nextron-systems.com - * - THOR updates + * - THOR, Aurora, and Signature updates - update2.nextron-systems.com All proxy systems should be configured to allow access to these URLs @@ -100,11 +100,11 @@ From Master ASGARD to ASGARD .. list-table:: :header-rows: 1 - :widths: 70, 30 + :widths: 60, 40 - * - Direction + * - Description - Port - * - From Master ASGARD to ASGARD Management Center + * - Management Backend - 5443/tcp You cannot manage ASGARD v3 systems from a Master ASGARD v2. @@ -123,6 +123,27 @@ From Management Workstation to Master ASGARD * - Command line administration - 22/tcp +Thunderstorm (optional) +^^^^^^^^^^^^^^^^^^^^^^^ + +The following ports are being used by Thunderstorm. +This is optional and only needed if you plan on using +Thunderstorm in your ASGARD. + +.. list-table:: + :header-rows: 1 + :widths: 50,50 + + * - Description + - Port + * - HTTPs + - 9443/tcp + * - HTTP + - 8080/tcp + +Please see chapter :ref:`administration/thunderstorm:Thunderstorm` +for more information. + Time Synchronization ^^^^^^^^^^^^^^^^^^^^ diff --git a/troubleshooting/agent-debugging.rst b/troubleshooting/agent-debugging.rst index 6dcee72..29de724 100644 --- a/troubleshooting/agent-debugging.rst +++ b/troubleshooting/agent-debugging.rst 
@@ -105,12 +105,3 @@ configuration files, and redeploy a fresh copy. * Linux: ``/var/lib/asgard2-agent/`` - To install the ASGARD agent, please follow the instructions in :ref:`administration/agent:asgard agent deployment`. - -It is also recommended to redeploy the ASGARD Service Controller. - -- To uninstall the ASGARD Service Controller, please follow the - instructions in :ref:`administration/uninstall:uninstall asgard service controller`. -- To install the ASGARD Service Controller, please follow the - instructions in :ref:`administration/service-control:service controller installation`. - You need to wait a few minutes until the asset is connected to your ASGARD - before you continue with this step. Please note that you might need to accept the ``Asset Request``. diff --git a/troubleshooting/diagnostics.rst b/troubleshooting/diagnostics.rst index c75057b..74062ea 100644 --- a/troubleshooting/diagnostics.rst +++ b/troubleshooting/diagnostics.rst @@ -16,5 +16,5 @@ You can generate a Diagnostic Package in ``Systems Status`` > ``Logs`` > The package can have a size that cannot be shared via Email. In this case you can either 1. ask us for an upload link (secure file sharing) or -2. remove big log files from the package (e.g. the file ``/var/lib/asgard-management-center/log/agent-access.log`` +2. remove big log files from the package (e.g. the file ``/var/log/asgard-management-center/agent-access.log`` is often responsible for 97% of the package size)
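Review bot: in changelog/log1.rst the entry "Enhanced security by preventing API endpoint leaks and using a more secure password hash algorithm. (MC-329, MC-442)" is filed under UX, while the Security section further down holds only the MariaDB item (MC-673). Move it to Security so that readers scanning the changelog for security-relevant changes find both entries in one place. In the same file, "mac adresses" (MC-393) and "ip adress list" (MC-56) should read "addresses" and "address", "Mariadb" should be "MariaDB", and the file ends without a trailing newline.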
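Review bot: renaming changelog/amc_log.rst to changelog/log0.rst and retitling it from "Management Center v3" to "Management Center v3.0" changes both the document path and the section label, and this manual uses path-prefixed labels in its :ref: targets. Search the tree for "changelog/amc_log" and for external links to the old page before merging. The names log0 and log1 in the toctree also give no hint which release line each file holds; a name that carries the version would be easier to maintain once a third file is added.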
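Review bot: deleting requirements/before.rst removes the only statement in this patch about connection direction ("There is no active triggering from ASGARD to the ASGARD agent", no open port on endpoints) without putting anything in its place. Since log1.rst announces that the agent now receives tasks in real time (MC-202), the manual should say explicitly whether the connection is still initiated by the agent, because firewall planning depends on it. The same deletion drops the "Using a Proxy between ASGARD Agent and ASGARD" section and the hint that "ASGARD" is shorthand for the Management Center, although text added elsewhere in this patch still uses the bare name ("Thunderstorm in your ASGARD"); please confirm both are covered in another chapter or keep them.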
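Review bot: the new "Thunderstorm (optional)" table in requirements/network.rst lists a plain HTTP listener on 8080/tcp next to 9443/tcp without saying which one is enabled by default or when the unencrypted port is meant to be used. Samples submitted for scanning would cross the network in clear text on 8080, so the section should state the default and recommend 9443 where that applies. Unlike the neighbouring sections ("From Master ASGARD to ASGARD", "From Management Workstation to Master ASGARD"), this one also does not name the source and destination of the traffic, which is what a firewall rule needs. Minor: "HTTPs" should be "HTTPS", and the target ``administration/thunderstorm:Thunderstorm`` is capitalised while the other :ref: targets in the manual are lowercase.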
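Review bot: maintenance/log.rst and troubleshooting/diagnostics.rst switch the log directory from ``/var/lib/asgard-management-center/log`` to ``/var/log/asgard-management-center/``, but neither hunk says what happens on upgraded systems. The surrounding text tells readers to copy old logs for longer retention and points to rsyslog forwarding, so anyone with copy jobs or forwarding rules on the old directory needs a sentence stating whether existing files are moved and from which version the new path applies. The rsyslog forwarding chapter is not touched by this patch; check that it does not still name the old directory.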
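Review bot: the rewritten last paragraph of requirements/introduction.rst replaces "Both are based on Debian Bullseye and require a setup procedure in order to generate customized agent installers and cryptographic keys" with "comes bundled with Debian on a custom ISO file and can be deployed in many different ways". That drops the Debian release and the fact that setup generates the agent installers and keys, and "many different ways" tells the reader nothing; name the supported deployment options or link to the installation chapter. The earlier paragraph also no longer mentions the built-in playbooks for quarantining endpoints and collecting triage packs; if those still exist, keep the mention.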