Alert Logic Universal Agent

December 2024

Version 2.26.0

December 10, 2024

Enhancements
  • Line breaks in Windows event log messages are preserved to aid in the development of future analytics.

  • The collection method of FIM Windows registry events is improved, allowing for detailed event metadata, including specific key and value names modified.

Fixes
  • The remotely updated Windows master executable is no longer started with below-normal priority, fixing service start timeouts.

  • Downloaded update installer files are now deleted after successful installation.

June 2024

Version 2.25.0

June 4, 2024

Enhancements
  • Agent-assisted decryption support for IDS.

Fixes
  • Fixed starvation of some syslog & container log sockets on high load.

  • Fixed blocking of syslog, container log, and traffic capture sockets by long-running host metadata refreshes.

  • Fixed dependence on Content-Length headers for non-identity encodings in HTTP(S) downloads.

  • Dropped "After=syslog.target" from systemd unit files.

March 2024

Version 2.24.1

March 5, 2024

Fixes
  • Fixed the loss of syslog batch queue on Linux file systems other than ext* and btrfs.

  • Revised os_details metadata collection logic for modern Windows versions.

  • Prevent EvtRender() and EvtOpenPublisherMetadata() API errors from stalling event log collection.

  • Support UTF-8 event log message resources introduced in Windows 11.

  • Avoid resending already sent syslog batches on agent reclaim (respect skip_historical flag in syslog collector).

  • Fixed startup crash on invalid LANG or LC_ALL locale strings.

  • Fixed intermittent failures reading output from child processes (occasionally breaking agent-based scans).

  • Reduced memory usage in updater (avoiding downloading entire files to memory).

  • Use GetNamedSecurityInfo() instead of GetSecurityInfo() in FIM to avoid opening monitored files.

  • Added agent-based scan timeouts (prevent hung subprocesses from indefinitely stalling scans).

  • Avoided loading system-wide osquery extensions and config for agent-based scans.

  • Increased the number of handled containers per host from 170-340 to 500-1000 (depending on container runtime).

  • Updated statically linked dependencies.
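The 2.25.0 note above on dependence on Content-Length for non-identity encodings and the 2.24.1 note on the updater downloading entire files to memory describe the same download path. The following is an added example written for this page, not Alert Logic's updater code: it decodes an HTTP/1.1 body by its framing, ignores Content-Length when Transfer-Encoding is chunked (as RFC 9112 requires), and streams the body to a sink in fixed-size pieces under a total size cap. The sample responses, their headers and the version string they carry are constructed for the example.

```python
# Added example, not Alert Logic's updater: decode an HTTP/1.1 response body
# by its framing (chunked or Content-Length) and stream it to a sink in pieces.
import io
import re

PIECE = 8192  # copy granularity; memory stays flat whatever the body size
_CHUNK_SIZE = re.compile(rb"^([0-9A-Fa-f]+)(?:;.*)?$")  # hex length [;ext]


def parse_head(reader):
    """Return (status_line, headers) with lower-cased names; ValueError if truncated."""
    status = reader.readline()
    if not status.endswith(b"\r\n"):
        raise ValueError("truncated status line")
    headers = {}
    while True:
        line = reader.readline()
        if line == b"\r\n":
            return status[:-2].decode("ascii", "replace"), headers
        name, colon, value = line.rstrip(b"\r\n").partition(b":")
        if not line.endswith(b"\r\n") or not colon or not name.strip():
            raise ValueError("malformed header block")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")


def stream_body(reader, headers, sink, max_bytes):
    """Copy the body to `sink` piece by piece; return bytes written.

    With Transfer-Encoding: chunked the chunk sizes define the length and any
    Content-Length is ignored (RFC 9112 s.6.3); otherwise Content-Length is
    used, and with neither the body runs to EOF. `max_bytes` caps the total.
    """
    written = 0

    def copy(n):  # copy exactly n bytes, failing closed on a short read
        nonlocal written
        if written + n > max_bytes:
            raise ValueError("body exceeds max_bytes")
        left = n
        while left:
            piece = reader.read(min(left, PIECE))
            if not piece:
                raise ValueError("connection closed mid-body")
            sink.write(piece)
            left -= len(piece)
        written += n

    if "chunked" in headers.get("transfer-encoding", "").lower():
        while True:
            m = _CHUNK_SIZE.match(reader.readline().rstrip(b"\r\n"))
            if not m:
                raise ValueError("bad chunk-size line")
            size = int(m.group(1), 16)
            if size == 0:
                while reader.readline() not in (b"\r\n", b""):  # skip trailers
                    pass
                return written
            copy(size)
            if reader.read(2) != b"\r\n":
                raise ValueError("missing CRLF after chunk data")
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            raise ValueError("bad Content-Length")
        copy(int(headers["content-length"]))
        return written
    while True:  # identity body of unknown length: read until EOF
        piece = reader.read(PIECE)
        if not piece:
            return written
        if written + len(piece) > max_bytes:
            raise ValueError("body exceeds max_bytes")
        sink.write(piece)
        written += len(piece)


def fetch(raw_response, sink, max_bytes=256 * 1024 * 1024):
    """Decode one complete response (bytes, or a socket.makefile('rb') stream) into `sink`."""
    reader = io.BytesIO(raw_response) if isinstance(raw_response, bytes) else raw_response
    status, headers = parse_head(reader)
    if not status.startswith(("HTTP/1.1 200", "HTTP/1.0 200")):
        raise ValueError(f"unexpected status: {status}")
    return stream_body(reader, headers, sink, max_bytes)


def decode_to_bytes(raw_response, max_bytes=1 << 20):
    """Convenience wrapper returning the body; fetch() into an open file for real downloads."""
    sink = io.BytesIO()
    fetch(raw_response, sink, max_bytes)
    return sink.getvalue()


# Constructed samples. The chunked one carries a stale Content-Length: a client
# that trusted it would stop after 5 bytes and install a truncated file.
SAMPLE_CHUNKED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"6\r\nagent-\r\n" b"5;ext=1\r\n2.24.\r\n" b"1\r\n1\r\n"
    b"0\r\nX-Trailer: ignored\r\n\r\n"
)
SAMPLE_IDENTITY = b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nagent-2.24.1"
```

For a real download, pass the socket's `makefile("rb")` stream to fetch() with a file opened for binary writing as the sink; the body never needs to be held in memory. Framing correctness says nothing about where the file came from, so the installer's signature or checksum (the release packages are PGP-signed, per the 2.20.2 notes) should still be verified after the copy completes.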

January 2023

Version 2.24.0

January 26, 2023

Enhancements
  • Added support for container log collection in Fargate ECS deployments.

Fixes
  • Fixed the loss of final log batch on al-agent-container shutdown.

  • Fixed the unexpected loss of FIM and scan data transport during temporary loss of control connection.

October 2022

October 28, 2022 (Container image only)

Enhancements
  • Added ARM64 (aarch64) version of al-agent-container; both version and latest tags are now multi-arch.

Fixes
  • Fixed several Go runtime vulnerabilities caused by an outdated docker client binary in the container image.

June 2022

Version 2.23.0

June 30, 2022

Enhancements
  • Added the option to preserve original syslog message timestamps, where present and valid, rather than replacing them with the message receipt time.

  • Added subsecond-precision timestamp support.

Fixes
  • Fixed syslog collector message parsing for several non-standard header formats.

March 2022

Version 2.22.1

March 22, 2022

Fixes
  • Updated statically linked OpenSSL version to 1.1.1n.

  • Rebuilt OpenSSL to use /dev/urandom in preference to /dev/random (as in versions before 2.20.2) since the latter may block indefinitely on some types of virtual machines.

  • Fixed silently ignoring read errors on flat file collection resumption (which used to result in recollection in some cases).

  • Implemented graceful handling of Windows range lock violation errors in flat file collector where possible (avoiding spurious errors).

  • Fixed Windows flat file collector health status message when no files are present in the configured directory (warning instead of error).

January 2022

Version 2.22.0

January 6, 2022

Enhancements
  • Added ARM64 (aarch64) agent builds for Linux running glibc 2.17 or newer, including support for AWS Graviton (t4g, c6g, m6g, etc.) instance types. Supported operating systems and processor types are listed in Requirements for the Alert Logic Agent.

Fixes
  • Fixed container metadata reporting (image id being reported incorrectly) for cri-o powered container hosts (OpenShift, OKD).

  • Fixed premature container log collector disconnection for cri-o powered container hosts.

  • Fixed pollution of systemd journal with debug output from the agent.

December 2021

Version 2.21.0

December 16, 2021

Enhancements
  • Integration with Linux-based CRI engines (containerd, cri-o) for metadata extraction, traffic and log capture.

Fixes
  • Fixed pollution of systemd journal with debug output from the agent.

  • Fixed container log corruption when log drivers other than json-file and journald are used.

  • Fixed loss of container logs when stream sockets are prematurely closed by the container engine.

November 2021

Version 2.20.3

November 4, 2021

Fixes
  • Fixed possible non-Unicode characters in agent status and metadata (which can silently stall data collection).

  • Fixed pollution of systemd journal with debug output from the agent.

October 2021

Version 2.20.2

October 21, 2021

Fixes
  • Scan tools and updates directories are now properly cleaned on uninstall and reinstall.

  • Starting the remote syslog collector via /etc/init.d/al-log-syslog in the presence of systemd starts the systemd service as intended (instead of starting the collector directly).

  • Provisioning certificates now use SHA-256 signatures, and access to prov_key.pem is restricted to administrators for compliance reasons.

  • Worked around a package install problem on systems that don't provide proper systemd-sysv-install by default but still compile systemd with SysV support (for example, SLES 15).

  • Added type labels for agent install directories to allow the agent to work with default selinux policies on RHEL/CentOS 8.

  • Release rpm and deb packages now have PGP signatures; public key is available at https://scc.alertlogic.net/software/al-agent-pkg-key.asc.

  • Fixed a crash on shutdown when the shutdown occurs before an initial controller connection is established.

  • Updated statically linked dependencies.

  • Linux versions now set the collector processes to low priority consistently with Windows versions.

  • The --host-type (-t) option is now persisted by the 'configure' command and can be supplied as HOST_TYPE to the MSI package.

  • The collect-responses.log file generated by the syslog collector is no longer opened in append mode to avoid generating spurious errors in restricted environments.

  • Fixed event log recollection for cloned instances or those restored from backups.

  • Removed period randomization in between scan task executions to make agent-based scan results more predictable.

  • Fixed a race condition and busy loops in the master agent when a child process is crashing repeatedly.

May 2021

Version 2.20.1

May 27, 2021

Fixes
  • Enabled stricter hostname validation for syslog messages, so that program name, pid or message id no longer ends up in the hostname field.

  • Maximum log message size has been increased from 32/64 KB to 750 KB to prevent truncation of large messages.

  • Fixed inconsistent message truncation for oversize syslog messages.

  • Fixed the syslog collector occasionally producing oversize batches rejected by lmcollect, caused by having only a message-count limit (but no byte-size limit) per batch.

  • Fixed use of an uninitialized variable on certain error conditions when running external processes.
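The 2.23.0 note above on preserving original syslog timestamps and the 2.20.1 fixes in this list (hostname validation, message size, and batch limits) touch the same parsing path. The following is an added example, not Alert Logic's collector code, showing how those rules fit together: an RFC 3164 or RFC 5424 header timestamp is kept only when it parses (subsecond precision preserved), the hostname token is validated so a TAG such as sshd[123]: never lands in the hostname field, oversize lines are cut at one fixed ceiling, and batches close on either a message count or a byte size. The batch limits, the sender address, the UTC assumption for RFC 3164 stamps, and the log lines are all constructed for the example.

```python
# Added example, not Alert Logic's code: syslog header handling as described in
# the 2.23.0 (timestamps) and 2.20.1 (hostname, size, batching) release notes.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

MAX_MESSAGE_BYTES = 750 * 1024   # ceiling stated in the 2.20.1 notes
MAX_BATCH_MESSAGES = 500          # assumed batch limits; the notes give no figures
MAX_BATCH_BYTES = 512 * 1024

_RFC5424 = re.compile(rb"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) "
                      rb"(?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
_RFC3164 = re.compile(rb"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d "
                      rb"\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$", re.S)
# Hostname or IP literal only: no leading '-', no trailing ':' or '.', no [ ] / _ chars.
_HOSTNAME = re.compile(rb"^(?!-)[A-Za-z0-9.\-:]{1,253}(?<![.:])$")


@dataclass
class SyslogEvent:
    priority: int
    timestamp: datetime          # header time if present and valid, else receipt time
    timestamp_from_header: bool
    hostname: str                # header hostname if valid, else the sending address
    hostname_from_header: bool
    message: bytes               # header stripped; at most MAX_MESSAGE_BYTES
    truncated: bool


def parse_timestamp(ts: bytes, received: datetime):
    """(time, True) for a valid header stamp, else (received, False).

    RFC 3164 stamps lack year and zone: the receipt year (rolled back one if
    that puts the stamp in the future) and UTC are assumed, a simplification.
    """
    text = ts.decode("ascii", "replace")
    try:
        if text[:1].isdigit():                         # RFC 5424, keeps the fraction
            dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
            if dt.tzinfo is None:
                raise ValueError("RFC 5424 requires a zone")
        else:                                          # RFC 3164: "Jun 30 23:59:58"
            dt = datetime.strptime(text, "%b %d %H:%M:%S")
            dt = dt.replace(year=received.year, tzinfo=timezone.utc)
            if dt > received + timedelta(days=1):
                dt = dt.replace(year=received.year - 1)
    except ValueError:
        return received, False
    return dt, True


def parse(raw: bytes, received: datetime, sender: str) -> SyslogEvent:
    """Parse one syslog line; truncation happens first, at one fixed ceiling."""
    truncated = len(raw) > MAX_MESSAGE_BYTES
    raw = raw[:MAX_MESSAGE_BYTES]
    m = _RFC5424.match(raw) or _RFC3164.match(raw)
    if not m:                                   # no header: whole line is the message
        return SyslogEvent(13, received, False, sender, False, raw, truncated)
    host, rest = m.group("host"), m.group("rest")
    if m.re is _RFC3164 and not _HOSTNAME.match(host):
        # A TAG like "sshd[123]:" sits where the hostname belongs because the
        # sender omitted it: keep it in the message, never report it as host.
        rest, host = host + b" " + rest, b"-"
    valid = _HOSTNAME.match(host) is not None   # RFC 5424 NILVALUE "-" fails too
    ts, ts_ok = parse_timestamp(m.group("ts"), received)
    return SyslogEvent(int(m.group("pri")), ts, ts_ok,
                       host.decode("ascii") if valid else sender, valid, rest, truncated)


def batch(events, max_count=MAX_BATCH_MESSAGES, max_bytes=MAX_BATCH_BYTES):
    """Yield batches closed by count or bytes, whichever first; a lone oversize event still ships."""
    current, size = [], 0
    for ev in events:
        if current and (len(current) >= max_count or size + len(ev.message) > max_bytes):
            yield current
            current, size = [], 0
        current.append(ev)
        size += len(ev.message)
    if current:
        yield current


RECEIVED = datetime(2022, 7, 1, 0, 0, 5, tzinfo=timezone.utc)
SENDER = "10.0.0.5"
SAMPLE_LINES = [  # constructed lines, not captured from a real host
    b"<34>Jun 30 23:59:58 web-01 sshd[4711]: Failed password for root from 203.0.113.9 port 51234 ssh2",
    b"<34>Jun 30 23:59:58 sshd[4711]: Failed password for root from 203.0.113.9 port 51234 ssh2",
    b"<165>1 2022-06-30T23:59:58.123456Z web-02 app 1234 ID47 - started",
    b"<13>Not a real header at all",
    b"<13>Feb 30 00:00:00 web-03 cron[1]: bogus date",
]


def parse_samples() -> List[SyslogEvent]:
    return [parse(line, RECEIVED, SENDER) for line in SAMPLE_LINES]
```

The second sample line is the case the 2.20.1 fix targets: the sender left out its hostname, so a count-based parser would report "sshd[4711]:" as the host. Here the token fails hostname validation, is pushed back into the message, and the event is attributed to the sending address instead. The last line shows the 2.23.0 rule from the other direction: "Feb 30" is present but not valid, so the receipt time is used.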

Version 2.20.0 (statemonitor component only)

May 6, 2021

New Features
  • Support for agent-based scan tasks.

  • Support for pausing and resuming scheduled tasks; task schedules are no longer reset on config updates.

December 2020

Version 2.19.0

December 17, 2020

New Features
  • Support for ECS task metadata service in AWS Fargate (introducing autoclaim and container+image assets in this environment).

November 2020

Version 2.18.0

November 19, 2020

New Features
  • Enabled compression for all ingest data types except hostmeta (most notably fimdata).

Fixes
  • Added mitigations against possible repeated installation of Npcap, resulting in interruption of network connectivity on the affected hosts.

  • Fixed unexpected Windows file locking in FIM interfering with other applications.

  • Fixed consistently incorrect file SHA-1 hash computation in FIM.

October 2020

Version 2.17.2

October 29, 2020

New Features
  • Updated the Windows installer logos and file icons to follow the new branding.

Fixes
  • Fixed a potential use-after-free crash or misbehavior triggered by thread termination in Linux agent versions.

September 2020

Version 2.17.1

September 29, 2020

Fixes
  • Updated Npcap installer from version 0.993 to 0.9997 to mitigate incomplete pcap installations and blue screens.

  • Fixed incorrect host IP address being occasionally selected during container loopback (Istio) packet capture.

Version 2.17.0

September 1, 2020

Fixes
  • FIM agent now sends information on file owner, group, attributes, and permissions.

July 2020

Version 2.16.0

July 9, 2020

New Features
  • Agents running in AWS WorkSpaces will send extra network interface and account info in claim and host metadata, allowing future support for autoclaim.

  • In AWS EC2, the agent will use v2 metadata (requiring access token) where v1 access is disabled.

Fixes
  • The agent no longer sends invalid DC claim metadata, which prevented some agents from provisioning in MDR DC deployments since v2.14.0. Affected hosts cannot be updated remotely and should be remediated manually, as unclaimed agents are not eligible for remote updates.

June 2020

Version 2.15.0

June 25, 2020

New Features
  • Added FIM support for exclusions and recursive directory tree watchers.

Fixes
  • Fixed duplicate generation of registry events on 32-bit Windows systems.

Version 2.14.0

June 16, 2020

New Features
  • The Alert Logic Agent Container includes an Istio detector to inspect the traffic between your containers. To learn more about Istio support, see Istio Support for Containers.

Fixes
  • Refined version 2.13.1 workaround for Npcap spontaneously stopping capture with all packets counted as dropped, allowing it to detect occasional cases it previously missed.

May 2020

Version 2.13.2

May 28, 2020

Fixes
  • Fixed system performance degradation triggered by IDS agent over time due to resource leaks of varying severity in Npcap and WinPcap implementations of pcap_findalldevs(). The agent no longer relies on this API.

  • Rolled back Npcap installer from 0.9990 back to 0.993 due to new user-reported system stability problems introduced by newer version.

April 2020

Version 2.13.1

April 21, 2020

Fixes
  • Added workaround for Npcap spontaneously stopping capture with all packets counted as dropped.

  • Updated Npcap installer from version 0.993 to 0.9990 to mitigate incomplete pcap installations.

March 2020

Version 2.13.0

March 13, 2020

Fixes
  • Docker metadata extraction no longer hangs the agent if it happens when the docker daemon is starting up.

  • File name filters for flat file discovery requests are no longer case sensitive on Windows.

February 2020

Version 2.12.0

February 13, 2020

New Features
  • Added flat file stream discovery, needed for the application-based flat file collection introduced with the Managed Detection and Response log feature.

Fixes
  • Collection from non-existing flat files in a directory now produces a consistent warning status as opposed to warning or error depending on state.

  • When a flat file collection directory is initially empty, subsequent addition of files to that directory results in collection from their beginning rather than from the current position on first observation.

December 2019

Version 2.11.1

December 5, 2019

Fixes
  • Windows metadata extraction now discovers all available IP addresses.

  • Docker container packaging of the agent (al-agent-container) no longer tries to collect the logs of its own agent into the account of the customer.

  • The agent no longer loses the configuration when clearing the ingest transport configuration from the controller and then resetting it to the same value.

July 2019

Version 2.9.10 (Event Log Collector only)

July 23, 2019

Fixes
  • Fixed resource DLL cache leaks after load errors.

  • Fixed invalid parameter errors for resource DLLs in default search path.

  • Fixed spurious errors from trying to open event logs we are not going to collect (disabled or analytic/debug).

Version 2.9.9

July 2, 2019

Fixes
  • Disabled the usage of SNI header in TLS connections, which caused some proxies to route agent requests to incorrect data centers.

  • Master agent periodically retries restarts of crashed collectors if such restarts fail, instead of leaving them stopped.

  • Fixed incorrect formatting of event log messages with certain patterns and publishers.

  • Fixed collection of non-ASCII event log stream names.

  • TM appliance agent periodically retries configuring the balancer framework if this fails.

May 2019

Version 2.9.8

May 21, 2019

Fixes
  • Fixed memory leak in metadata transport procedure, causing master agent to exceed the memory limits defined for ECS and Kubernetes jobs with frequently updated metadata.

April 2019

Version 2.9.7

April 30, 2019

Fixes
  • Updated Npcap installer from version 0.99-r7 to 0.993 to support Windows versions 1809 and above.

  • Fixed handling of configuration items larger than 8 KB (e.g. long whitelists), which previously resulted in config failures and no service on Windows.

Version 2.9.6

April 26, 2019

Fixes
  • Fixed expired code signing certificate for Windows exes and package.

March 2019

Version 2.9.5

March 12, 2019

New Features
  • Health errors and warning codes now use unique values, allowing them to be mapped unambiguously to remediation actions for Managed Detection and Response.

December 2018

Version 2.9.4

December 14, 2018

Fixes
  • Docker container log collection is now controlled by a separate policy setting, without depending on TCP collection policy setting.

  • Fixed possible crash with too many connections and a problem with docker container socket re-use in the syslog collector.

November 2018

Version 2.9.3

November 16, 2018

New Features
  • The Windows version of the universal agent now installs Npcap OEM instead of WinPcap where needed (and supported). If already installed, the agent will work with either Npcap or WinPcap. Npcap is preferred if both are installed.

Version 2.9.2

November 6, 2018

Fixes
  • Fixed resource leak with Azure provisioning requests.

October 2018

Version 2.9.1 (Managed Detection and Response only)

October 25, 2018

New Features
  • Agents can now be claimed in Data Center deployments with Managed Detection and Response.

Version 2.9.0

October 3, 2018

New Features
  • Added Docker container log collection support to the agent syslog collector. The agent automatically discovers new containers, opens their log streams, and forwards their logs to Log Manager.

Fixes
  • Fixed intermittent syslog collector crashes against batches not closed cleanly by the previous instances.

  • Improved large file support for flat file collectors on 32-bit Linux builds.

June 2018

Version 2.8.2

June 12, 2018

Fixes
  • Fixed intermittent agent freezes while extracting Docker metadata if a Docker container is being stopped at the same time.

  • Protection goes into effect with fewer delays when multiple new Docker containers are spinning up in the same cluster.

  • Default Kubernetes IP space is no longer reported as public in the agent metadata (additional RFC 6890 private IP ranges are classified as private).

May 2018

Version 2.8.1

May 31, 2018

Fixes
  • Custom containerized deployments of the agent no longer cause it to crash if the agent container is not given a SYS_ADMIN capability or privileged mode. Privileged mode is still required for proper Docker integration.

Version 2.8.0

May 17, 2018

New Features
  • This release adds support for the ingest transport channel. The agent will receive and store ingest service transport configuration from the back-end controller and will transport the host metadata directly to the ingest service if possible, unless configured otherwise at install time.

  • This release extends Azure metadata support. The agent will utilize the recently introduced Azure instance metadata service to collect additional metadata for Azure deployments.

  • This release phases out the previous private PKI for TLS certificate chain validation, and replaces it with a public CA bundle and CN/SAN validation.

March 2018

Version 2.7.0 (Docker container only)

March 22, 2018

New Features
  • Support for binding Docker container interfaces in Threat Manager agent, enabling raw container traffic inspection.

  • Support for rich container metadata and non-bridged mode container IP address extraction.

  • Official Docker container packaging (al-agent-container).

Version 2.6.1

March 15, 2018

Fixes
  • Event log collector no longer repeatedly crashes with eventlog resource DLLs compiled with newer versions of message compiler, including Windows version 1709 and above.

  • Flat file collector no longer fails to parse dates out of file names if the date is not prefixed with a separator.

Version 4.2.1 - Threat Manager Appliance Framework

March 8, 2018

Fixes
  • Remediated an issue that can lead to duplicate post data in a deny log.

  • Remediated an issue that resulted in a memory leak.

  • Remediated an issue where the PWAF module would block the framework from functioning properly.

October 2017

Version 2.6.0

October 20, 2017

New Features
  • The Threat Manager agent no longer waits several minutes until its next check-in to fail over to other appliances in its assignment policy in case its preferred appliance is unavailable (fail-over happens without back-end intervention).

  • A configured but freshly restarted Threat Manager agent no longer depends on the back-end availability to connect to appliances (locally cached config is used to connect to appliances immediately in assignment policy order, starting with the preferred appliance).

  • Agent provisioning is more robust against intermittent or persistent failures (agents will now use limited retries for provisioning errors).

Fixes
  • Specifying backup controller host/port no longer triggers a bogus error state on fail-over.

June 2017

Version 2.5.1

June 11, 2017

Fixes
  • Amazon Inspector no longer detects the agent as a medium vulnerability due to the lack of stack security cookies in Linux executables.

NOTE: Product Management authored a notification released to specific customers who had inquired about the vulnerability when it appeared in scanning reports.

April 2017

Version 2.5.0

April 13, 2017

New Features
  • Detection of container IP addresses for Universal Agent hosts running Docker (required in order to analyze traffic generated in Docker containers by Threat Manager appliances).

March 2017

Version 2.4.1

March 17, 2017

Fixes
  • Fixed a retry-loop bug that caused very rapid connections to the provisioning service and could have caused a provisioning outage.

Version 2.4.0

March 16, 2017

New Features
  • Added auto-claim functionality for Threat Manager and Log Manager appliances and agents deployed in converged AWS and Azure cloud environments. Agents and appliances deployed in such environments no longer require a provisioning key to claim.

NOTE: Product Management authored two notifications, released to customers two weeks prior to the generally available release.

December 2016

Version 2.3.6

December 1, 2016

Fixes
  • When an appliance goes down, Threat Manager agent fail-over to another appliance no longer takes too long.

August 18, 2016

New Features
  • Agent Alerting is specific to Threat Manager agents, which previously could not have alert rules associated with them to notify customers when service-impacting issues occur. This feature enables customers to use the Alert Logic console to configure alerts for their agents; the alerts notify customers when agents suffer the following conditions:

    • Agent Health State changes to:

      • Offline

      • Error

    • Agents cannot communicate with:

      • The appliance

      • The backend

  • The goal is to provide early indication of a problem so that it can be addressed as soon as possible. This feature is necessary because the Alert Logic NOC/TOC does not monitor the status of agents due to the nature of their behavior.

Changes
  • UI-level changes with a new configuration UI to configure collection alerts for Threat Manager agents.

NOTE:
  • Outreach should occur to existing customers who have mentioned the lack of this functionality. We should work to get a small number of those customers configured properly, and once complete, we should work on broader outreach to the rest of our Threat Manager customer base.
  • Public marketing will be done for this feature.

Version 2.3.1

August 11, 2016

Fixes
  • Updating master executable in older legacy (1.*) Threat Manager agent installations no longer quits the service without restarting it (losing the agent).

  • Trying to update master executables to universal on an auto-scaling host running both legacy log and threat agents no longer results in both installations remaining active and appearing as clones.

April 2016

April 5, 2016

Fixes
  • Resolved issue with WSM customers seeing 0.0.0.0 source address for some messages.

  • Improved several out-of-order and other packet handling scenarios (primarily for Web Security Manager).

  • Added several statistics to logs for decrypted traffic.

Security
  • Release of several shared packages with Web Security Manager:

    • al-threat-sensor-2.2.1-17

    • al-tm-balancer-2.4.9

    • al-tm-decrypter-2.2.72.g38bcc80-2
