Alert Logic Universal Agent release notes
Release date: December 10, 2024 - Agent Version 2.26.0
Functional improvements
- Line breaks in Windows event log messages are preserved to aid in the development of future analytics.
- The collection method of FIM Windows registry events is improved, allowing for detailed event metadata, including specific key and value names modified.
Bug fixes
- The remotely updated Windows master executable is no longer started with below-normal priority, fixing service start timeouts.
- Downloaded update installer files are now deleted after successful installation.
Release date: June 4, 2024 - Agent Version 2.25.0
Functional improvements
- Agent-assisted decryption support for IDS
Bug fixes
- Fixed starvation of some syslog & container log sockets on high load
- Fixed blocking of syslog, container log, and traffic capture sockets by long-running host metadata refreshes
- Fixed dependence on Content-Length headers for non-identity encodings in HTTP(S) downloads
- Dropped "After=syslog.target" from systemd unit files
Release date: March 5, 2024 - Agent Version 2.24.1
Bug fixes
- Fixed the loss of syslog batch queue on Linux file systems other than ext* and btrfs
- Revised os_details metadata collection logic for modern Windows versions
- Prevent EvtRender() and EvtOpenPublisherMetadata() API errors from stalling event log collection
- Support UTF-8 event log message resources introduced in Windows 11
- Avoid resending already sent syslog batches on agent reclaim (respect skip_historical flag in syslog collector)
- Fixed startup crash on invalid LANG or LC_ALL locale strings
- Fixed intermittent failures reading output from child processes (occasionally breaking agent-based scans)
- Reduced memory usage in updater (avoiding downloading entire files to memory)
- Use GetNamedSecurityInfo() instead of GetSecurityInfo() in FIM to avoid opening monitored files
- Added agent-based scan timeouts (prevent hung subprocesses from indefinitely stalling scans)
- Avoided loading system-wide osquery extensions and config for agent-based scans
- Increased the number of handled containers per host from 170-340 to 500-1000 (depending on container runtime)
- Updated statically linked dependencies
Release date: January 26, 2023 - Agent Version 2.24.0
Functional improvements
- Added support for container log collection in Fargate ECS deployments
Bug fixes
- Fixed the loss of final log batch on al-agent-container shutdown
- Fixed the unexpected loss of FIM and scan data transport during temporary loss of control connection
Release date: October 28, 2022 - Container image only
Functional improvements
- Added ARM64 (aarch64) version of al-agent-container; both version and latest tags are now multi-arch
Bug fixes
- Fixed several Go runtime vulnerabilities due to outdated docker client binary in the container
Release date: June 30, 2022 - Agent Version 2.23.0
Functional improvements
- Added the option to preserve original syslog message timestamps, where present and valid, rather than replacing them with the message receipt time
- Added subsecond-precision timestamp support. Log
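The timestamp handling described above, as an added illustration that is not the agent's own code: a message's own RFC 5424 (with sub-second precision) or RFC 3164 timestamp is kept when present and valid, and the receipt time is used otherwise. The header patterns and the year-rollover rule for RFC 3164 are assumptions.

```python
"""Keep a syslog message's own timestamp when present and valid, else use
the receipt time. Added illustration, not Alert Logic agent code; the
header patterns and fallback rules are assumptions."""
from __future__ import annotations
import re
from datetime import datetime
from typing import Optional, Tuple

# RFC 5424 header: <PRI>VERSION TIMESTAMP ...  (TIMESTAMP may carry fractional seconds)
_RFC5424 = re.compile(r"^<\d{1,3}>\d+\s+(?P<ts>\S+)\s")
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss ...  (no year, no sub-seconds, no zone)
_RFC3164 = re.compile(r"^<\d{1,3}>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})\s")


def _parse_rfc5424(ts: str) -> Optional[datetime]:
    if ts == "-":                      # NILVALUE: the sender had no usable clock
        return None
    try:
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:                 # malformed date/time: treat as absent
        return None
    # RFC 5424 timestamps always carry a zone; a naive value is not trusted
    return dt if dt.tzinfo is not None else None


def _parse_rfc3164(ts: str, received: datetime) -> Optional[datetime]:
    try:
        dt = datetime.strptime(ts, "%b %d %H:%M:%S")
    except ValueError:
        return None
    # BSD syslog omits the year: borrow it from the receipt time, and roll back one
    # year if that would place the message in the future (logged late December,
    # received early January).
    dt = dt.replace(year=received.year, tzinfo=received.tzinfo)
    if dt > received:
        dt = dt.replace(year=received.year - 1)
    return dt


def message_timestamp(line: str, received: datetime) -> Tuple[datetime, bool]:
    """Return (timestamp, preserved). `preserved` is True when the message's own
    timestamp was used; `received` should be timezone-aware."""
    m = _RFC5424.match(line)
    if m:
        dt = _parse_rfc5424(m.group("ts"))
        if dt is not None:
            return dt, True
    m = _RFC3164.match(line)
    if m:
        dt = _parse_rfc3164(m.group("ts"), received)
        if dt is not None:
            return dt, True
    return received, False            # no header, NILVALUE, or invalid timestamp
```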
Bug fixes
- Fixed syslog collector message parsing for several non-standard header formats
Release date: March 22, 2022 - Agent Version 2.22.1
Bug fixes
- Updated statically linked OpenSSL version to 1.1.1n
- Rebuilt OpenSSL to use /dev/urandom in preference to /dev/random (as in versions before 2.20.2) since the latter may block indefinitely on some types of virtual machines
- Fixed silently ignoring read errors on flat file collection resumption (which used to result in recollection in some cases)
- Implemented graceful handling of Windows range lock violation errors in flat file collector where possible (avoiding spurious errors)
- Fixed Windows flat file collector health status message when no files are present in the configured directory (warning instead of error)
Release date: January 6, 2022 - Agent Version 2.22.0
Functional improvements
- Added ARM64 (aarch64) agent builds for Linux running glibc 2.17 or newer, including support for AWS Graviton (t4g, c6g, m6g, etc.) instance types. Supported operating systems and processor types may be found here: Requirements for the Alert Logic Agent
Bug fixes
- Fixed container metadata reporting (image id being reported incorrectly) for cri-o powered container hosts (OpenShift, OKD)
- Fixed premature container log collector disconnection for cri-o powered container hosts
- Fixed pollution of systemd journal with debug output from the agent
Release date: December 16, 2021 - Agent Version 2.21.0
Functional improvements
- Integration with Linux-based CRI engines (containerd, cri-o) for metadata extraction, traffic and log capture
- Fixed pollution of systemd journal with debug output from the agent
Bug fixes
- Fixed container log corruption when log drivers other than json-file and journald are used
- Fixed loss of container logs when stream sockets are prematurely closed by the container engine
Release date: November 4, 2021 - Agent Version 2.20.3
Bug fixes
- Fixed possible non-Unicode characters in agent status and metadata (which can silently stall data collection)
- Fixed pollution of systemd journal with debug output from the agent
Release date: October 21, 2021 - Agent Version 2.20.2
Bug fixes
- Scan tools and updates directories are now properly cleaned on uninstall and reinstall
- Starting the remote syslog collector via /etc/init.d/al-log-syslog in the presence of systemd starts the systemd service as intended (instead of starting the collector directly)
- Provisioning certificates now use sha256 signature and access to prov_key.pem is restricted to administrators for compliance reasons
- Worked around a package install problem on systems that don't provide proper systemd-sysv-install by default but still compile systemd with SysV support, e.g. SLES 15
- Added type labels for agent install directories to allow the agent to work with default selinux policies on RHEL/CentOS 8
- Release rpm and deb packages now have PGP signatures; public key is available at https://scc.alertlogic.net/software/al-agent-pkg-key.asc
- Fixed a crash on shutdown when the shutdown occurs before an initial controller connection is established
- Updated statically linked dependencies
- Linux versions now set the collector processes to low priority consistently with Windows versions
- The --host-type (-t) option is now persisted by the 'configure' command and can be supplied as HOST_TYPE to the MSI package
- The collect-responses.log file generated by the syslog collector is no longer opened in append mode to avoid generating spurious errors in restricted environments
- Fixed event log recollection for cloned instances or those restored from backups
- Removed period randomization in between scan task executions to make agent-based scan results more predictable
- Fixed a race condition and busy loops in the master agent when a child process is crashing repeatedly
Release date: May 27, 2021 - Agent Version 2.20.1
Bug fixes
- Enabled stricter hostname validation for syslog messages, so that program name, pid or message id no longer ends up in the hostname field.
- Maximum log message size has been increased from 32/64 to 750 KB to prevent truncation of large messages
- Fixed inconsistent message truncation for oversize syslog messages
- Fixed syslog collector occasionally producing oversize batches rejected by lmcollect, due to having only message-count (but not byte-size) limit per batch
- Fixed uninitialized variable use on certain error conditions when running external processes
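The batching and truncation fixes above, as an added illustration that is not the agent's code: oversize messages are cut to the same length every time (without splitting a UTF-8 sequence), and a batch is closed on either a message-count or a byte-size limit, so a receiver that enforces a byte limit never sees an oversize batch. The 750 KB per-message cap comes from the release note; the per-batch limits are assumed placeholders.

```python
"""Batch syslog messages under both a count and a byte-size limit, truncating
oversize messages consistently first. Added illustration, not agent code; the
batch limits below are assumed placeholders."""
from __future__ import annotations
from typing import Iterable, Iterator, List

MAX_MESSAGE_BYTES = 750 * 1024        # per-message cap named in the release note
MAX_BATCH_MESSAGES = 1000             # assumed per-batch message-count limit
MAX_BATCH_BYTES = 4 * 1024 * 1024     # assumed per-batch byte limit the receiver enforces
TRUNCATION_MARK = b"...[truncated]"   # assumed marker appended to cut messages


def truncate(msg: bytes, limit: int = MAX_MESSAGE_BYTES) -> bytes:
    """Cut an oversize message to exactly `limit` bytes or fewer, the same way
    every time, ending with a marker and never splitting a UTF-8 sequence."""
    if len(msg) <= limit:
        return msg
    keep = limit - len(TRUNCATION_MARK)
    # back off to a UTF-8 character boundary: continuation bytes look like 10xxxxxx
    while keep > 0 and (msg[keep] & 0xC0) == 0x80:
        keep -= 1
    return msg[:keep] + TRUNCATION_MARK


def batches(messages: Iterable[bytes],
            max_msgs: int = MAX_BATCH_MESSAGES,
            max_bytes: int = MAX_BATCH_BYTES) -> Iterator[List[bytes]]:
    """Yield batches that respect both limits. A batch is closed before adding a
    message that would push it past either limit; a single (already truncated)
    message is always emitted, on its own if necessary."""
    batch: List[bytes] = []
    size = 0
    for raw in messages:
        msg = truncate(raw)           # truncate before counting its bytes
        if batch and (len(batch) >= max_msgs or size + len(msg) > max_bytes):
            yield batch
            batch, size = [], 0
        batch.append(msg)
        size += len(msg)
    if batch:
        yield batch
```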
Release date: May 6, 2021 (statemonitor component only) - Agent Version 2.20.0
Features
- Support for agent-based scan tasks
- Support for pausing and resuming scheduled tasks and avoid resetting task schedules on config updates
Release date: December 17, 2020 - Agent Version 2.19.0
Features
Support for ECS task metadata service in AWS Fargate (introducing autoclaim and container+image assets in this environment)
Release date: November 19, 2020 - Agent Version 2.18.0
Features
Enabled compression for all ingest data types except hostmeta (most notably fimdata)
Bug fixes
- Added mitigations against possible repeated installation of Npcap, resulting in interruption of network connectivity on the affected hosts
- Fixed unexpected Windows file locking in FIM interfering with other applications
- Fixed consistently incorrect file SHA-1 hash computation in FIM
Release date: October 29, 2020 - Agent Version 2.17.2
Features
Updated the Windows installer logos and file icons to follow the new branding.
Bug fixes
Fixed a potential use-after-free crash or misbehavior triggered by thread termination in Linux agent versions.
Release date: September 29, 2020 - Agent Version 2.17.1
Bug fixes
- Updated Npcap installer from version 0.993 to 0.9997 to mitigate incomplete pcap installations and blue screens.
- Fixed incorrect host IP address being occasionally selected during container loopback (Istio) packet capture.
Release date: September 1, 2020 - Agent Version 2.17.0
Bug fixes
FIM agent now sends information on file owner, group, attributes, and permissions.
Release date: July 9, 2020 - Agent Version 2.16.0
Features
- Agents running in AWS WorkSpaces will send extra network interface and account info in claim and host metadata, allowing future support for autoclaim.
- In AWS EC2, the agent will use v2 metadata (requiring access token) where v1 access is disabled.
Bug fixes
The agent no longer sends invalid DC claim metadata, which prevented some agents from provisioning in MDR DC deployments since v2.14.0. Affected hosts cannot be updated remotely and should be remediated manually, as unclaimed agents are not eligible for remote updates.
Release date: June 25, 2020 - Agent Version 2.15.0
Features
Added FIM support for exclusions and recursive directory tree watchers.
Bug fixes
Fixed duplicate generation of registry events on 32-bit Windows systems.
Release date: June 16, 2020 - Agent Version 2.14.0
Features
The Alert Logic Agent Container includes an Istio detector to inspect the traffic between your containers. To learn more about Istio support, see Istio Support for Containers.
Bug fixes
Refined version 2.13.1 workaround for Npcap spontaneously stopping capture with all packets counted as dropped, allowing it to detect occasional cases it previously missed.
Release date: May 28, 2020 - Agent Version 2.13.2
Bug fixes
- Fixed system performance degradation triggered by IDS agent over time due to resource leaks of varying severity in Npcap and WinPcap implementations of pcap_findalldevs(). The agent no longer relies on this API.
- Rolled back the Npcap installer from 0.9990 to 0.993 due to new user-reported system stability problems introduced by the newer version.
Release date: April 21, 2020 - Agent Version 2.13.1
Bug fixes
- Added workaround for Npcap spontaneously stopping capture with all packets counted as dropped.
- Updated Npcap installer from version 0.993 to 0.9990 to mitigate incomplete pcap installations.
Release date: March 31, 2020 - Agent Version 2.13.0
Bug fixes
- Docker metadata extraction no longer hangs the agent if it happens when the docker daemon is starting up.
- File name filters for flat file discovery requests are no longer case sensitive on Windows.
Release date: February 13, 2020 – Agent Version 2.12.0
Features
Flat file stream discovery functionality needed for application-based flat file collection introduced with Managed Detection and Response log feature.
Bug fixes
- Collection from non-existing flat files in a directory now produces a consistent warning status as opposed to warning or error depending on state.
- When a flat file collection directory is initially empty, subsequent addition of files to that directory results in collection from their beginning rather than from the current position on first observation.
Release date: December 5, 2019 – Agent Version 2.11.1
Bug fixes
- Windows metadata extraction now discovers all available IP addresses.
- Docker container packaging of the agent (al-agent-container) no longer tries to collect the logs of its own agent into the account of the customer.
- The agent no longer loses the configuration when clearing the ingest transport configuration from the controller and then resetting it to the same value.
Release date: July 23, 2019 – Agent Version 2.9.10 (event log collector only)
Bug fixes
- Fixed resource DLL cache leaks after load errors.
- Fixed invalid parameter errors for resource DLLs in default search path.
- Fixed spurious errors from trying to open event logs we are not going to collect (disabled or analytic/debug).
Release date: July 2, 2019 – Agent Version 2.9.9
Bug fixes
- Disabled the usage of SNI header in TLS connections, which caused some proxies to route agent requests to incorrect data centers.
- Master agent periodically retries restarts of crashed collectors if such restarts fail, instead of leaving them stopped.
- Fixed incorrect formatting of event log messages with certain patterns and publishers.
- Fixed collection of non-ASCII event log stream names.
- TM appliance agent periodically retries configuring the balancer framework if this fails.
Release date: May 21, 2019 – Agent Version 2.9.8
Bug fixes
Fixed memory leak in metadata transport procedure, causing master agent to exceed the memory limits defined for ECS and Kubernetes jobs with frequently updated metadata.
Release date: April 30, 2019 – Agent Version 2.9.7
Bug fixes
- Updated Npcap installer from version 0.99-r7 to 0.993 to support Windows versions 1809 and above.
- Fixed handling of configuration items larger than 8 KB (e.g. long whitelists), which previously resulted in config failures and no service on Windows.
Release date: April 26, 2019 – Agent Version 2.9.6
Bug fixes
Fixed expired code signing certificate for Windows exes and package.
Release date: March 12, 2019 – Agent Version 2.9.5
Features
Health errors and warning codes now use unique values, allowing them to be mapped unambiguously to remediation actions for Managed Detection and Response.
Release date: December 14, 2018 – Agent Version 2.9.4
Bug fixes
- Docker container log collection is now controlled by a separate policy setting, without depending on TCP collection policy setting.
- Fixed possible crash with too many connections and a problem with docker container socket re-use in the syslog collector.
Release date: November 16, 2018 – Agent Version 2.9.3
Features
The Windows version of the universal agent now installs Npcap OEM instead of WinPcap where needed (and supported). If already installed, the agent will work with either Npcap or WinPcap. Npcap is preferred if both are installed.
Release date: November 6, 2018 – Agent Version 2.9.2
Bug fixes
Fixed resource leak with Azure provisioning requests.
Release date: October 25, 2018 – Agent Version 2.9.1 (Managed Detection and Response only)
Features
Agents can now be claimed in Data Center deployments with Managed Detection and Response.
Release date: October 3, 2018 – Agent Version 2.9.0
Features
Added Docker container log collection support to the agent syslog collector. The agent automatically discovers new containers, opens their log streams, and forwards their logs to Log Manager.
Bug fixes
- Fixed intermittent syslog collector crashes against batches not closed cleanly by the previous instances.
- Improved large file support for flat file collectors on 32-bit Linux builds.
Release date: June 12, 2018 – Agent Version 2.8.2
Bug fixes
- Fixed intermittent agent freezes while extracting Docker metadata if a Docker container is being stopped at the same time.
- Protection goes into effect with fewer delays when multiple new Docker containers are spinning up in the same cluster.
- Default Kubernetes IP space is no longer reported as public in the agent metadata (additional RFC 6890 private IP ranges are classified as private).
Release date: May 31, 2018 – Agent Version 2.8.1
Bug fixes
Custom containerized deployments of the agent no longer cause it to crash if the agent container is not given a SYS_ADMIN capability or privileged mode. Privileged mode is still required for proper Docker integration.
Release date: May 17, 2018 – Agent Version 2.8.0
Features
- This release adds support for the ingest transport channel. The agent will receive and store ingest service transport configuration from the back-end controller and will transport the host metadata directly to the ingest service if possible, unless configured otherwise at install time.
- This release extends Azure metadata support. The agent will utilize the recently introduced Azure instance metadata service to collect additional metadata for Azure deployments.
- This release phases out the previous private PKI for TLS certificate chain validation, and replaces it with a public CA bundle and CN/SAN validation.
Release date: March 22, 2018 – Agent Version 2.7.0 (Docker container only)
Features
- Support for binding Docker container interfaces in Threat Manager agent, enabling raw container traffic inspection.
- Support for rich container metadata and non-bridged mode container IP address extraction
- Official Docker container packaging (al-agent-container)
Release date: March 15, 2018 – Agent Version 2.6.1
Bug fixes
- Event log collector no longer repeatedly crashes with eventlog resource DLLs compiled with newer versions of message compiler, including Windows version 1709 and above.
- Flat file collector no longer fails to parse dates out of file names if the date is not prefixed with a separator.
Release date: March 8, 2018 – Threat Manager Appliance Framework Version 4.2.1
Bug fixes
- Remediated an issue that can lead to duplicate post data in a deny log
- Remediated an issue that resulted in a memory leak
- Remediated an issue where the PWAF module would block the framework from functioning properly
Release date: October 20, 2017 – Agent Version 2.6.0
Bug fixes
Specifying backup controller host/port no longer triggers a bogus error state on fail-over
Features
- The Threat Manager agent no longer waits several minutes until its next check-in to fail over to other appliances in its assignment policy in case its preferred appliance is unavailable (fail-over happens without back-end intervention).
- A configured but freshly restarted Threat Manager agent no longer depends on the back-end availability to connect to appliances (locally cached config is used to connect to appliances immediately in assignment policy order, starting with the preferred appliance).
- Agent provisioning is more robust against intermittent or persistent failures (agents will now use limited retries for provisioning errors).
Release date: June 11, 2017 – Agent Version 2.5.1
Bug fixes
Amazon Inspector no longer detects the agent as a medium vulnerability due to the lack of stack security cookies in Linux executables.
Notice
Product Management authored a notification released to specific customers who had inquired about the vulnerability when it appeared in scanning reports.
Release date: April 13, 2017 – Agent Version 2.5.0
Features
Detection of container IP addresses for Universal Agent hosts running Docker (required in order to analyze traffic generated in Docker containers by Threat Manager appliances).
Release date: March 17, 2017 – Agent Version 2.4.1
Bug fixes
Removed a retry-loop logic bug which was causing very rapid connections to provisioning service and had the possibility of causing a provisioning outage.
Release date: March 16, 2017 – Agent Version 2.4.0
Features
Auto-claim functionality to Threat Manager and Log Manager appliances and agents deployed in converged AWS and Azure cloud environments. Agents and appliances deployed in such environments no longer require a provisioning key to claim.
Notice
Product Management authored two unique notifications released to customers two weeks prior to the generally available release.
Release date: December 1, 2016 – Agent Version 2.3.6
Bug fixes
When an appliance goes down, Threat Manager agent fail-over to another appliance no longer takes too long.
Release date: August 18, 2016
Features
- The feature for Agent Alerting is specific to Threat Manager Agents, which have never had the ability to have alert rules associated with them to notify customers when service impacting issues occur. This new feature enables customers to use the Alert Logic console to configure alerts for their agents, and these alerts will notify customers when agents suffer the following conditions:
  - Agent Health State changes to:
    - Offline
    - Error
  - Agents cannot communicate with:
    - The appliance
    - The backend
- The goal is to provide early indication of a problem so that it may be addressed as soon as possible. This feature is necessary because the Alert Logic NOC/TOC does not monitor the status of agents due to the nature of their behavior.
Changes
UI level changes with a new configuration UI to configure collection alerts for Threat Manager agents.
Notice
- Outreach should occur to existing customers who have mentioned the lack of this functionality. We should work to get a small number of those customers configured properly, and once complete, we should work on broader outreach to the rest of our Threat Manager customer base.
- Public marketing will be done for this feature.
Release date: August 11, 2016 – Agent Version 2.3.1
Bug fixes
- Updating master executable in older legacy (1.*) Threat Manager agent installations no longer quits the service without restarting it (losing the agent).
- Trying to update master executables to universal on an auto-scaling host running both legacy log and threat agents no longer results in both installations remaining active and appearing as clones.
Release date: April 5, 2016
Bug fixes
- Resolved issue with WSM customers seeing 0.0.0.0 source address for some messages.
- Improved several out-of-order and other packet handling scenarios (primarily for Web Security Manager).
- Added several statistics to logs for decrypted traffic.
Security
Release of several shared packages with Web Security Manager:
- al-threat-sensor-2.2.1-17
- al-tm-balancer-2.4.9
- al-tm-decrypter-2.2.72.g38bcc80-2