Alert Logic Universal Agent release notes
Release date: November 4, 2021 - Agent Version 2.20.3
- Fixed possible non-Unicode characters in agent status and metadata (which can silently stall data collection)
- Fixed pollution of systemd journal with debug output from the agent
Release date: October 21, 2021 - Agent Version 2.20.2
- Scan tools and updates directories are now properly cleaned on uninstall and reinstall
- Starting the remote syslog collector via /etc/init.d/al-log-syslog in the presence of systemd starts the systemd service as intended (instead of starting the collector directly)
- Provisioning certificates now use a SHA-256 signature, and access to prov_key.pem is restricted to administrators for compliance reasons
- Worked around a package install problem on systems that don't provide proper systemd-sysv-install by default but still compile systemd with SysV support, e.g. SLES 15
- Added type labels for agent install directories to allow the agent to work with default selinux policies on RHEL/CentOS 8
- Release rpm and deb packages now have PGP signatures; public key is available at https://scc.alertlogic.net/software/al-agent-pkg-key.asc
- Fixed a crash on shutdown when the shutdown occurs before an initial controller connection is established
- Updated statically linked dependencies
- Linux versions now set the collector processes to low priority consistently with Windows versions
- The --host-type (-t) option is now persisted by the 'configure' command and can be supplied as HOST_TYPE to the MSI package
- The collect-responses.log file generated by the syslog collector is no longer opened in append mode to avoid generating spurious errors in restricted environments
- Fixed event log recollection for cloned instances or those restored from backups
- Removed period randomization in between scan task executions to make agent-based scan results more predictable
- Fixed a race condition and busy loops in the master agent when a child process is crashing repeatedly
Release date: May 27, 2021 - Agent Version 2.20.1
- Enabled stricter hostname validation for syslog messages, so that program name, pid or message id no longer ends up in the hostname field.
- Maximum log message size has been increased from 32/64 to 750 KB to prevent truncation of large messages
- Fixed inconsistent message truncation for oversize syslog messages
- Fixed syslog collector occasionally producing oversize batches rejected by lmcollect, due to having only message-count (but not byte-size) limit per batch
- Fixed uninitialized variable use on certain error conditions when running external processes
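The hostname-validation, message-truncation and batch-limit fixes listed for 2.20.1 describe three small pieces of intake logic. The block below is an added example (not Alert Logic's agent code) that implements each of them: a strict hostname check so a program tag such as `sshd[4242]:` is never taken as the host, a fixed per-message ceiling so truncation is the same every time, and batches bounded by both a message count and a byte size. The 750 KB per-message ceiling is the figure from the release note; the per-batch count and byte limits, and the sample messages, are assumptions constructed for the example.

```python
"""Syslog intake: strict hostname check, fixed truncation, dual batch limits.

Added example, not Alert Logic's agent code. MAX_MESSAGE_BYTES is the 750 KB
figure from the release notes; the batch limits are assumed values.
"""
import re
from typing import Iterable, Iterator, List, Tuple

MAX_MESSAGE_BYTES = 750 * 1024        # per-message ceiling from the release notes
MAX_BATCH_MESSAGES = 100              # assumed per-batch message-count limit
MAX_BATCH_BYTES = 1024 * 1024         # assumed per-batch byte-size limit

# A syslog hostname is a label or FQDN: letters, digits, dots and hyphens only.
# A program tag ("sshd[4242]:") or a token carrying ':' fails this check.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")


def split_host_and_tag(after_timestamp: str) -> Tuple[str, str]:
    """Return (hostname, remainder) for the text that follows the timestamp.

    If the first token is not a plausible hostname, the message carried no
    hostname at all: hostname is "" and the whole text is tag + content.
    """
    first, _, remainder = after_timestamp.partition(" ")
    if HOSTNAME_RE.match(first):
        return first, remainder
    return "", after_timestamp


def truncate_message(msg: bytes, limit: int = MAX_MESSAGE_BYTES) -> bytes:
    """Cut an oversize message at a fixed byte boundary, identically every time."""
    return msg if len(msg) <= limit else msg[:limit]


def batch_messages(messages: Iterable[bytes],
                   max_count: int = MAX_BATCH_MESSAGES,
                   max_bytes: int = MAX_BATCH_BYTES) -> Iterator[List[bytes]]:
    """Yield batches that respect both the count limit and the byte limit.

    Messages are truncated first, so with MAX_MESSAGE_BYTES <= max_bytes no
    single message can exceed a batch. A batch is closed before adding a
    message would push it over either limit.
    """
    batch: List[bytes] = []
    size = 0
    for raw in messages:
        msg = truncate_message(raw)
        if batch and (len(batch) >= max_count or size + len(msg) > max_bytes):
            yield batch
            batch, size = [], 0
        batch.append(msg)
        size += len(msg)
    if batch:
        yield batch


if __name__ == "__main__":
    # Constructed sample input: two in-range messages and one oversize one.
    sample = [b"a" * 600_000, b"b" * 600_000, b"c" * 800_000]
    for i, b in enumerate(batch_messages(sample)):
        print(f"batch {i}: {len(b)} message(s), {sum(map(len, b))} bytes")
    print(split_host_and_tag("web01 sshd[4242]: Accepted publickey for ops"))
    print(split_host_and_tag("sshd[4242]: Accepted publickey for ops"))
```

Closing a batch on whichever limit is hit first is what keeps every batch under the receiver's size ceiling even when individual messages are large, and truncating at a constant boundary means two oversize messages of the same length always produce the same output.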
Release date: December 17, 2020 - Agent Version 2.19.0
Support for ECS task metadata service in AWS Fargate (introducing autoclaim and container+image assets in this environment)
Release date: November 19, 2020 - Agent Version 2.18.0
- Enabled compression for all ingest data types except hostmeta (most notably fimdata)
- Added mitigations against possible repeated installation of Npcap, resulting in interruption of network connectivity on the affected hosts
- Fixed unexpected Windows file locking in FIM interfering with other applications
- Fixed consistently incorrect file SHA-1 hash computation in FIM
Release date: October 29, 2020 - Agent Version 2.17.2
- Updated the Windows installer logos and file icons to follow the new branding.
- Fixed a potential use-after-free crash or misbehavior triggered by thread termination in Linux agent versions.
Release date: September 29, 2020 - Agent Version 2.17.1
- Updated Npcap installer from version 0.993 to 0.9997 to mitigate incomplete pcap installations and blue screens.
- Fixed incorrect host IP address being occasionally selected during container loopback (Istio) packet capture.
Release date: September 1, 2020 - Agent Version 2.17.0
FIM agent now sends information on file owner, group, attributes, and permissions.
Release date: July 9, 2020 - Agent Version 2.16.0
- Agents running in AWS WorkSpaces will send extra network interface and account info in claim and host metadata, allowing future support for autoclaim.
- In AWS EC2, the agent will use v2 metadata (requiring access token) where v1 access is disabled.
- The agent no longer sends invalid DC claim metadata, which prevented some agents from provisioning in MDR DC deployments since v2.14.0. Affected hosts cannot be updated remotely and should be remediated manually, as unclaimed agents are not eligible for remote updates.
Release date: June 25, 2020 - Agent Version 2.15.0
- Added FIM support for exclusions and recursive directory tree watchers.
- Fixed duplicate generation of registry events on 32-bit Windows systems.
Release date: June 16, 2020 - Agent Version 2.14.0
- The Alert Logic Agent Container includes an Istio detector to inspect the traffic between your containers. To learn more about Istio support, see Istio Support for Containers.
- Refined version 2.13.1 workaround for Npcap spontaneously stopping capture with all packets counted as dropped, allowing it to detect occasional cases it previously missed.
Release date: May 28, 2020 - Agent Version 2.13.2
- Fixed system performance degradation triggered by IDS agent over time due to resource leaks of varying severity in Npcap and WinPcap implementations of pcap_findalldevs(). The agent no longer relies on this API.
- Rolled back Npcap installer from 0.9990 back to 0.993 due to new user-reported system stability problems introduced by newer version.
Release date: April 21, 2020 - Agent Version 2.13.1
- Added workaround for Npcap spontaneously stopping capture with all packets counted as dropped.
- Updated Npcap installer from version 0.993 to 0.9990 to mitigate incomplete pcap installations.
Release date: March 31, 2020 - Agent Version 2.13.0
- Docker metadata extraction no longer hangs the agent if it happens when the docker daemon is starting up.
- File name filters for flat file discovery requests are no longer case sensitive on Windows.
Release date: February 13, 2020 – Agent Version 2.12.0
- Flat file stream discovery functionality needed for application-based flat file collection introduced with Managed Detection and Response log feature.
- Collection from non-existing flat files in a directory now produces a consistent warning status as opposed to warning or error depending on state.
- When a flat file collection directory is initially empty, subsequent addition of files to that directory results in collection from their beginning rather than from the current position on first observation.
Release date: December 5, 2019 – Agent Version 2.11.1
- Windows metadata extraction now discovers all available IP addresses.
- Docker container packaging of the agent (al-agent-container) no longer tries to collect the logs of its own agent into the account of the customer.
- The agent no longer loses the configuration when clearing the ingest transport configuration from the controller and then resetting it to the same value.
Release date: July 23, 2019 – Agent Version 2.9.10 (event log collector only)
- Fixed resource DLL cache leaks after load errors.
- Fixed invalid parameter errors for resource DLLs in default search path.
- Fixed spurious errors from trying to open event logs we are not going to collect (disabled or analytic/debug).
Release date: July 2, 2019 – Agent Version 2.9.9
- Disabled the usage of SNI header in TLS connections, which caused some proxies to route agent requests to incorrect data centers.
- Master agent periodically retries restarts of crashed collectors if such restarts fail, instead of leaving them stopped.
- Fixed incorrect formatting of event log messages with certain patterns and publishers.
- Fixed collection of non-ASCII event log stream names.
- TM appliance agent periodically retries configuring the balancer framework if this fails.
Release date: May 21, 2019 – Agent Version 2.9.8
Fixed memory leak in metadata transport procedure, causing master agent to exceed the memory limits defined for ECS and Kubernetes jobs with frequently updated metadata.
Release date: April 30, 2019 – Agent Version 2.9.7
- Updated Npcap installer from version 0.99-r7 to 0.993 to support Windows versions 1809 and above.
- Fixed handling of configuration items larger than 8 KB (e.g. long whitelists), which previously resulted in config failures and no service on Windows.
Release date: April 26, 2019 – Agent Version 2.9.6
Fixed expired code signing certificate for Windows exes and package.
Release date: March 12, 2019 – Agent Version 2.9.5
Health errors and warning codes now use unique values, allowing them to be mapped unambiguously to remediation actions for Managed Detection and Response.
Release date: December 14, 2018 – Agent Version 2.9.4
- Docker container log collection is now controlled by a separate policy setting, without depending on TCP collection policy setting.
- Fixed possible crash with too many connections and a problem with docker container socket re-use in the syslog collector.
Release date: November 16, 2018 – Agent Version 2.9.3
The Windows version of the universal agent now installs Npcap OEM instead of WinPcap where needed (and supported). If already installed, the agent will work with either Npcap or WinPcap. Npcap is preferred if both are installed.
Release date: November 6, 2018 – Agent Version 2.9.2
Fixed resource leak with Azure provisioning requests.
Release date: October 25, 2018 – Agent Version 2.9.1 (Managed Detection and Response only)
Agents can now be claimed in Data Center deployments with Managed Detection and Response.
Release date: October 3, 2018 – Agent Version 2.9.0
- Added Docker container log collection support to the agent syslog collector. The agent automatically discovers new containers, opens their log streams, and forwards their logs to Log Manager.
- Fixed intermittent syslog collector crashes against batches not closed cleanly by the previous instances.
- Improved large file support for flat file collectors on 32-bit Linux builds.
Release date: June 12, 2018 – Agent Version 2.8.2
- Fixed intermittent agent freezes while extracting Docker metadata if a Docker container is being stopped at the same time.
- Protection goes into effect with fewer delays when multiple new Docker containers are spinning up in the same cluster.
- Default Kubernetes IP space is no longer reported as public in the agent metadata (additional RFC 6890 private IP ranges are classified as private).
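The 2.8.2 note explains why addresses from the default Kubernetes IP space stopped being reported as public: the agent now treats the additional RFC 6890 special-purpose ranges as private rather than only the three RFC 1918 blocks. The block below is an added example (not Alert Logic's agent code) that puts an RFC 1918-only check beside an RFC 6890 check so the difference is visible; the address blocks are transcribed from RFC 6890's IPv4 and IPv6 special-purpose tables, and the sample addresses are constructed.

```python
"""Public/private classification of host addresses: RFC 1918 only vs RFC 6890.

Added example, not Alert Logic's agent code. Network lists are transcribed
from RFC 6890; the two-way "public"/"private" labelling mirrors the release
note's wording.
"""
import ipaddress
from typing import Iterable, List

RFC1918 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# IPv4 special-purpose blocks listed in RFC 6890 (superset of RFC 1918).
RFC6890_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "240.0.0.0/4", "255.255.255.255/32")]

# IPv6 special-purpose blocks listed in RFC 6890.
RFC6890_V6 = [ipaddress.ip_network(n) for n in (
    "::/128", "::1/128", "::ffff:0:0/96", "64:ff9b::/96", "100::/64",
    "2001:db8::/32", "2002::/16", "fc00::/7", "fe80::/10")]


def classify_rfc1918(addr: str) -> str:
    """Naive check: only the three RFC 1918 blocks count as private."""
    ip = ipaddress.ip_address(addr)
    return "private" if any(ip in net for net in RFC1918) else "public"


def classify_rfc6890(addr: str) -> str:
    """RFC 6890 check: any special-purpose block is reported as private."""
    ip = ipaddress.ip_address(addr)
    table = RFC6890_V4 if ip.version == 4 else RFC6890_V6
    return "private" if any(ip in net for net in table) else "public"


def public_addresses(addrs: Iterable[str]) -> List[str]:
    """The subset of interface addresses that would be reported as public."""
    return [a for a in addrs if classify_rfc6890(a) == "public"]


if __name__ == "__main__":
    # Constructed sample interface list: shared address space (100.64/10),
    # link-local, documentation ranges and one genuinely public address.
    sample = ["100.64.0.10", "169.254.10.1", "198.51.100.4", "fe80::1", "1.1.1.1"]
    for a in sample:
        print(f"{a:>16}  rfc1918={classify_rfc1918(a):8}  rfc6890={classify_rfc6890(a)}")
    print("reported as public:", public_addresses(sample))
```

The practical consequence for metadata accuracy is the 100.64.0.0/10, 169.254.0.0/16 and documentation ranges: an RFC 1918-only check labels all of them public, while the RFC 6890 table keeps them out of the public list.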
Release date: May 31, 2018 – Agent Version 2.8.1
Custom containerized deployments of the agent no longer cause it to crash if the agent container is not given a SYS_ADMIN capability or privileged mode. Privileged mode is still required for proper Docker integration.
Release date: May 17, 2018 – Agent Version 2.8.0
- This release adds support for the ingest transport channel. The agent will receive and store ingest service transport configuration from the back-end controller and will transport the host metadata directly to the ingest service if possible, unless configured otherwise at install time.
- This release extends Azure metadata support. The agent will utilize the recently introduced Azure instance metadata service to collect additional metadata for Azure deployments.
- This release phases out the previous private PKI for TLS certificate chain validation, and replaces it with a public CA bundle and CN/SAN validation.
Release date: March 22, 2018 – Agent Version 2.7.0 (Docker container only)
- Support for binding Docker container interfaces in Threat Manager agent, enabling raw container traffic inspection.
- Support for rich container metadata and non-bridged mode container IP address extraction
- Official Docker container packaging (al-agent-container)
Release date: March 15, 2018 – Agent Version 2.6.1
- Event log collector no longer repeatedly crashes with eventlog resource DLLs compiled with newer versions of message compiler, including Windows version 1709 and above.
- Flat file collector no longer fails to parse dates out of file names if the date is not prefixed with a separator.
Release date: March 8, 2018 – Threat Manager Appliance Framework Version 4.2.1
- Remediated an issue that can lead to duplicate post data in a deny log
- Remediated an issue that resulted in a memory leak
- Remediated an issue where the PWAF module would block the framework from functioning properly
Release date: October 20, 2017 – Agent Version 2.6.0
- Specifying backup controller host/port no longer triggers a bogus error state on fail-over
- The Threat Manager agent no longer waits several minutes until its next check-in to fail over to other appliances in its assignment policy in case its preferred appliance is unavailable (fail-over happens without back-end intervention).
- A configured but freshly restarted Threat Manager agent no longer depends on the back-end availability to connect to appliances (locally cached config is used to connect to appliances immediately in assignment policy order, starting with the preferred appliance).
- Agent provisioning is more robust against intermittent or persistent failures (agents will now use limited retries for provisioning errors).
Release date: June 11, 2017 – Agent Version 2.5.1
- Amazon Inspector no longer detects the agent as a medium vulnerability due to the lack of stack security cookies in Linux executables.
- Product Management authored a notification released to specific customers who had inquired about the vulnerability when it appeared in scanning reports.
Release date: April 13, 2017 – Agent Version 2.5.0
Detection of container IP addresses for Universal Agent hosts running Docker (required in order to analyze traffic generated in Docker containers by Threat Manager appliances).
Release date: March 17, 2017 – Agent Version 2.4.1
Removed a retry-loop logic bug which was causing very rapid connections to provisioning service and had the possibility of causing a provisioning outage.
Release date: March 16, 2017 – Agent Version 2.4.0
- Auto-claim functionality for Threat Manager and Log Manager appliances and agents deployed in converged AWS and Azure cloud environments. Agents and appliances deployed in such environments no longer require a provisioning key to claim.
- Product Management authored two unique notifications released to customers two weeks prior to the generally available release.
Release date: December 1, 2016 – Agent Version 2.3.6
When an appliance goes down, Threat Manager agent fail-over to another appliance no longer takes too long.
Release date: August 18, 2016
- The feature for Agent Alerting is specific to Threat Manager Agents, which have never had the ability to have alert rules associated with them to notify customers when service impacting issues occur. This new feature enables customers to use the Alert Logic console to configure alerts for their agents, and these alerts will notify customers when agents suffer the following conditions:
  - Agent Health State changes to:
  - Agents cannot communicate with:
    - The appliance
    - The backend
  - Agent Health State changes to:
- The goal is to provide early indication of a problem so that it may be addressed as soon as possible. This feature is necessary because the Alert Logic NOC/TOC does not monitor the status of agents due to the nature of their behavior.
- UI level changes with a new configuration UI to configure collection alerts for Threat Manager agents.
- Outreach should occur to existing customers who have mentioned the lack of this functionality. We should work to get a small number of those customers configured properly, and once complete, we should work on broader outreach to the rest of our Threat Manager customer base.
- Public marketing will be done for this feature.
Release date: August 11, 2016 – Agent Version 2.3.1
- Updating master executable in older legacy (1.*) Threat Manager agent installations no longer quits the service without restarting it (losing the agent).
- Trying to update master executables to universal on an auto-scaling host running both legacy log and threat agents no longer results in both installations remaining active and appearing as clones.
Release date: April 5, 2016
- Resolved issue with WSM customers seeing 0.0.0.0 source address for some messages.
- Improved several out-of-order and other packet handling scenarios (primarily for Web Security Manager).
- Added several statistics to logs for decrypted traffic.
Release of several shared packages with Web Security Manager: