Alert Logic Universal Agent release notes
Release date: February 13, 2020 – Agent Version 2.12.0
Flat file stream discovery functionality needed for application-based flat file collection introduced with Managed Detection and Response log feature.
- Collection from non-existing flat files in a directory now produces a consistent warning status as opposed to warning or error depending on state.
- When a flat file collection directory is initially empty, subsequent addition of files to that directory results in collection from their beginning rather than from the current position on first observation.
Release date: December 5, 2019 – Agent Version 2.11.1
- Windows metadata extraction now discovers all available IP addresses.
- Docker container packaging of the agent (al-agent-container) no longer tries to collect the logs of its own agent into the account of the customer.
- The agent no longer loses the configuration when clearing the ingest transport configuration from the controller and then resetting it to the same value.
Release date: July 23, 2019 – Agent Version 2.9.10 (event log collector only)
- Fixed resource DLL cache leaks after load errors.
- Fixed invalid parameter errors for resource DLLs in default search path.
- Fixed spurious errors from trying to open event logs we are not going to collect (disabled or analytic/debug).
Release date: July 2, 2019 – Agent Version 2.9.9
Cached appliance configurations containing sensitive data (user names, passwords and private keys) are encrypted at rest.
- Disabled the usage of SNI header in TLS connections, which caused some proxies to route agent requests to incorrect data centers.
- Master agent periodically retries restarts of crashed collectors if such restarts fail, instead of leaving them stopped.
- Fixed incorrect formatting of event log messages with certain patterns and publishers.
- Fixed collection of non-ASCII event log stream names.
- TM appliance agent periodically retries configuring the balancer framework if this fails.
Release date: May 21, 2019 – Agent Version 2.9.8
Fixed memory leak in metadata transport procedure, causing master agent to exceed the memory limits defined for ECS and Kubernetes jobs with frequently updated metadata.
Release date: April 30, 2019 – Agent Version 2.9.7
- Updated Npcap installer from version 0.99-r7 to 0.993 to support Windows versions 1809 and above.
- Fixed handling of configuration items larger than 8 KB (e.g. long whitelists), which previously resulted in config failures and no service on Windows.
Release date: April 26, 2019 – Agent Version 2.9.6
Fixed expired code signing certificate for Windows exes and package.
Release date: March 12, 2019 – Agent Version 2.9.5
Health errors and warning codes now use unique values, allowing them to be mapped unambiguously to remediation actions for Managed Detection and Response.
Release date: December 14, 2018 – Agent Version 2.9.4
- Docker container log collection is now controlled by a separate policy setting, without depending on TCP collection policy setting.
- Fixed possible crash with too many connections and a problem with docker container socket re-use in the syslog collector.
Release date: November 16, 2018 – Agent Version 2.9.3
The Windows version of the universal agent now installs Npcap OEM instead of WinPcap where needed (and supported). If already installed, the agent will work with either Npcap or WinPcap. Npcap is preferred if both are installed.
Release date: November 6, 2018 – Agent Version 2.9.2
Fixed resource leak with Azure provisioning requests.
Release date: October 25, 2018 – Agent Version 2.9.1 (Managed Detection and Response only)
Agents can now be claimed in Data Center deployments with Managed Detection and Response.
Release date: October 3, 2018 – Agent Version 2.9.0
Added Docker container log collection support to the agent syslog collector. The agent automatically discovers new containers, opens their log streams, and forwards their logs to Log Manager.
- Fixed intermittent syslog collector crashes against batches not closed cleanly by the previous instances.
- Improved large file support for flat file collectors on 32-bit Linux builds.
Release date: June 12, 2018 – Agent Version 2.8.2
- Fixed intermittent agent freezes while extracting Docker metadata if a Docker container is being stopped at the same time.
- Protection goes into effect with fewer delays when multiple new Docker containers are spinning up in the same cluster.
- Default Kubernetes IP space is no longer reported as public in the agent metadata (additional RFC 6890 private IP ranges are classified as private).
Release date: May 31, 2018 – Agent Version 2.8.1
Custom containerized deployments of the agent no longer cause it to crash if the agent container is not given a SYS_ADMIN capability or privileged mode. Privileged mode is still required for proper Docker integration.
Release date: May 17, 2018 – Agent Version 2.8.0
- This release adds support for the ingest transport channel. The agent will receive and store ingest service transport configuration from the back-end controller and will transport the host metadata directly to the ingest service if possible, unless configured otherwise at install time.
- This release extends Azure metadata support. The agent will utilize the recently introduced Azure instance metadata service to collect additional metadata for Azure deployments.
- This release phases out the previous private PKI for TLS certificate chain validation, and replaces it with a public CA bundle and CN/SAN validation.
Release date: March 22, 2018 – Agent Version 2.7.0 (Docker container only)
- Support for binding Docker container interfaces in Threat Manager agent, enabling raw container traffic inspection.
- Support for rich container metadata and non-bridged mode container IP address extraction
- Official Docker container packaging (al-agent-container)
Release date: March 15, 2018 – Agent Version 2.6.1
- Event log collector no longer repeatedly crashes with eventlog resource DLLs compiled with newer versions of message compiler, including Windows version 1709 and above.
- Flat file collector no longer fails to parse dates out of file names if the date is not prefixed with a separator.
Release date: March 8, 2018 – Threat Manager Appliance Framework Version 4.2.1
- Remediated an issue that can lead to duplicate post data in a deny log
- Remediated an issue that resulted in a memory leak
- Remediated an issue where the PWAF module would block the framework from functioning properly
Release date: October 20, 2017 – Agent Version 2.6.0
Specifying backup controller host/port no longer triggers a bogus error state on fail-over
- The Threat Manager agent no longer waits several minutes until its next check-in to fail over to other appliances in its assignment policy in case its preferred appliance is unavailable (fail-over happens without back-end intervention).
- A configured but freshly restarted Threat Manager agent no longer depends on the back-end availability to connect to appliances (locally cached config is used to connect to appliances immediately in assignment policy order, starting with the preferred appliance).
- Agent provisioning is more robust against intermittent or persistent failures (agents will now use limited retries for provisioning errors).
Release date: June 11, 2017 – Agent Version 2.5.1
Amazon Inspector no longer detects the agent as a medium vulnerability due to the lack of stack security cookies in Linux executables.
Product Management authored a notification released to specific customers who had inquired about the vulnerability when it appeared in scanning reports.
Release date: April 13, 2017 – Agent Version 2.5.0
Detection of container IP addresses for Universal Agent hosts running Docker (required in order to analyze traffic generated in Docker containers by Threat Manager appliances).
Release date: March 17, 2017 – Agent Version 2.4.1
Removed a retry-loop logic bug which was causing very rapid connections to provisioning service and had the possibility of causing a provisioning outage.
Release date: March 16, 2017 – Agent Version 2.4.0
Auto-claim functionality to Threat Manager and Log Manager appliances and agents deployed in converged AWSand Azure cloud environments. Agents and appliances deployed in such environments no longer require a provisioning key to claim.
Product Management authored two unique notification released to customers two weeks prior to the generally available release.
Release date: December 1, 2016 – Agent Version 2.3.6
When an appliance goes down, Threat Manager agent fail-over to another appliance no longer takes too long.
Release date: August 18, 2016
- The feature for Agent Alerting is specific to Threat Manager Agents, which have never had the ability to have alert rules associated with them to notify customers when service impacting issues occur. This new feature enables customers to use the Alert Logic console to configure alerts for their agents, and these alerts will notify customers when agents suffer the following conditions:
- Agent Health State changes to:
- Agents cannot communicate with
- The appliance
- The backend
- Agent Health State changes to:
- The goal is to provide early indication of a problem so that it may be addressed as soon as possible. This feature is necessary because the Alert Logic NOC/TOC does not monitor the status of agents due to the nature of their behavior.
UI level changes with a new configuration UI to configure collection alerts for Threat Manager agents.
- Outreach should occur to existing customers who have mentioned the lack of this functionality. We should work to get a small number of those customers configured properly, and once complete, we should work on broader outreach to the rest of our Threat Manager customer base.
- Public marketing will be done for this feature.
Release date: August 11, 2016 – Agent Version 2.3.1
- Updating master executable in older legacy (1.*) Threat Manager agent installations no longer quits the service without restarting it (losing the agent).
- Trying to update master executables to universal on an auto-scaling host running both legacy log and threat agents no longer results in both installations remaining active and appearing as clones.
Release date: April 5, 2016
- Resolved issue with WSM customers seeing 0.0.0.0 source address for some messages.
- Improved several out-of-order and other packet handling scenarios (primarily for Web Security Manager).
- Added several statistics to logs for decrypted traffic.
Release of several shared packages with Web Security Manager: