The status of SOC.OS agents installed in your network is displayed on all pages of the SOC.OS tool. This allows the ingestion of alerts from on-premise security tools to be monitored.
The combined status of all agents is shown by an indicator in the bottom left of each page.
The indicator will appear green if all the agents are online, i.e. they are sending heartbeat messages to the SOC.OS platform.
The indicator will appear red if all the agents are offline, i.e. they are unable to send heartbeat messages to the SOC.OS platform.
The indicator will appear orange if some, but not all, of the agents are online.
More details about agent health can be obtained by clicking on the status indicator icon. This opens a panel where the status of each agent is individually listed.
The time at which each agent last sent a heartbeat message to the SOC.OS platform is also shown.
It can take around 5 minutes for the indicator in the SOC.OS tool to be updated to reflect changes in agent status.
While an agent is offline, any alerts forwarded through that agent will not be sent to the SOC.OS platform. It is important to bring the agent back online as quickly as possible.
Common causes for the agent going offline are:
If a temporary issue caused the agent to go offline, the agent may automatically reconnect in a few minutes. The time at which the last heartbeat message was sent to the SOC.OS platform can be helpful when determining if this is the case. If the agent remains offline, please restart it as soon as possible to prevent loss of alert data.
Details about why the agent disconnected can be found in the agent log files and host machine service logs.
More information on restarting the agent or viewing agent logs can be found here.
Please email support@socos.io if you have questions or any problems with your agent.