Once installed and running, the agent starts collecting and batching data. The data collected is periodically transmitted over an encrypted channel to Lacework servers for analysis. It may take up to 2 hours to construct a base graph and for the Lacework Console to populate. Lacework will send a notification to the email address used during registration to inform the user when results are first available in the Lacework Console.
If you have not received an email notification and machine data is not shown two hours after agent installation, the agent may not be able to communicate with Lacework servers.
Check the following:
- Is the agent using a deactivated token, an invalid token, or none at all?
- Does the agent need to be configured to use a proxy, or has the proxy been misconfigured? See Adding Proxy Information to the Lacework Agent Configuration for instructions on how to add a proxy.
- When the Lacework agent runs in a Docker container, does the hostname shown in the Lacework Console differ from the hostname of the machine? This is a limitation of the Docker runtime, which prevents running containers from getting notifications when the Docker host updates the hostname. See the procedure below to correct this Docker issue.
- Is the GoDaddy certificate in the root store? If not, the GoDaddy certificate needs to be added to the trusted root store. Please consult appropriate resources on installing third-party CA certificates. Below is the GoDaddy certificate.
To correct the Docker issue which prevents running containers from getting notifications when the Docker host updates the hostname:
- Query the current Docker host hostname:
$ hostname
coreos-1122.3.0
- Update the hostname in the Docker host:
$ sudo hostname new-coreos-1122.3.0
- Find the container ID of the Lacework datacollector container:
$ sudo docker ps -a
0123ae6c9bd9 lacework/datacollector:latest "/var/lib/backup/data" 2 hours ago Up 2 hours datacollector
- Find the PID of the Lacework datacollector container:
$ sudo docker inspect 0123ae6c9bd9 | grep Pid
"Pid": 2897,
"PidMode": "host",
"PidsLimit": 0,
- Edit the UTS namespace of the Lacework datacollector container, updating it with the new hostname (nsenter is part of the util-linux package):
$ sudo nsenter --target 2897 --uts hostname new-coreos-1122.3.0
- Log in to the Lacework agent container and verify that the new hostname is visible:
$ sudo docker exec -it 0123ae6c9bd9 /bin/bash
groups: cannot find name for group ID 0
root@new-coreos-1122:/# hostname
new-coreos-1122.3.0
You should not have to restart the Lacework agent container to display the new hostname.
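The procedure above as a repeatable check-and-fix, written as an added example (not Lacework's own tooling). The function names and the `DOCKER`/`NSENTER` override variables are assumptions of this example, and `docker inspect --format '{{.State.Pid}}'` is used in place of the `grep Pid` step. Run it as root on the Docker host.

```shell
#!/bin/sh
# Added example: detect and repair a stale hostname in a running container's
# UTS namespace. DOCKER and NSENTER are overridable (assumption of this example).
DOCKER="${DOCKER:-docker}"
NSENTER="${NSENTER:-nsenter}"

# Print the host PID of the container's main process; return 2 if not running.
container_pid() {
    pid=$("$DOCKER" inspect --format '{{.State.Pid}}' "$1" 2>/dev/null) || return 2
    case "$pid" in
        ''|0|*[!0-9]*) return 2 ;;   # a stopped container reports Pid 0
    esac
    printf '%s\n' "$pid"
}

# Print the hostname as seen from inside the container's UTS namespace.
container_hostname() {
    pid=$(container_pid "$1") || return 2
    "$NSENTER" --target "$pid" --uts hostname
}

# Return 0 if host and container agree, 1 if the container is stale, 2 on error.
check_uts_hostname() {
    host_name=$(hostname) || return 2
    ctr_name=$(container_hostname "$1") || return 2
    if [ "$host_name" = "$ctr_name" ]; then
        echo "in sync: $host_name"
        return 0
    fi
    echo "stale: host=$host_name container=$ctr_name"
    return 1
}

# Push the Docker host's current hostname into the container's UTS namespace.
sync_uts_hostname() {
    rc=0
    check_uts_hostname "$1" >/dev/null || rc=$?
    [ "$rc" -eq 1 ] || return "$rc"   # already in sync (0) or an error (2)
    pid=$(container_pid "$1") || return 2
    "$NSENTER" --target "$pid" --uts hostname "$(hostname)"
}

# Usage: sync_uts_hostname <container-id> && check_uts_hostname <container-id>
```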