Dhound-agent troubleshooting on Linux

Dhound-agent installation makes some changes to the system automatically. It does not affect server security.

Verbose Mode

When troubleshooting, stop dhound-agent and run it in verbose mode:

sudo /etc/init.d/dhound-agent stop
cd /var/lib/dhound-agent/
sudo /opt/dhound-agent/bin/dhound-agent -config-dir /etc/dhound-agent -verbose

Test particular rules

All rules are located in the folder /etc/dhound-agent/rules.d/.

To collect and debug specific events, open the /etc/dhound-agent/config.yml file, set 'allrules' to 'false' and list the rule file names, without extension, in the 'rules' parameter.

# for more information about dhound-agent configuration see here - https://knowledge.dhound.io/how-to-use-dhound
output:
  # (required) client access token
  accesstoken: 5MDMDMDMDMDMDMKEYMDMDMDMKSKDMFMDMSMDMFMXG1K8B68J8
  # (required) server identifier
  serverkey: MMMDDDFFFBLK
  # (optional) proxy settings
  # proxy: http://localhost:8080
input:
  # enable all rules specified in rules.d folder: true/false
  allrules: true
  # if allrules is false, specify name of rule files without extension (for example, sshd, tcp-out, etc)
  rules: [sshd, fail2ban, pure-ftpd, tcp-out, apache-wordpress]
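Before restarting the agent in verbose mode, it helps to confirm that every name in 'rules' matches a file in rules.d. The script below is an added example, not part of dhound-agent; the function names are hypothetical, and it assumes 'allrules' and 'rules' are each written on one line as in the sample above and that a rule file is named <name>.<any extension>.

```shell
#!/bin/sh
# Added example (not shipped with dhound-agent): check the rule selection in config.yml.
# Usage: sh check-rules.sh /etc/dhound-agent/config.yml /etc/dhound-agent/rules.d

# Print the value of 'allrules' (commented-out lines are skipped).
get_allrules() {
    sed -n 's/^[[:space:]]*allrules:[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" | head -n 1
}

# Print one rule name per line from the inline list: rules: [a, b, c]
get_rules() {
    sed -n 's/^[[:space:]]*rules:[[:space:]]*\[\(.*\)].*$/\1/p' "$1" | head -n 1 |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sed '/^$/d'
}

# Print each selected rule that has no matching file in the rules directory.
# Assumption: the file is <name> or <name>.<extension>.
missing_rules() {
    cfg=$1; dir=$2
    get_rules "$cfg" | while IFS= read -r name; do
        found=no
        for f in "$dir/$name" "$dir/$name".*; do
            if [ -f "$f" ]; then found=yes; break; fi
        done
        [ "$found" = yes ] || printf '%s\n' "$name"
    done
}

# Report the selection; returns 1 when a selected rule has no file.
check_config() {
    cfg=$1; dir=$2
    if [ "$(get_allrules "$cfg")" = "true" ]; then
        echo "allrules is true: all rules in $dir are enabled"
        return 0
    fi
    missing=$(missing_rules "$cfg" "$dir")
    if [ -n "$missing" ]; then
        echo "rules listed in $cfg without a file in $dir:"
        echo "$missing"
        return 1
    fi
    echo "every selected rule has a file in $dir"
}

if [ "$#" -eq 2 ]; then
    check_config "$1" "$2"
fi
```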
