The LevelBlue Agent is a lightweight endpoint agent based on osquery, the leading open-source operating system (OS) instrumentation framework for Microsoft Windows, Apple macOS, and Linux. It enables endpoint detection and monitoring with central management, contributing to complete and effective threat visibility, detection, and compliance. The LevelBlue Agent is easy to install on your host and endpoints, and has a small footprint. An installed agent provides continuous endpoint security monitoring, allowing USM Anywhere to quickly detect threats on your essential assets without the time-consuming manual configuration and setup tasks required to implement and integrate a third-party tool.

Agent IDs

The LevelBlue Agent communicates over an channel to send data directly to the USM Anywhere service, bypassing the USM Anywhere Sensor, and buffers data locally when the connection to USM Anywhere is unavailable. These agents use two universally unique identifier (UUID)-formatted IDs to interact with USM Anywhere: a host identifier UUID and an asset identifier UUID. Understanding the two LevelBlue Agent IDs is important when you deploy agents in virtual machines (VMs). See LevelBlue Agent IDs for more information.

Agent Data Collection

Each LevelBlue Agent must be associated with an asset in USM Anywhere to enable log collection, and that asset should match the host system where the agent is deployed. When this association is in place, detailed information is available in the Asset Details page. On this page, you can view the number of associated with the agent, as well as data consumption by the agent over a fixed period of time. When the agent is registered and associated with an asset, the agent configuration profile determines the queries and intervals that USM Anywhere uses to collect logs from the host system. The agent dashboard displays status information for all agents registered with your USM Anywhere environment, including an indication that an agent is currently sending data. See LevelBlue Agent Dashboard for more information.

Agent Data Caching

LevelBlue has enhanced osquery’s buffered logger to retain data more efficiently if communication with USM Anywhere fails. Based on the frequency of events being generated on the endpoint, the LevelBlue Agent writes those events to batch files. When there is a communication error with USM Anywhere, those files are retained in osquery3.db/z_cached_logs within the agent’s working directory. The agent tries resending the files after a back-off period and, at the same time, continues to add batch files for new events if communication isn’t restored. Under normal conditions, the cache of batch files shouldn’t exceed 5 GB of disk space. After communication is restored, the agent works through the backlog of files in the order of their creation. If the caching limit is reached, the agent issues a warning and stops writing cached data to disk, after which no new events are captured. You may need to remove some or all of the files to allow the agent to capture and cache new events until communication with USM Anywhere is restored. The time it takes to reach the caching limit depends on the activity on the endpoint and the amount of content in each event.
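Because a full cache means the endpoint silently stops recording events, an operator will want to watch cache growth before that point. The following is an added example (not LevelBlue or osquery code) that audits the documented cache directory against the 5 GB ceiling; the agent working directory, the 80% warning threshold and the use of file modification time as a stand-in for creation order are assumptions.

```python
import sys
from pathlib import Path

# Documented cache location, relative to the agent's working directory.
CACHE_SUBDIR = Path("osquery3.db") / "z_cached_logs"
CACHE_LIMIT_BYTES = 5 * 1024 ** 3   # 5 GB ceiling described in the docs
WARN_FRACTION = 0.8                 # hypothetical alerting threshold


def cached_batches(cache_dir):
    """Return (path, size_bytes, mtime) for each cached batch file, oldest
    first, i.e. the order in which the agent replays them once the link
    returns. mtime is an approximation of creation time, since POSIX
    filesystems do not reliably expose a creation timestamp."""
    entries = []
    for p in Path(cache_dir).iterdir():
        if p.is_file():
            st = p.stat()
            entries.append((p, st.st_size, st.st_mtime))
    entries.sort(key=lambda e: e[2])
    return entries


def cache_status(cache_dir, limit=CACHE_LIMIT_BYTES, warn_fraction=WARN_FRACTION):
    """Summarise cache usage. 'state' is 'ok', 'warning' (above warn_fraction
    of the limit) or 'full' (limit reached: the agent has stopped caching and
    new endpoint events are being lost until files are removed or
    communication with USM Anywhere is restored)."""
    batches = cached_batches(cache_dir)
    used = sum(size for _, size, _ in batches)
    if used >= limit:
        state = "full"
    elif used >= warn_fraction * limit:
        state = "warning"
    else:
        state = "ok"
    return {
        "files": len(batches),
        "bytes_used": used,
        "fraction_used": used / limit,
        "state": state,
        "oldest": str(batches[0][0]) if batches else None,
    }


if __name__ == "__main__":
    # The working directory is deployment-specific; pass it as the first argument.
    workdir = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    print(cache_status(workdir / CACHE_SUBDIR))
```

Run it from a scheduled task on the endpoint and forward the returned state to your monitoring so a "warning" is raised before the agent stops capturing.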

Agent Updates

When a new agent is registered with your USM Anywhere service, the system checks its version and displays it under the associated asset. You can update the agent manually or use the agent’s auto-update feature, which is disabled by default. Both update methods are performed using the LevelBlue Agent script. See the LevelBlue Agent updates on the USM Anywhere Product Announcements page to find out the latest agent version and improvements.
