Stopping the agent service

• On a system that uses systemd, type the following command.

  sudo systemctl stop keeperx

• Requires Linux® agent 0.70.0 or later On a system that uses init, type the following command.

  sudo service keeperx stop

Starting the agent service

• On a system that uses systemd, type the following command.

  sudo systemctl start keeperx

• Requires Linux agent 0.70.0 or later On a system that uses init, type the following command.

  sudo service keeperx start

Restarting the agent service

• On a system that uses systemd, type the following command.

  sudo systemctl restart keeperx

• Requires Linux agent 0.70.0 or later On a system that uses init, type the following command.

  sudo service keeperx restart

Reset the agent failure counter

sudo systemctl reset-failed keeperx

Viewing the status of the agent

• On a system that uses systemd, type the following command.

  sudo systemctl status keeperx

• Requires Linux agent 0.70.0 or later On a system that uses init, type the following command.

  sudo service keeperx status

Inspecting the service logs for error details

• On a system that uses systemd, type the following command.

  journalctl –xu keeperx

• Requires Linux agent 0.70.0 or later On a system that uses init, type the following command.

  cat /tmp/rqt_keeperx.txt

Sending service logs to Customer Support

1. Gather the service logs in a .txt file.
   • On a system that uses systemd, type the following command to export the agent systemd service logs to a .txt file.

     journalctl –xu keeperx > /tmp/agent_logs.txt

   • Requires Linux agent 0.70.0 or later On a system that uses init, the service logs are stored in the /tmp/rqt_keeperx.txt file.
2. Go to Customer Support (www.ibm.com/support/) and add the service logs to a new or existing case.

Cleaning up the Falco drivers

sudo /etc/reaqtahive.d/keeperx-loader.sh --clean-only

1. Add KMOD_IGNORE_TAINT=1 to the end of the /etc/reaqtahive.d/keeperx.env file by typing the following command.

   sudo sh -c "echo KMOD_IGNORE_TAINT=1 >> /etc/reaqtahive.d/keeperx.env"

2. Reset any agent service errors and restart the agent by typing the following commands.
   • On a system that uses systemd, type the following commands.

     sudo systemctl reset-failed keeperx

     sudo systemctl restart keeperx

   • Requires Linux agent 0.70.0 or later On a system that uses init, type the following command.

     sudo service keeperx restart

Removing the /etc/reaqta-hive-machine-id file before cloning the endpoint

1. Install the agent on the endpoint that you will clone by following the instructions in Installing the QRadar EDR Agent on Linux endpoints.
2. Remove the /etc/reaqta-hive-machine-id file.
3. Uninstall the agent from the endpoint by following the instructions in Uninstalling the QRadar EDR Agent from an endpoint remotely.
4. Clone the endpoint. An endpoint that you create by cloning automatically register in QRadar EDR Dashboard if it has an internet connection.

Installing the agent without registering the endpoint

1. Install the agent on the endpoint that you will clone by following the instructions in Installing the QRadar EDR Agent on Linux endpoints. Make sure you use the command to install the agent without registering the endpoint.
2. Clone the endpoint.
3. On the endpoints that you create by cloning, register the endpoint, then restart the agent service.
   1. Register the endpoint by typing the following command.

      Table 1. QRadar EDR Dashboard parameters

      Parameter	Description
      URL	Your QRadar EDR server domain name or IP address, including the port.
      Group IDs	A comma-separated list of group IDs. At least one group ID is required in MSSP deployments.
      Proxy	If you are using a proxy to access QRadar EDR Dashboard, enter the proxy URL and port. It must be a nonauthenticated proxy.

      sudo /etc/reaqtahive.d/keeperx --register "https://<URL> --gids <group_IDs> --proxy <proxy_URI>"

   2. Restart the agent service by typing one of the following commands.
      • On a system that uses systemd, type the following command.

        sudo systemctl restart keeperx

      • On a system that uses init, type the following command.

        sudo service keeperx restart

1. Click Threat Hunt > Proactive Hunt.
2. Set Events to Custom Event No Process.
3. Set Endpoints to the endpoint that is experiencing high resource consumption.
4. Click Search.
5. In the search results, analyze the Performance monitor events.
   Performance monitor events are generated every minute, and contain information about CPU consumption, RAM consumption, and database size.

   Option	Description
   High CPU consumption	Look for CPU consumption patterns in the performance monitor events. If you see cyclical high consumption, you might be able to correlate the CPU consumption to the creation of specific processes. To correlate CPU consumption to processes add Process created to the Events field and repeat your search. High CPU consumption is expected when several processes are created on an endpoint. If you see persistent high CPU consumption, it might indicate network or disk input/output issues, RAM scarcity that leads to swap usage, or Destra policy issues.
   High RAM consumption	Look for RAM consumption patterns in the performance monitor events. High RAM consumption might indicate an issue with a Destra policy. Look at the Destra memory in the performance monitor events. Persistent high RAM consumption, or continually increasing RAM consumption might indicate an issue with the agent. If this happens, see Contacting Customer Support for QRadar EDR troubleshooting.
   High disk space consumption	Look at the DB size, Priority event count, Event count, and Network queue event count in the performance monitor events. High DB size might indicate a high amount of events or low network bandwidth. Priority event count, Event count, and Network queue event count continuously having values other than zero indicates that the agent cannot offload events in a timely manner to the server.