The first step is to make sure the YAML file doesn't contain any errors. The Ardexa Agent will do its best to start even if there are configuration errors, but it should report these configuration errors to the cloud. To manually test the configuration, run:
ardexa -t /etc/ardexa/ardexa.yaml
Assuming the configuration is correct, there are two main ways to debug a scenario that isn't working (a scenario is the generic name we give RUN, CAPTURE and UNIX_SOCKET):
- Check the "agent_errors" table in the cloud. Open a New Search and select the agent_errors table. Add the "table", "type" and "string" columns to your search and click GO. This should give you some details about what went wrong (most likely an EXPECT_ERROR if the CSV fields in the file don't match what is configured).
- Check the raw agent debug output. The "debug" option is enabled in ardexa.yaml. It is a number from 0 (errors only) to 5 (everything). Generally for debugging like this, 2 or 3 is sufficient. The debug logs are sent to /var/log/ardexa.log and contain information about what is going on inside the agent as it attempts to open files, run commands and process the incoming data.
The debug output can be quite verbose and hard to understand the first time you read it. If neither of these options gives you any clues about what's going wrong, please contact your Ardexa account manager.