How to gather support incident information
In Sophos Linux Sensor (SLS), a running sensor's monitoring subsystem can be used to export a full capture of support information collected from the host, the sensor's configuration, and the sensor's internal workings.
Capturing a support archive
To capture a support archive, you must do the following:
- Install curl
- Put SLS into debug mode
- Use curl to capture the support archive
Accessing the monitoring subsystem requires an HTTP client. Most distributions package curl, which is used in this guide. It can be installed on Red Hat-based systems by running:
sudo yum install curl
It can be installed on Ubuntu systems by running:
sudo apt-get install curl
Put SLS into debug mode
Run the following from a root shell on the host in question to cause the sensor to enter debug mode:
sudo pkill -SIGUSR2 -f sophoslinuxsensor
This will cause any active sensors running on the system to temporarily enter a debug mode in which support and debugging information is available on the monitoring endpoint for 60 seconds. After this time, debug mode reverts to off, because the support endpoint can include sensitive information.
Capture a support archive
Run the following from a root shell on the host in question to cause the sensor to capture support information and write to a file:
curl -O http://localhost:9010/support.tar && gzip support.tar
This will have the locally running sensor spend 30 seconds gathering host information, sensor configuration, metrics, and profiles on the inner workings of the sensor and then write them to support.tar.
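The three steps above, as an added example script that is not part of the Sophos documentation or of SLS itself: it sends SIGUSR2, downloads support.tar while the 60-second debug window is still open, gzips it the way the curl command does, and then pulls /metrics, which needs no debug mode. The function names, the injectable fetch/signal/clock parameters and the 90-second read timeout are assumptions for illustration.

```python
import gzip
import os
import shutil
import subprocess
import time
import urllib.request

SLS_BASE = "http://localhost:9010"  # monitoring endpoint named on the page
DEBUG_WINDOW_S = 60  # debug mode stays on for 60 s after SIGUSR2
CAPTURE_S = 30       # the sensor spends about 30 s building support.tar


def enter_debug_mode():
    """Send SIGUSR2 to the running sensor (same as the pkill command above).
    pkill exits 1 when no sensor process matches; check=True surfaces that."""
    subprocess.run(["pkill", "-SIGUSR2", "-f", "sophoslinuxsensor"], check=True)


def http_get(path, timeout):
    """Fetch one monitoring endpoint and return the raw response body."""
    with urllib.request.urlopen(SLS_BASE + path, timeout=timeout) as resp:
        return resp.read()


def collect_support_bundle(outdir, fetch=http_get, signal_fn=enter_debug_mode,
                           clock=time.monotonic):
    """Signal debug mode, pull support.tar inside the window, gzip it, then
    pull /metrics. Returns {filename: path} for the files written.
    fetch/signal_fn/clock are hypothetical hooks so the logic can be tested
    without a live sensor."""
    os.makedirs(outdir, exist_ok=True)
    signal_fn()
    started = clock()
    # support.tar is the only debug-only download here and takes ~30 s,
    # so it goes first; a request after the window closes is not served.
    elapsed = clock() - started
    if elapsed > DEBUG_WINDOW_S:
        raise RuntimeError(f"debug window expired after {elapsed:.0f}s")
    tar_path = os.path.join(outdir, "support.tar")
    with open(tar_path, "wb") as f:
        f.write(fetch("/support.tar", timeout=CAPTURE_S * 3))
    # Same effect as `gzip support.tar`: write .gz and remove the original.
    gz_path = tar_path + ".gz"
    with open(tar_path, "rb") as src, gzip.open(gz_path, "wb") as dst:
        shutil.copyfileobj(src, dst)
    os.remove(tar_path)
    metrics_path = os.path.join(outdir, "metrics.out")
    with open(metrics_path, "wb") as f:
        f.write(fetch("/metrics", timeout=10))
    return {"support.tar.gz": gz_path, "metrics.out": metrics_path}


if __name__ == "__main__":
    print(collect_support_bundle("sls-support"))
```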
SLS CPU and Memory Profiling
SLS is equipped with runtime profiling features that can be used to generate CPU profiles and memory allocation snapshots using Google’s pprof library. See pprof.
Turn debug mode on
To enable profiling you must do one of the following:
- Run the sensor with the environment variable
- Add debug: true to the /etc/sophos/runtimedetections-rules.yaml config file.
Once debug mode has been turned on, restart SLS with the following command:
systemctl restart sophoslinuxsensor
Generate a Profile
If you have a sensor experiencing memory or CPU issues that you wish to troubleshoot, you can generate a performance profile of that sensor. Performance profiles can be captured at any time by making requests to a local HTTP endpoint.
To capture sample memory allocations of live objects on the heap, run the following command:
curl -s http://localhost:9010/debug/pprof/heap > heap.out
To capture sample CPU usage for 60 seconds and generate a profile, run the following command:
curl -s 'http://localhost:9010/debug/pprof/profile?seconds=60' > profile.out
SLS metrics output
To generate the metric output, run the following command:
curl -s http://localhost:9010/metrics > metrics.out
You don't need to turn on debug mode to collect the metrics output.
Collecting system information
You can use the following commands to collect information about specific components of your Linux system.
SLS and content version
$ rpm -qa --installed | grep sophoslinuxsensor
$ rpm -qa --installed | grep runtimedetections-content
$ apt list --installed | grep sophoslinuxsensor
$ apt list --installed | grep runtimedetections-content
Sensor YAML Configuration File/Environment Variables Set
Analytics YAML Configuration File/Environment Variables Set
Operating System and Version
You can use the following commands to obtain the OS and version of your Linux system:
Linux Kernel Version
You can use the following commands to obtain the kernel version of your Linux system:
hostnamectl | grep kernel
Sensor Logs
You can use the following commands to obtain the sensor logs:
journalctl -u sophoslinuxsensor
journalctl -efu capsule8-sensor
tail -f /var/log/capsule8/sensor.log