ACC configuration

Zoso · ‎04-26-2023

Hello community,

I'm trying to install ACC. I've tried to follow the documentation and this wonderful article

https://www.servicenow.com/community/itom-articles/discovery-with-agent-client-collector-step-by-ste...

I've managed to install the ACC plugins on the instance, on the mid server, and tried on a windows server to act as a client.

I'm stuck with the agent on "Collection Failed"

When performing the self test on the server hosting the agent:

I have a "Did not find OSQuery executable", not sure if this is related to my error?

I can also see an error in the logs

2023-04-26T14:47:27.40 [ERROR] [command] Absolute path for command [endpoint_discovery.rb --compact --select=data_collection,enhanced_inventory,file_systems,network_adapters,tcp_connections,storage_devices,running_processes,local_users,intel_ema,memory_modules] could not be determined.
executable file not found in $PATH

If anyone has an idea to help me

Thanks in advance

Paul Bloem · ‎08-17-2023

Are you sure that the user account created when the agent was installed has permissions to read the directory that the endpoint_discovery.rb file is in, and that the $PATH has been updated to include the correct directories during install? I don't recall seeing this exact issue, but when we've had problems with the initial data collection it's usually because of permissions issues with the user the AgentClientCollector service is running as.

Pratik Malviya · ‎02-05-2025

Hi @Zoso ,

Did you find any solutions for this issue, I am also encountering this issue on Linux agent.
It would be very appreciated if you could able to help me in this.

Please mark the appropriate response as correct answer and helpful, This may help other community users to follow correct solution.
Thanks,
Pratik Malviya

Zoso · ‎02-06-2025

Sorry, i've stopped working on ACC before the resolution.

SK Chand Basha · ‎02-08-2025

Hi @Zoso

This is the single line installation command

# Install Agent Client Collector

# msiexec /i .\agent-client-collector-4.0.0-windows-x64.msi /quiet /qn /norestart ACC_API_KEY=******* ACC_MID=wss://<Ip address>:<port>/ws/events ACC_ALLOW_LIST=TRUE LOCALUSERNAME=SYSTEM

Start-Process msiexec.exe -Wait "/i agent-client-collector-4.0.0-windows-x64.msi /quiet /qn /norestart ACC_API_KEY=******* ACC_MID=wss://<Ip address>:<port>/ws/events ACC_ALLOW_LIST=TRUE LOCALUSERNAME=SYSTEM"

# Install OSQuery

# $msi = "osquery-5.7.0.msi"

# $url = "https://pkg.osquery.io/windows/$msi"

# $dst = "$PSScriptRoot\$msi"

# Write-Host $dst

# Invoke-WebRequest -Uri $url -OutFile $dst

# Start-Process msiexec.exe -Wait "/i $dst /quiet /qn /norestart"

# msiexec /i ".\osquery-5.7.0.msi" /quiet /qn /norestart

Start-Process msiexec.exe -Wait "/i osquery-5.7.0.msi /quiet /qn /norestart"

# Configure osqueryd service

$flags = "--logger_rotate=true

--logger_rotate_size=26214400

--logger_rotate_max_files=1

--watchdog_level=-1

--config_path=C:\Program Files\osquery\osquery-sam.conf"

Set-Content -Path 'C:\Program Files\osquery\osquery.flags.default' -Value "$flags"

$conf = @'

{

"options": {

"config_plugin": "filesystem",

"logger_plugin": "filesystem",

"utc": "true"

},

"schedule": {

"sam_process_info": {

"query": "SELECT name, pid, elapsed_time, start_time, user_time, system_time, username FROM processes p JOIN users u ON u.uid = p.uid WHERE p.elapsed_time != -1 AND u.type != 'special';",

"snapshot" : true,

"interval": 60

},

"system_info": {

"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",

"interval": 3600

}

},

"decorators": {

"load": [

"SELECT uuid AS host_uuid FROM system_info;",

"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"

]

},

"packs": {

"sam-metering": "C:\\ProgramData\\ServiceNow\\agent-client-collector\\cache\\acc-visibility-modules\\bin\\sam-metering.conf"

}

'@

Set-Content -Path 'C:\Program Files\osquery\osquery-sam.conf' -Value "$conf"

cd 'C:\Program Files\osquery'

.\manage-osqueryd.ps1 -uninstall

.\manage-osqueryd.ps1 -install

Restart-Service osqueryd