
Understanding Agent Status in the AgileBlue Portal

Quickly view the health of your Elastic Agent, Elastic Endpoint, and Fleet enrollment status directly from the AgileBlue portal.

Overview 

The AgileBlue portal now displays detailed agent status information across two locations: the Data Sources page and the Device Details page. These updates give you clear, at-a-glance visibility into the health of your Elastic Agent, Elastic Endpoint, and Fleet enrollment status - including actionable error messages when attention is required. 

Prerequisites 

  1. An active AgileBlue portal account with appropriate access 
  2. At least one configured server or workstation checking in to the AgileBlue portal 

Viewing Agent Status on the Data Sources Page 

  1. Log in to the AgileBlue Portal 
  2. Navigate to Data Sources 
  3. Locate the device you want to review in the list 

     
  4. Review the following columns for each device:
    1. Elastic Agent - displays the version number of the agent associated with the device 
      1. Green Checkmark - Elastic Agent is installed and all integrations are healthy
      2. Yellow Triangle - Functionality of integrations may be degraded
      3. Red X - Integrations are unhealthy
      4. Grey Dash - Agent status was not reported in the last check-in
    2. Elastic Endpoint - displays the health of the Elastic Endpoint integration per device
      1. Green Checkmark - Elastic Endpoint is healthy
      2. Yellow Triangle - Functionality of Elastic Endpoint may be degraded
      3. Red X - Elastic Endpoint is unhealthy
      4. Grey Dash - Elastic Endpoint status was not reported in the last check-in
    3. Fleet - displays the status of the agent checking into the Elastic SIEM policy
      1. Green Checkmark - Agent is enrolled and checking in
      2. Red X - Agent is unenrolled
      3. Grey Dash - Agent check-in information unavailable

Viewing Agent Status on the Device Details Page 

Note: The agent status fields described below are displayed only for devices classified as a Server or Workstation

  1. Log in to the AgileBlue Portal 
  2. Navigate to Data Sources 
  3. Click on the name of the Server or Workstation you want to review to open the Device Details page 



  4. Locate the Elastic Agent Status field and select the dropdown to expand it:  
    1. If the status is Healthy, the dropdown will read: Healthy – No action required 
    2. If the status is Attention Required or Degraded, the dropdown will display the applicable error message 
  5. Locate the Elastic Endpoint Status field and select the dropdown to expand it:  
    1. If the status is Healthy, the dropdown will read: Healthy – No action required 
    2. If the status is Attention Required or Degraded, the dropdown will display the applicable error message 
  6. Locate the Fleet Status field and select the dropdown to expand it:  
    1. If the device is Enrolled, the dropdown will read: Enrolled – No action required 
    2. If the device is Not Enrolled, the dropdown will display the applicable error message or additional available details 

Troubleshooting

Stop and Start the Cerulean Agent Service

Restarting the Cerulean Agent service resolves most common connectivity and reporting issues. Follow the steps below for your operating system.

Windows

  1. Press Win + R, type services.msc, and press Enter.
  2. Locate the Cerulean Agent service in the list.
  3. Right-click the service and select Restart. If the service is stopped, select Start.
  4. Confirm the service status shows Running.

macOS

  1. Open Terminal (Applications → Utilities → Terminal).
  2. Run the following commands:

    1. sudo launchctl stop com.cerulean.agent
    2. sudo launchctl start com.cerulean.agent

       

  3. Verify the agent is running by checking its status in your management console.

Linux

  1. Open a terminal window.
  2. Run the following command:

    1. sudo systemctl restart cerulean-agent

       

  3. Confirm the service is active:

    1. sudo systemctl status cerulean-agent

       

Still experiencing issues? If restarting the service does not resolve the problem, please collect the logs outlined below and contact AgileBlue Support at support@agileblue.com. Once your logs are ready, notify the support team and they will send a secure, encrypted email with instructions for submitting the files.

Collecting Logs for AgileBlue Support

The following sections describe how to collect the required log files on each supported operating system. Attach all logs in your reply to the encrypted message from AgileBlue Support.

Windows — Event Viewer Application and Security Logs

  1. Open Event Viewer (search “Event Viewer” in the Start menu).
  2. In the left pane, expand Windows Logs.
  3. Select Application.
  4. In the right-hand Actions pane, click Save All Events As and choose EVTX format.
  5. Select Security.
  6. In the right-hand Actions pane, click Save All Events As and choose EVTX format.
  7. Save the files and upload them to the encrypted Barracuda email.

Windows — Cerulean Agent Installation Log

  1. The Cerulean Agent installation log is located in the following directory:
    1. C:\Windows\Temp\cerulean_installer
  2. Save the file and upload it to the encrypted Barracuda email.

macOS — Console / Unified Log

  1. Open Console.app (Applications → Utilities → Console).

  2. Select your Mac under Devices in the sidebar.

  3. Click Action → Export to save the log archive, or use the following Terminal command:

    1. log collect --output ~/Desktop/system_logs.logarchive
    2. log collect --output /var/log/system.log
    3. log collect --output /var/log/install.log
    4. log collect --output ~/Library/Logs/
    5. log collect --output /Library/Logs/
  4. Save the files and upload them to the encrypted Barracuda email.

macOS — Security / Authentication Logs

  1. Use the following command to export the log via Terminal:

    1. log collect --predicate 'subsystem == "com.apple.securityd"' --output ~/Desktop/security_logs.logarchive
    2. log collect --predicate 'subsystem == "com.apple.securityd"' --output /var/log/auth.log
    3. log collect --predicate 'subsystem == "com.apple.securityd"' --output /var/log/security
    4. log collect --predicate 'subsystem == "com.apple.securityd"' --output /private/var/log/asl/
  2. Save the files and upload them to the encrypted Barracuda email.

macOS — Cerulean Agent Installation Log

  1. Check the following directories for the installation log:
    1. /tmp/
    2. /var/log/
    3. ~/Library/Logs/
  2. To search for the file automatically, run the following command:
    1. find /tmp /var/log ~/Library/Logs -name "*cerulean*" -o -name "*install*" 2>/dev/null

       

  3. Save the file and upload it to the encrypted Barracuda email.

Linux — System Logs (journald/syslog)

  1. Use journalctl to export logs to a file:

    1. journalctl -xe > ~/cerulean-agent.log

       

  2. To export logs within a specific date range:

    1. journalctl --since "2024-01-01" --until "2024-01-31" > ~/cerulean-agent.log
  3. Relevant log paths:

      Source                            Path
      Debian / Ubuntu                   /var/log/syslog
      RHEL / CentOS / Fedora            /var/log/messages
      systemd journal (binary format)   /var/log/messages
      General log directory             /var/log/
  4. Save the files and upload them to the encrypted Barracuda email.

Linux — Security / Authentication Logs

  1. Use journalctl to export security and authentication-related logs:
    1. journalctl _TRANSPORT=audit > ~/security-audit.log

       

  2. To export logs within a specific date range:

    1. journalctl _TRANSPORT=audit --since "2024-01-01" --until "2024-01-31" > ~/security-audit.log 

       

  3. Relevant log paths:

      Source                                    Path
      Debian / Ubuntu - authentication events   /var/log/auth.log
      RHEL / CentOS / Fedora                    /var/log/secure
      auditd - kernel-level security events     /var/log/audit/audit.log
  4. Save the files and upload them to the encrypted Barracuda email.

Linux — Cerulean Agent Installation Log

  1. Check the following directories for the installation log:
    1. /tmp/
    2. /var/log/
  2. To search for the file automatically, run:
    1. find /tmp /var/log -name "*cerulean*" -o -name "*install*" 2>/dev/null

       

  3. Save the files and upload them to the encrypted Barracuda email.

Log Location Reference

  Windows
    • Application Logs: Event Viewer → Windows Logs → Application (.evtx)
    • Security Logs: Event Viewer → Windows Logs → Security (.evtx)
    • Installation Log Path: C:\Windows\Temp
  macOS
    • Application Logs: /var/log/system.log, ~/Library/Logs/
    • Security Logs: /var/log/auth.log, /var/log/security
    • Installation Log Path: /tmp/ or /var/log/ or ~/Library/Logs/
  Linux
    • Application Logs: /var/log/syslog or /var/log/messages
    • Security Logs: /var/log/auth.log or /var/log/secure
    • Installation Log Path: /tmp/ or /var/log/
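
The three Linux collection procedures above can be run in one pass. The script below is an added example, not AgileBlue tooling: it copies whichever of the listed log paths exist, records the ones that are missing or unreadable, searches for the installation log, and packs the result into a single archive. The function name, the ROOT and OUT arguments, the manifest file and the default output directory are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: bundle the Linux logs named in this article into one archive.
# ROOT (default /) and OUT are assumptions; ROOT lets the function run
# against a copied or mounted filesystem instead of the live one.

collect_agent_logs() {
    local root="${1:-/}" out="${2:-$HOME/cerulean-support-logs}"
    root="${root%/}"                      # "/" becomes "", so paths join cleanly
    mkdir -p "$out/files" || return 1
    : > "$out/manifest.txt"

    # Distribution-specific paths from the "Relevant log paths" lists above.
    local rel
    for rel in var/log/syslog var/log/messages var/log/auth.log \
               var/log/secure var/log/audit/audit.log; do
        if [ -r "$root/$rel" ]; then
            mkdir -p "$out/files/$(dirname "$rel")"
            cp -p "$root/$rel" "$out/files/$rel"
            echo "collected /$rel" >> "$out/manifest.txt"
        else
            echo "missing-or-unreadable /$rel" >> "$out/manifest.txt"
        fi
    done

    # Installation log search with the same name patterns as the find command
    # above; the parentheses group both -name tests, -type f skips directories.
    find "$root/tmp" "$root/var/log" -type f \
        \( -name '*cerulean*' -o -name '*install*' \) 2>/dev/null |
    while IFS= read -r f; do
        rel="${f#"$root"/}"
        mkdir -p "$out/files/$(dirname "$rel")"
        cp -p "$f" "$out/files/$rel" && echo "collected /$rel" >> "$out/manifest.txt"
    done

    # Journal exports only apply to the live system (ROOT is /).
    if [ -z "$root" ] && command -v journalctl >/dev/null 2>&1; then
        journalctl -xe > "$out/cerulean-agent.log" 2>/dev/null
        journalctl _TRANSPORT=audit > "$out/security-audit.log" 2>/dev/null
    fi

    # One archive next to the output directory, ready to attach.
    tar -czf "$out.tar.gz" -C "$(dirname "$out")" "$(basename "$out")"
}
# Usage on the affected host: collect_agent_logs / ~/cerulean-support-logs
```

Run it with sufficient privileges to read the authentication and audit logs, and check manifest.txt for paths that do not exist on your distribution before sending the archive.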

Repairing the Cerulean Agent

  1. Download the Cerulean Agent Installer.
    1. Log in to the AgileBlue Portal and navigate to Management → Agent.
    2. Download the installer that matches your operating system and installation method.
    Important: Overwrite any existing installer and ensure the file is named windows_installer3.exe (Windows only)

  2. Locate your API Key
    1. In the AgileBlue Portal, go to Management → Settings.
    2. Select Alert Playbook.
    3. Copy your API key listed under the Alert Communication Protocol section.

  3. Run the Repair Command.
    1. Open a terminal (or PowerShell on Windows) and run the command that matches your operating system. Replace YOURAPIKEYHERE with the API key obtained in Step 2.

       

      Windows

      • Command Prompt
        windows_installer3.exe repair -a YOURAPIKEYHERE -u https://agentapi.agileblue.com

         

      • PowerShell
        ./windows_installer3.exe repair -a YOURAPIKEYHERE -u https://agentapi.agileblue.com

         

      • Command Prompt - with Syslog
        windows_installer3.exe repair -a YOURAPIKEYHERE -u https://agentapi.agileblue.com -s

         

      • PowerShell - with Syslog
        ./windows_installer3.exe repair -a YOURAPIKEYHERE -u https://agentapi.agileblue.com -s

         

      Linux

      • Standard
        sudo ./linux_installer3 repair -a YOURAPIKEYHERE -u https://agentapi.agileblue.com

         

      • Syslog
        sudo ./linux_installer3 repair -a YOURAPIKEYHERE -u https://agentapi.agileblue.com -s

         

      Mac

      • Standard (Intel)
        sudo ./mac_installer3 repair -a YOURAPIKEYHERE -u https://agentapi.agileblue.com

         

      • Intel - with Syslog
        sudo ./mac_installer3 repair -a YOURAPIKEYHERE -u https://agentapi.agileblue.com -s

         

      • Apple Silicon (ARM)
        sudo ./mac_arm_installer3 repair -a YOURAPIKEYHERE -u https://agentapi.agileblue.com

         

      • Apple Silicon - with Syslog
        sudo ./mac_arm_installer3 repair -a YOURAPIKEYHERE -u https://agentapi.agileblue.com -s
  4. Verify the Repair
    1. After the repair completes, confirm the device is checking in again by navigating to Analytics → Data Sources in the AgileBlue Portal. The device should appear with a recent check-in timestamp.

NOTE: If the device does not appear within 5–10 minutes after running the repair, please contact AgileBlue Support for further assistance.

Need Help? 

AgileBlue is always here to support you and ensure you are 100% successful. If you have any questions or encounter any issues, please reach out to AgileBlue Support.

Email: support@agileblue.com

Phone: (216) 606-9400