Skip to main content

Add Agent Tags

In addition to importing AWS, Azure, and GCP tags, local tags can be added to agents. Agent tags can be very helpful for security teams as they provide better search and filtering capabilities. For example, tags can be used to identify critical assets and filters can be used to review the assets or applications running on these assets. Native AWS tags can also be used to organize data, but a fixed AWS tag schema may already be in place, preventing the security team from making changes.

To add agent tags, you need to edit the config.json file that is located in the /var/lib/lacework/config directory. It is not recommended to edit config.json on each and every server. Lacework recommends making changes on a test machine then verifying the results and pushing config.json using AMIs, Ansible, Chef or something else.

note

The value of a tag in the config.json file overrides the value of a tag with the same name in AWS, Azure, and GCP. For example, the value of the Name tag in the config.json file overrides the value of the Name tag in AWS.

  1. On your test machine, open config.json using your preferred text editor.
    sudo nano /var/lib/lacework/config/config.json
  2. Add your locally significant tags to config.json as shown in the following example. If you have previously edited your config.json, you may see more lines than indicated below.
    {
    "tokens" : { "AccessToken" : "YourAgentAccessToken" },
    "tags": { "test_01": "Value_01", "test_02" : "Value_02"}
    }
  3. On your test machine, you can check for valid JSON using jq.
    cat /var/lib/lacework/config/config.json | jq
    {
    "tokens": {
    "AccessToken": "YourAccessToken"
    },
    "tags": {
    "test_01": "Value_01",
    "test_02": "Value_02"
    }
    }
  4. Once the tag or tags appear, run a test filter in the Machines dossier. After confirming that the tag or tags are visible and working as expected, you can distribute the new config.json file using your method of choice. Lacework Console Added Agent Tag

Filtering by tag also works in other dossiers. For example, you can filter by tag in the Applications dossier, which would limit information in the Applications dossier to those machines with the specific tag.

For the Lacework agent to be able to retrieve the EC2 instance 'Name' tag, the EC2 instance must have permission to Describe Tags. For more information, see Configure Access to Tags in AWS.