Configure Windows Agent Behavior in config.json File

When you install the Lacework Windows agent on a machine, a config.json file is created in the C:\ProgramData\Lacework\ directory. You can add properties to the config.json file to alter the agent behavior as described below.

note

If you modify the config.json file, you must restart the agent for the changes to take effect. For more information, see Restart Windows Agent.

config.json File Structure

The config.json file must start and end with curly braces { } with commas separating each property as shown in the following example config.json file:

{
"tokens": {"accesstoken": "Your_Access_Token"},
"serverurl": "Your_API_Endpoint",
"proxyurl":"http://Your_Proxy_Server:Your_Port"
}

General Agent Properties

This section describes the general agent properties.

autoupgrade Property

If the autoupgrade property is set to enable, the agent automatically upgrades itself. This is the default setting. For more information, see Upgrade the Windows Agent.

To disable automatic upgrade, add the following to your config.json file.

"autoupgrade": "disable"

note

For improved security and to benefit from new and improved features, Lacework recommends that you do not disable automatic upgrade of the agent.

To enable automatic upgrade again, delete the "autoupgrade": "disable" property in the config.json file or change it to:

"autoupgrade": "enable"

proxyurl Property

You can use the proxyurl property to configure the Lacework agent to use a network proxy. For more information, see Use a Network Proxy for Windows Agent Traffic.

"proxyurl":"http://Your_Proxy_Server:Your_Port"

Where Your_Proxy_Server is the URL or IP address of your HTTP proxy server and Your_Port is the port number of your proxy server.

If the agent should not use a proxy, regardless of the machine’s configuration, specify the following in the config.json file:

"proxyurl": "direct"

serverurl Property

You can use the serverurl property to specify the endpoint that the agent communicates with. This is mandatory for non-US users.

Lacework supports the following regions and endpoints:

Region                          | Endpoint
US (default)                    | https://api.lacework.net (default)
US-02 (US)                      | https://aprodus2.agent.lacework.net
European Union (EU)             | https://api.fra.lacework.net
Australia and New Zealand (ANZ) | https://auprodn1.agent.lacework.net

The default endpoint is https://api.lacework.net and the default region is US. If you do not specify this property, the agent assumes that the default region is US and uses the default endpoint https://api.lacework.net.

The following example shows you how to add the serverurl property in the config.json file:

{
"serverurl" : "Your_API_Endpoint"
}

Where Your_API_Endpoint is the endpoint for your region.

tags Property

Specify name/value tags to categorize your agents, for example, identifying critical assets. For more information, see Add Custom Agent Tags.

"tags":
{
"test_01": "Value_01",
"test_02": "Value_02"
}

tokens Property

To connect to the Lacework application, Lacework agents require an access token. For more information, see Obtain an Access Token for the Windows Agent.

"tokens": {"accesstoken": "Your_Access_Token"}

Where Your_Access_Token is an access token generated by Lacework.

File Integrity Monitoring (FIM) Properties

This section describes the File Integrity Monitoring (FIM) properties. For more information, see File Integrity Monitoring for Windows Overview.

The FIM properties must be specified within a single fim property in the config.json file, as shown in the following example:

"fim":
{
"filepath": ["%SystemRoot%\\System32\\drivers", "C:\\hello4?.txt", "C:\\Windows\\A*"],
"fileignore": ["C:\\hello?.txt", "C:\\hello45.txt", "C:\\Windows\\AA*", "C:\\Windows\\Logs*"]
}

note

Use double backslash (\\) when you specify Windows file paths. Double backslashes are necessary because the single backslash is an escape character in JSON files.

By default, Lacework configures the Windows agent File Integrity Monitoring (FIM) feature with default settings: it monitors a set of default paths and excludes another set of default paths from monitoring.

You can override the default settings using the filepath property (to include in monitoring) and fileignore property (to exclude from monitoring) in the config.json file.

Adding a blank "fim" entry as shown below has no effect on the default parameters.

"fim":{}

However, no files will be monitored if you add an empty filepath property as shown below, and no files will be excluded from monitoring if you add an empty fileignore property as shown below.

"fim":
{
"filepath":[],"fileignore":[]
}

filepath Property

By default, Lacework monitors the following paths:

  • Paths that are scanned recursively by default:
    • C:\Program Files\
    • C:\Program Files (x86)
    • C:\Windows\System32\
    • C:\Windows\SystemApps\
    • C:\Windows\SysWOW64\
    • C:\Windows\Microsoft.NET\
    • C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
    • %Temp%
  • Paths that are scanned non-recursively by default:
    • C:\
    • C:\Windows

You can override these default paths by specifying the filepath property in the config.json file.

"filepath": ["filepath1", "filepath2"...]

The following entry configures FIM to monitor C:\users\foo.txt and all files in C:\data\.

"filepath": ["C:\\users\\foo.txt", "C:\\data\\"]

note

Specifying additional file paths may temporarily increase scan time, CPU, memory, and network resource usage.

The filepath property supports the * and ? wildcards.

Example of the * wildcard

In this example, FIM monitors all files in the C:\users\ folder whose names start with foo. If the folder contains foofile1.txt, foofile2.log, and nofoofile1.txt, FIM runs only on foofile1.txt and foofile2.log.

"filepath": ["C:\\users\\foo*"]

Example of the ? wildcard

In this example, FIM monitors the files in the C:\users\ folder whose names match foo?file.txt, that is, foo followed by exactly one character and then file.txt. If the folder contains foo1file.txt, foo2file.txt, and foofile.txt, FIM runs only on foo1file.txt and foo2file.txt.

"filepath": ["C:\\users\\foo?file.txt"]

fileignore Property

By default, Lacework excludes monitoring a set of default paths. The list of default paths has been omitted for security reasons. Contact Lacework Support for more information.

You can override these ignored default paths by specifying the fileignore property in the config.json file.

"fileignore": ["filepath1", "filepath2"...]

The following entry configures FIM to ignore the C:\backup\ folder and all files in it.

"fileignore": ["C:\\backup\\"]

The fileignore property supports the * and ? wildcards.
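The filepath and fileignore examples above can be checked without touching a live agent. The following Python snippet is an added example, not Lacework code: it models an entry that ends in a backslash as covering every file below that folder, treats * and ? as the page describes, compares paths case-insensitively (an assumption about Windows paths), and applies fileignore after filepath. The fim blocks are constructed for the demonstration.

```python
import re

# Constructed fim blocks in the shape this page uses (examples, not agent configuration).
STAR_ONLY = {"filepath": ["C:\\users\\foo*"]}
QMARK_ONLY = {"filepath": ["C:\\users\\foo?file.txt"]}
FOLDER_RULES = {
    "filepath": ["C:\\data\\"],
    "fileignore": ["C:\\data\\backup\\", "C:\\data\\*.tmp"],
}


def entry_to_regex(entry: str) -> "re.Pattern[str]":
    """Turn one filepath/fileignore entry into a case-insensitive regex.

    Assumed model: an entry ending in a backslash covers every file below that
    folder; in any other entry '*' matches any run of characters, '?' matches
    exactly one character, and the whole path must match.
    """
    if entry.endswith("\\"):
        return re.compile(re.escape(entry) + ".*", re.IGNORECASE)
    pieces = []
    for ch in entry:
        pieces.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(pieces), re.IGNORECASE)


def is_monitored(path: str, fim: dict) -> bool:
    """A file is monitored when some filepath entry matches it and no fileignore
    entry does; an empty filepath list therefore monitors nothing."""
    included = any(entry_to_regex(e).fullmatch(path) for e in fim.get("filepath", []))
    ignored = any(entry_to_regex(e).fullmatch(path) for e in fim.get("fileignore", []))
    return included and not ignored


def monitored_subset(paths, fim: dict) -> list:
    """Return the paths from `paths` that the given fim block would monitor."""
    return [p for p in paths if is_monitored(p, fim)]
```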

runat Property

By default, Lacework runs the FIM scan at an undetermined time once per day. To control the start time of the daily FIM scan, specify the runat property and enter the start time as HH:MM in the config.json file.

"runat": "HH:MM"

The following entry configures FIM to start scanning at 11:50 PM.

"runat": "23:50"

maxscanfiles Property

By default, Lacework runs the FIM scan on up to 500000 files. You can specify the maxscanfiles property in your config.json file to change the default. For example, to limit the FIM scan to 20000 files, specify:

"maxscanfiles": "20000"

mode Property

FIM is enabled by default on your host machine.

To disable FIM, specify the following in your config.json file:

"mode": "disable"

If FIM is disabled, you can enable it by deleting the following in your config.json file:

"mode": "disable"

noatime Property

The noatime property prevents atime from being used in the metadata hash computation. The atime (access timestamp) records the last time a file was read, for example when a program displayed its contents or read some values from it without editing or adding anything. Metadata is one of the dimensions of the hash that the agent uses to determine whether a file has changed. To prevent the use of atime, specify the following in your config.json file:

"noatime": "true"

Windows Registry Monitoring Properties

This section describes the Windows registry monitoring properties. For more information, see Monitor Windows Registry Changes.

By default, registry monitoring is enabled.

To disable registry monitoring, add the following to the config.json file:

"registry": {
"enabled": "false"
}

If registry monitoring is disabled, do one of the following to enable it:

  • Modify the registry property in the config.json file as shown below:
    "registry": {
    "enabled": "true"
    }
  • Remove the following from the config.json file:
    "registry": {
    "enabled": "false"
    }
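Because the agent only picks up config.json on restart, it is worth checking the file before restarting. The following Python checker is an added example and not part of the Lacework agent: the endpoint list, the HH:MM format for runat, the "direct" proxy value and the remaining value shapes come from this page, while the "Your_" placeholder test is an assumption, and the agent's own parser may accept or reject more than this does.

```python
import json
import re

# Endpoints from the serverurl table on this page.
KNOWN_ENDPOINTS = {
    "https://api.lacework.net",
    "https://aprodus2.agent.lacework.net",
    "https://api.fra.lacework.net",
    "https://auprodn1.agent.lacework.net",
}
PROXY_RE = re.compile(r"^http://[^\s/:]+:\d{1,5}$")    # http://Your_Proxy_Server:Your_Port
RUNAT_RE = re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d$")  # HH:MM, 24-hour clock


def check_config(text: str) -> list:
    """Return the problems found in a config.json body; an empty list means it passes."""
    try:
        # json.loads rejects '=' used for ':', trailing commas and single
        # backslashes in Windows paths, the three mistakes this page warns about.
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["file must be one object wrapped in { }"]
    problems = []
    tokens = cfg.get("tokens")
    token = tokens.get("accesstoken") if isinstance(tokens, dict) else None
    if not token or token.startswith("Your_"):  # placeholder test is an assumption
        problems.append("tokens.accesstoken is missing or still a placeholder")
    if "serverurl" in cfg and cfg["serverurl"] not in KNOWN_ENDPOINTS:
        problems.append(f"serverurl {cfg['serverurl']!r} is not a documented endpoint")
    proxy = cfg.get("proxyurl")
    if proxy is not None and proxy != "direct" and not PROXY_RE.match(str(proxy)):
        problems.append('proxyurl must be http://host:port or "direct"')
    if cfg.get("autoupgrade", "enable") not in ("enable", "disable"):
        problems.append('autoupgrade must be "enable" or "disable"')
    fim = cfg.get("fim", {})
    if not isinstance(fim, dict):
        problems.append("fim must be an object")
    else:
        if fim.get("filepath") == []:
            problems.append("fim.filepath is empty: no files will be monitored")
        if "runat" in fim and not RUNAT_RE.match(str(fim["runat"])):
            problems.append("fim.runat must be HH:MM")
        if "maxscanfiles" in fim and not str(fim["maxscanfiles"]).isdigit():
            problems.append("fim.maxscanfiles must be a whole number")
    registry = cfg.get("registry")
    if isinstance(registry, dict) and registry.get("enabled") not in (None, "true", "false"):
        problems.append('registry.enabled must be "true" or "false"')
    return problems
```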