
Linux - Forensics - Get Automox Agent Log (Amagent.log)

Retrieve Automox Agent logs from Linux endpoints for troubleshooting and forensic analysis

Worklet Details

What the Automox Agent Log Retriever does

This Automox Worklet™ retrieves the contents of the Automox Agent Log (amagent.log) from Linux endpoints and outputs the results to the Automox Activity Log. The amagent.log captures detailed information about Automox Agent operations, including policy execution, update checks, and runtime events. This Worklet supports four retrieval modes to fit different troubleshooting scenarios.

The Worklet first evaluates whether the amagent.log file exists at /var/log/amagent/amagent.log. If the file is present, the Worklet flags the endpoint for remediation. The remediation phase then retrieves log entries based on your chosen mode and outputs them to the Activity Log where you can review them in the Automox console.

Why retrieve Automox Agent logs

Automox Agent logs provide critical visibility into agent health and behavior. When an endpoint behaves unexpectedly or fails to complete policy actions, the agent log contains diagnostic information that explains what occurred. Retrieving these logs accelerates troubleshooting by centralizing log data in the Automox console where your IT operations team can review it alongside other activity records.

Log retrieval also supports forensic and compliance investigations. You can capture logs from a specific date to audit agent activity during a security event, review policy execution history, or validate that the agent is functioning correctly across your fleet. The flexible modes let you retrieve the most recent activity or focus on historical records as needed.

How log retrieval works

  1. Evaluation phase: The Worklet checks whether the file /var/log/amagent/amagent.log exists on the endpoint. If the file is present, the Worklet flags the endpoint as eligible and schedules remediation. If the file does not exist, the Worklet exits without taking action.

  2. Remediation phase: Based on the configured mode, the Worklet retrieves logs using tail, cat, or grep commands. Mode 1 retrieves the last 100 lines (default). Mode 2 retrieves the entire log file. Mode 3 retrieves all entries from a specified date. Mode 4 retrieves the last 100 lines from a specified date. The retrieved logs are output to standard output, which Automox captures and stores in the Activity Log.

Log retrieval requirements

  • Linux operating system (any distribution with bash shell)

  • Automox Agent installed and running with amagent.log file present at /var/log/amagent/amagent.log

  • Read permissions on the amagent.log file (typically available to the Automox Agent user)

  • For Mode 3 and Mode 4 (date-filtered queries): Set the desired_date variable in the Worklet configuration to the target date in yyyy/mm/dd format
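The two phases and four modes described above, written out as an added example (not the Worklet's own script). The function names and the numeric mode argument are hypothetical, the non-zero evaluation return that triggers remediation is an assumption, and desired_date is checked against yyyy/mm/dd before it reaches grep.

```shell
#!/bin/sh
# Added example, not Automox's Worklet code. Function names and the numeric
# mode argument are hypothetical; the log path and desired_date are from the page.
LOG_FILE="${LOG_FILE:-/var/log/amagent/amagent.log}"

# Evaluation: return 1 (flag for remediation) when the log exists, else 0.
# Assumption: a non-zero evaluation result is what schedules remediation.
evaluate() {
    [ -f "$1" ] && return 1
    return 0
}

# Accept only yyyy/mm/dd so the value cannot carry regex or option characters.
valid_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9]/[0-1][0-9]/[0-3][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Remediation: retrieve_log MODE LOG_FILE [DESIRED_DATE], output on stdout.
retrieve_log() {
    [ -r "$2" ] || { echo "cannot read $2" >&2; return 2; }
    case "$1" in
        1) tail -n 100 -- "$2" ;;   # last 100 lines (default mode)
        2) cat -- "$2" ;;           # entire log file
        3|4)
            valid_date "$3" || { echo "desired_date must be yyyy/mm/dd" >&2; return 3; }
            # -F matches the date as a fixed string anywhere in the line; the
            # page does not give the timestamp layout, so no anchoring is assumed.
            if [ "$1" = 3 ]; then
                # grep exits 1 on "no matches"; treat that as an empty result.
                grep -F -- "$3" "$2" || [ $? -eq 1 ]
            else
                grep -F -- "$3" "$2" | tail -n 100
            fi ;;
        *) echo "unknown mode: $1" >&2; return 4 ;;
    esac
}

# Usage: evaluate "$LOG_FILE" || retrieve_log 4 "$LOG_FILE" "2024/01/02"
```

A date with no matching entries returns an empty result with status 0, so an empty Activity Log entry for Mode 3 or Mode 4 means no lines carried that date, not that the script failed.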

Expected results after log retrieval

After the Worklet executes successfully, the amagent.log contents appear in the Automox Activity Log for the endpoint. You can view the logs directly in the console Activity tab. The output displays agent startup events, policy execution records, error messages, and other operational events. The exact content depends on which mode you configured and how long the agent has been running.

If you configured Mode 3 or Mode 4 with a specific date, you see only log entries from that date. This approach simplifies forensic investigations by isolating logs to the relevant timeframe. You can verify agent health by reviewing policy execution status, checking for error messages, and confirming that expected policies were evaluated and applied on the target date.

How to validate Get Automox Agent Log (Amagent.log) changes

  1. Run this Worklet on a pilot Linux endpoint and review the evaluation output for Get Automox Agent Log (Amagent.log).

  2. Confirm that the Automox activity logs show successful completion and exit code 0.

  3. Verify the endpoint state using checks aligned to the evaluation script's logic, such as exit and else.

  4. Validate the remediation effects of script operations such as function, tail, and cat, then rerun the evaluation for compliance.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
