Audit Agent Installation
AuditIQ Unified Agent Installer
Overview
The AuditIQ Agent Suite is a comprehensive monitoring and security solution tailored for Magento/Adobe Commerce environments. The complete suite consists of four distinct agents:
- Magento Agent: An application-level module installed directly into your Magento codebase via Composer (out of scope for this script). For its installation, see Magento Agent.
- Server Agent: Monitors system performance metrics and MySQL, and executes health checks.
- Security Agent: Provides Host Intrusion Detection (HIDS) and File Integrity Monitoring (FIM).
- LogHub Agent: Scrapes and centralizes application logs.
This installation script automates the deployment of the three infrastructure-level agents (Server, Security, and LogHub) across your instances.
Features
- Role-Based Deployment: Intelligently installs components based on the server's role. For instance, LogHub and Magento FIM rules are only installed on Web nodes, while MySQL monitoring is configured for Database nodes.
- Symlink-Aware FIM: Automatically configures a cron job (update-fim-directories.sh) for Web nodes to ensure the Security Agent always monitors the active Magento or Adobe Commerce release directory, even after new deployments.
- Architecture Auto-detection: Seamlessly detects OS (Debian/Ubuntu vs. RHEL/Fedora) and CPU Architecture (amd64 vs. arm64) to download the correct packages.
- Magento/Adobe Commerce Logging: LogHub is pre-configured to capture only Magento and Adobe Commerce application logs (System, Exception, Debug, and Reports), excluding noisy OS logs to reduce bandwidth and storage overhead.
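Why the Symlink-Aware FIM feature matters, shown as an added example that is not AuditIQ's update-fim-directories.sh: the check resolves the release symlink and reports whether the active release still falls under a monitored directory after a deployment. It assumes the Security Agent keeps its monitored paths in Wazuh-style `<directories>` entries (default file /var/ossec/etc/ossec.conf); the function names and the `--check` switch are hypothetical.

```sh
#!/bin/sh
# Added example, not the installer's update-fim-directories.sh.
# Assumption: monitored paths live in Wazuh-style <directories> elements.

# fim_dirs CONF: print each path listed in a <directories> element, one per line.
fim_dirs() {
  grep -o '<directories[^>]*>[^<]*</directories>' "$1" |
    sed -e 's/<[^>]*>//g' | tr ',' '\n' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# fim_covers CONF LINK: resolve LINK (the release symlink) and report whether
# the directory it points to is, or lies below, a monitored path.
# Returns 0 = covered, 1 = stale rules, 2 = LINK does not resolve.
fim_covers() {
  active=$(cd -P -- "$2" 2>/dev/null && pwd -P) || { echo "UNRESOLVED: $2"; return 2; }
  hit=$(fim_dirs "$1" | while IFS= read -r d; do
          [ -n "$d" ] || continue
          case "$active/" in ("${d%/}"/*) echo "$d"; break ;; esac
        done)
  if [ -n "$hit" ]; then
    echo "COVERED: $active (rule: $hit)"
    return 0
  fi
  echo "STALE: $active is not under any monitored directory"
  return 1
}

# Usage: sh fim-check.sh --check [ossec.conf] [release symlink]
if [ "${1:-}" = "--check" ]; then
  fim_covers "${2:-/var/ossec/etc/ossec.conf}" "${3:-/web/current}"
fi
```

A STALE result right after a deployment means the new release directory is not yet monitored, which is the gap the cron job is meant to close.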
Prerequisites
- OS: Linux (Ubuntu/Debian or CentOS/RHEL/AlmaLinux).
- Permissions: Must be run as root or with sudo.
- Credentials Ready: You will need your Server Agent API Key, LogHub API Key, and Wazuh Agent ID (provided by AuditIQ Support/Portal).
Installation Methods
1. Interactive Mode (Recommended for single nodes)
Simply run the script without any arguments. It will prompt you for all necessary information step-by-step.
```bash
curl -sSL https://files.auditiq.cloud/scripts/installation_script.sh -o installation_script.sh
chmod +x installation_script.sh
sudo ./installation_script.sh
```
2. Silent / Automated Mode (For CI/CD & Bulk Deployment)
Bypass interactive prompts by passing all configuration data as command-line arguments. This is ideal for infrastructure-as-code tools (Ansible, Terraform) or automated provisioning.
Example for a Web + DB Node:
```bash
curl -sSL https://files.auditiq.cloud/scripts/installation_script.sh -o installation_script.sh
chmod +x installation_script.sh
sudo ./installation_script.sh --silent \
  --server-name "prod-web-01" \
  --api-key "YOUR_SERVER_API_KEY" \
  --wazuh-id "YOUR_WAZUH_ID" \
  --loghub-api-key "YOUR_LOGHUB_API_KEY" \
  --environment "production" \
  --is-web \
  --is-db \
  --magento-dir "/web/current"
```
3. Available Arguments
| Flag | Description | Default |
|---|---|---|
| --silent | Run without interactive prompts | false |
| --main-key | Your Master API Key from the Portal. | None (Required) |
| --server-name | Hostname/Tag for the agents. | hostname -s |
| --environment | staging or production. | None (Required) |
| --server-url | Override the default Portal URL (for dev/testing). | https://portal.auditiq.cloud/ |
| --is-web | Flag to configure as a Web Node (Installs LogHub). | false |
| --is-db | Flag to configure as a Database Node. | false |
| --magento-dir | Path to Magento root (for FIM & Logs). | /web/current |
Important Configuration Notes
LogHub Scope
To adhere to strict data requirements, the LogHub Agent is configured to collect only Magento and Adobe Commerce application logs. System logs such as Nginx, Apache, HAProxy, or OS Syslog are not collected by this installer to ensure optimal performance and focus.
PHP-FPM Monitoring (Manual Action Required)
Automatic configuration for PHP-FPM status monitoring has been excluded from this script due to the variability and fragility of PHP configurations across different servers. To enable the AuditIQ Server Agent to collect PHP performance metrics (active/idle processes, requests per second), you must manually enable the PHP-FPM Status Page.
Step 1: Enable the Status Path in PHP-FPM
- Locate your PHP-FPM pool configuration file:
  - Ubuntu/Debian: Usually in /etc/php/{version}/fpm/pool.d/www.conf
  - CentOS/RHEL: Usually in /etc/php-fpm.d/www.conf
- Open the file, find the directive pm.status_path, uncomment it, and set the value:
```ini
pm.status_path = /php-fpm-status
```
Step 2: Configure Web Server (Nginx Example) to Expose the Path
Since the agent communicates over HTTP on localhost, you need to tell Nginx to handle this specific path. Add the following location block to your virtual host configuration. Crucial: Ensure it is only accessible from 127.0.0.1 for security.
```nginx
location ~ ^/(php-fpm-status)$ {
    access_log off;
    allow 127.0.0.1;
    deny all;
    include fastcgi_params;
    # Adjust the socket path to match your system (e.g., php8.1-fpm.sock)
    fastcgi_pass unix:/var/run/php/php-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
```
Step 3: Restart Services and Verify
- Restart PHP-FPM and Nginx:
```bash
sudo systemctl restart php8.1-fpm   # Adjust version accordingly
sudo systemctl restart nginx
```
- Test connectivity from the terminal:
```bash
curl http://127.0.0.1/php-fpm-status
```
- Success: You will see a text output starting with pool: www.
- Failure: You get a 404 or 403 error. Check Step 1 and 2 again.
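The Step 2 restriction can be verified together with the Step 3 test. This added example (not part of the AuditIQ installer) probes the status path on loopback and on each of the host's own IPv4 addresses, and flags a status page that answers anywhere but 127.0.0.1. The function names and the `--run` switch are assumptions of the example, and it assumes the site answers on port 80 as in the curl test above.

```sh
#!/bin/sh
# Added example, not part of the AuditIQ installer.
STATUS_PATH="/php-fpm-status"   # pm.status_path value from Step 1

# probe URL: prints "<http_code> <first body line>"; code 000 means no connection.
probe() {
  out=$(curl -s --max-time 5 -w '\n%{http_code}' "$1" 2>/dev/null) || true
  printf '%s %s\n' "$(printf '%s\n' "$out" | tail -n 1)" \
                   "$(printf '%s\n' "$out" | head -n 1)"
}

# classify ORIGIN CODE FIRST_LINE: prints a verdict, returns 0 only for the expected result.
classify() {
  case "$1:$2" in
    loopback:200)
      case "$3" in
        pool:*) echo "PASS: status page answers on loopback" ;;
        *) echo "FAIL: HTTP 200 on loopback but the body is not FPM status output"; return 1 ;;
      esac ;;
    loopback:*)
      echo "FAIL: HTTP $2 on loopback, recheck Step 1 and Step 2"; return 1 ;;
    external:200)
      case "$3" in
        pool:*) echo "EXPOSED: status page served to a non-loopback client"; return 1 ;;
        *) echo "PASS: HTTP 200 but not the status page" ;;
      esac ;;
    external:30[1278])
      echo "INCONCLUSIVE: HTTP $2 redirect, repeat against the redirect target"; return 1 ;;
    external:*)
      echo "PASS: non-loopback client refused (HTTP $2)" ;;
  esac
}

# check_host: loopback must serve the page; every other local IPv4 address must not.
check_host() {
  rc=0
  res=$(probe "http://127.0.0.1$STATUS_PATH")
  classify loopback "${res%% *}" "${res#* }" || rc=1
  for ip in $(hostname -I 2>/dev/null); do
    case "$ip" in *:*) continue ;; esac   # IPv6 addresses are skipped here
    res=$(probe "http://$ip$STATUS_PATH")
    printf '%s: ' "$ip"
    classify external "${res%% *}" "${res#* }" || rc=1
  done
  return "$rc"
}

# Live probes run only on request: sh check-fpm-status.sh --run
if [ "${1:-}" = "--run" ]; then check_host; fi
```

If a reverse proxy or cache on the same host forwards requests to Nginx from 127.0.0.1, the `allow 127.0.0.1` rule matches those proxied requests as well, so an EXPOSED verdict on a public address points at the proxy path rather than at the location block itself.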
Step 4: Configure the AuditIQ Agent
Once the URL is working, register it in the AuditIQ agent configuration file.
- Edit /etc/auditiq-agent.conf:
```ini
# Add or uncomment this line
php_fpm_status_path = /php-fpm-status
```
- Restart the agent:
```bash
sudo systemctl restart auditiq-agent
```
Troubleshooting
"Error: Failed to connect to server or empty response"
- Check your internet connection.
- Verify the --server-url is reachable.
- Ensure your Main API Key is correct.
"Error: Could not retrieve AuditIQ/LogHub Key..."
- This indicates the Main API Key is valid, but the associated account does not have the required agent keys generated on the backend. Contact Support.
My Magento / Adobe Commerce path is different
- If your Magento or Adobe Commerce installation is not at /web/current, please specify it when prompted or use the --magento-dir flag. This is critical for File Integrity Monitoring (FIM) and Log Collection.