Deployment
  • 14 Feb 2024

Deployment events describe the global status of the deployment and are observable in D&R rules via the deployment target.

CLOUD_ADAPTER_DISABLED

This event is emitted when a Cloud Adapter gets disabled because it has been erroring for a long period of time.

Sample Event:

{
  "event":{
    "error": "invalid api key"
  },
  "routing": {
    "event_time": 1644444297696,
    "event_type": "cloud_adapter_disabled",
    "oid": "8cbe27f4-aaaa-cccc-bbbb-138cd51389cd"
  }
}

DELETED_SENSOR

Deleted Sensor deployment events are produced when a sensor that was previously deleted from an Org attempts to connect to the LimaCharlie cloud.

Sample Event:

{
  "routing": {
    "oid": "d9ae5c17-d519-4ef5-a4ac-c454a95d31ca",
    "iid": "ca812425-5a36-4c73-a0a0-935a8ace6451",
    "sid": "a75cc927-bf28-4178-a42d-25ecc8a6be81",
    "plat": 536870912,
    "arch": 2,
    "ext_ip": "104.196.34.101",
    "int_ip": "172.17.0.2",
    "hostname": "linux-server-1",
    "event_type": "deleted_sensor",
    "event_time": 1561741553230
  },
  "event": {
    "denied_for": "720h0m0s"
  }
}

ENROLLMENT

Enrollment deployment events are produced when a sensor enrolls into the organization for the first time.

Sample Event:

{
  "routing": {
    "oid": "d9ae5c17-d519-4ef5-a4ac-c454a95d31ca",
    "iid": "ca812425-5a36-4c73-a0a0-935a8ace6451",
    "sid": "a75cc927-bf28-4178-a42d-25ecc8a6be81",
    "plat": 536870912,
    "arch": 2,
    "event_type": "enrollment",
    "event_time": 1561741553230
  },
  "event": {
    "public_ip": "104.196.34.101",
    "internal_ip": "172.17.0.2",
    "host_name": "linux-server-1"
  }
}

QUOTA_CHANGED

Quota changed events are emitted when the quota for an Organization changes.

Sample Event:

{
  "event":{
    "new_quota": 30,
    "old_quota": 25
  },
  "routing": {
    "event_time": 1644444297696,
    "event_type": "quota_changed",
    "oid": "8cbe27f4-aaaa-cccc-bbbb-138cd51389cd"
  }
}

SENSOR_CLONE

Sensor clone events are generated when the LimaCharlie Cloud detects that a specific Sensor ID may have been cloned. Cloning means the same SID is associated with two different hosts at the same time. This is most often caused by a machine image being created with an LC sensor installed on it and then deployed multiple times.

Sample Event:

{
  "routing": {
    "oid": "d9ae5c17-d519-4ef5-a4ac-c454a95d31ca",
    "iid": "ca812425-5a36-4c73-a0a0-935a8ace6451",
    "sid": "a75cc927-bf28-4178-a42d-25ecc8a6be81",
    "plat": 536870912,
    "arch": 2,
    "event_type": "sensor_clone",
    "event_time": 1561741553230
  },
  "event": {
    "previous_hostname" : "server-1",
    "new_hostname" : "server-2"
  }
}

SENSOR_CRASH

This event is generated when a sensor has crashed. It includes telemetry that helps LimaCharlie troubleshoot the crash.

Sample Event:

{
  "routing": {
    "arch": 2,
    "event_time": 1670861698000,
    "event_type": "sensor_crash",
    "hostname": "linux-server-1",
    "ext_ip": "104.196.34.101",
    "int_ip": "172.17.0.2",
    "oid": "8cbe27f4-aaaa-cccc-bbbb-138cd51389cd",
    "plat": 268435456,
    "iid": "ca812425-5a36-4c73-a0a0-935a8ace6451",
    "sid": "a75cc927-bf28-4178-a42d-25ecc8a6be81"
  },
  "event": {
    "crash_context": {
      "FILE_ID": 63,
      "LINE_NUMBER": 1216,
      "THREAD_ID": 7808
    }
  }
}

SENSOR_OVER_QUOTA

Over quota deployment events are produced when a sensor tries to connect but the organization quota has already been reached.

Sample Event:

{
  "routing": {
    "oid": "d9ae5c17-d519-4ef5-a4ac-c454a95d31ca",
    "iid": "ca812425-5a36-4c73-a0a0-935a8ace6451",
    "sid": "a75cc927-bf28-4178-a42d-25ecc8a6be81",
    "plat": 536870912,
    "arch": 2,
    "event_type": "sensor_over_quota",
    "event_time": 1561741553230
  },
  "event": {
    "public_ip": "104.196.34.101",
    "internal_ip": "172.17.0.2",
    "host_name": "linux-server-1"
  }
}
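The sample events above place host and IP details under different keys (`routing.hostname` / `routing.ext_ip` in some, `event.host_name` / `event.public_ip` in others) and carry `event_time` in epoch milliseconds. The following Python normaliser is an added example, not LimaCharlie code, that flattens them into one finding shape for review. The severity mapping, the function names, and the reading of `denied_for` as an hours/minutes/seconds duration are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

DURATION = re.compile(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")
# Severity per event_type is an assumption of this example, not a platform field.
SEVERITY = {"sensor_clone": "high", "deleted_sensor": "high",
            "cloud_adapter_disabled": "medium", "sensor_over_quota": "medium",
            "sensor_crash": "medium", "enrollment": "info", "quota_changed": "info"}

def parse_duration(text):
    """Parse 'XhYmZs' (assumed format of denied_for, e.g. '720h0m0s')."""
    m = DURATION.fullmatch(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised duration: {text!r}")
    hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)

def pick(evt, routing_key, event_key):
    """Host/IP sit in routing for some event types and in event for others."""
    return evt["routing"].get(routing_key) or evt.get("event", {}).get(event_key)

def triage(evt):
    """Flatten one deployment event into a finding with a UTC timestamp."""
    routing, body = evt["routing"], evt.get("event", {})
    kind = routing["event_type"]
    detail = {
        "sensor_clone": lambda: f"{body['previous_hostname']} -> {body['new_hostname']}",
        "deleted_sensor": lambda: f"denied_for {parse_duration(body['denied_for'])}",
        "cloud_adapter_disabled": lambda: f"adapter error: {body['error']}",
    }.get(kind, lambda: "")()
    return {"time": datetime.fromtimestamp(routing["event_time"] / 1000, timezone.utc),
            "type": kind, "oid": routing["oid"], "sid": routing.get("sid"),
            "host": pick(evt, "hostname", "host_name"), "ip": pick(evt, "ext_ip", "public_ip"),
            "severity": SEVERITY.get(kind, "unknown"), "detail": detail}

# Constructed input: trimmed copies of sample events from this page.
OID, SID = "d9ae5c17-d519-4ef5-a4ac-c454a95d31ca", "a75cc927-bf28-4178-a42d-25ecc8a6be81"
T = 1561741553230  # event_time is epoch milliseconds
SAMPLES = [
    {"routing": {"oid": OID, "sid": SID, "event_type": "sensor_clone", "event_time": T},
     "event": {"previous_hostname": "server-1", "new_hostname": "server-2"}},
    {"routing": {"oid": OID, "sid": SID, "event_type": "enrollment", "event_time": T},
     "event": {"public_ip": "104.196.34.101", "host_name": "linux-server-1"}},
    {"routing": {"oid": OID, "sid": SID, "event_type": "deleted_sensor", "event_time": T,
                 "hostname": "linux-server-1"}, "event": {"denied_for": "720h0m0s"}},
]

if __name__ == "__main__":
    print(*map(triage, SAMPLES), sep="\n")
```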
