EA for Rapid 7?

ImAMacGuy
Valued Contributor II

Does anybody have a way to look for Rapid 7 and its version? It doesn't seem to put anything in the /Applications folder.


ImAMacGuy
Valued Contributor II

This is how the Rapid7 doc says to check the version number... What would be the easiest way to grab just the portion after "Version:"?

Check the version number

sudo grep "Agent Info" /opt/rapid7/ir_agent/components/insight_agent/common/agent.log | tail -n1

The output should appear in the following form:

2018-03-20 18:03:02,434 [INFO] agent.agent_beacon: Agent Info -- ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Version: 1.4.84 (1519676870)

mm2270
Legendary Contributor III

I would probably do this

grep "Agent Info" /opt/rapid7/ir_agent/components/insight_agent/common/agent.log | tail -n1 | tr ' ' '\n' | awk '/Version:/{getline; print}'

That should print out just 1.4.84 based on your example above. But you'll need to test it to see of course.

ImAMacGuy
Valued Contributor II

Awesome, thank you @mm2270! Worked perfectly!

bmee
Contributor

I tried using this in an EA and it doesn't seem to work, but it works if I run it as a policy or as the root user in Terminal. Any idea what I'm doing wrong?

dmahase
New Contributor II

@bmee

#!/bin/sh
# Report the version from the most recent "Agent Info" line in the agent log.
version=$(grep "Agent Info" /opt/rapid7/ir_agent/components/insight_agent/common/agent.log | tail -n1 | tr ' ' '\n' | awk '/Version:/{getline; print}')
echo "<result>$version</result>"

jkb
New Contributor III

I have a few EAs for Rapid 7 I've put together, including my take on the client version. Hopefully they are helpful.

Rapid7 Insight IRD ClientID

#!/bin/sh

# Report the Client-ID of the Rapid7 Agent if installed
# ClientIDs can be found in https://insight.rapid7.com/platform#/datacollection

if [ -e /opt/rapid7/ir_agent/ir_agent ]; then
    clientID=$(grep -Eio '"Client-ID":.*?[^\]"' /opt/rapid7/ir_agent/components/bootstrap/common/bootstrap.cfg | awk -F'[/:]' '{print $2}' | sed -e 's/[{"]/''/g')
else
    clientID="Agent Not Installed"
fi
# Report the result to the JSS.
echo "<result>$clientID</result>"

Rapid7 Insight IRD Bootstrap Component Version

#!/bin/bash

# Report the version of the Rapid7 Bootstrap Component if installed

# From Rapid7 Support:
# The agent has a bootstrap component that is running 1.2.x and this is the command and control for the agent, 
# it stops and starts the agent as well as updates it. The agent itself is the 2.7.x version, which is updated 
# more regularly for things like bug fixes and content patches and general improvements. 
# The bootstrap gets updated too but not as often.


if [ -e /opt/rapid7/ir_agent/ir_agent ]; then
    versionCheck=$(/opt/rapid7/ir_agent/ir_agent -version | awk '/SemanticVersion/ {print $2}' | sed 's/"//g')
else
    versionCheck="Bootstrap Component Not Installed"
fi
# Report the result to the JSS.
echo "<result>$versionCheck</result>"

Rapid7 Insight IRD Agent Version

#!/bin/bash

# Report the version of the Rapid7 Agent if installed

# From Rapid7 Support:
# The agent has a bootstrap component that is running 1.2.x and this is the command and control for the agent, 
# it stops and starts the agent as well as updates it. The agent itself is the 2.7.x version, which is updated 
# more regularly for things like bug fixes and content patches and general improvements. 
# The bootstrap gets updated too but not as often.

if [ -e /opt/rapid7/ir_agent/ir_agent ]; then
    versionCheck=$(/opt/rapid7/ir_agent/components/insight_agent/insight_agent --version | awk '/Semantic/ {print $3}')
else
    versionCheck="Agent Not Installed"
fi
# Report the result to the JSS.
echo "<result>$versionCheck</result>"

Rapid7 Asset Info Last Collection Time

#!/bin/sh

# Report the value of the Rapid7 Agent's "asset_info_last_collection_time", which seems like a good proxy for client-to-server heartbeat

if [ -e /opt/rapid7/ir_agent/ir_agent ]; then
    lastCollected=$(date -r $(cat /opt/rapid7/ir_agent/components/insight_agent/common/config/agent.jobs.tem_realtime.json | awk '/asset_info_last_collection_time/ {print$2}' | sed s/,//g))
else
    lastCollected="Agent Not Installed"
fi
# Report the result to the JSS.
echo "<result>$lastCollected</result>"

Rapid7 Remote Execution Last Collection Time

#!/bin/sh

# Report the value of the Rapid7 Agent's "remote_execution_last_collection_time", which seems like a good proxy for when the client last checked for agent or metadata updates from Rapid7

if [ -e /opt/rapid7/ir_agent/ir_agent ]; then
    lastExecuted=$(date -r $(cat /opt/rapid7/ir_agent/components/insight_agent/common/config/agent.jobs.tem_realtime.json | awk '/remote_execution_last_collection_time/ {print$2}' | sed s/,//g))
else
    lastExecuted="Agent Not Installed"
fi
# Report the result to the JSS.
echo "<result>$lastExecuted</result>"

jkb

Todai
New Contributor II

I just stumbled upon your Rapid7 EAs and I had to log in and say thank you. These are amazing!

Your EAs are great.

Do you know how to add the date format string "+%Y-%m-%d %H:%M:%S" to the date command so the date is in a more chronologically sortable string?
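
An added example (not posted by anyone in this thread, and not Rapid7 or Jamf code) showing one way to get the sortable format asked about above: the format string goes after the epoch argument to date, and the epoch is validated first so a missing or malformed value never reaches date. It assumes the key and its numeric epoch sit on one line of the JSON file, as jkb's scripts imply; the function names and the "Not Available" / "Unknown" result strings are choices made for this example.

```shell
#!/bin/sh
# Added example. File path and key names are the ones used in jkb's EAs above.
# Assumed line shape (constructed sample, not real agent output):
#   "asset_info_last_collection_time": 1500000000,

JOBS_JSON="/opt/rapid7/ir_agent/components/insight_agent/common/config/agent.jobs.tem_realtime.json"

# Print the integer epoch stored under key $1 in file $2 (nothing if absent).
epoch_for_key() {
    awk -v key="\"$1\"" '
        index($0, key) {
            val = substr($0, index($0, key) + length(key))
            if (match(val, /[0-9]+/)) { print substr(val, RSTART, RLENGTH); exit }
        }' "$2" 2>/dev/null
}

# Format epoch seconds as "YYYY-MM-DD HH:MM:SS" in the current time zone.
# Rejects anything that is not purely digits before calling date.
format_epoch() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    # BSD date (macOS) takes the epoch with -r; GNU date needs -d @N.
    date -r "$1" "+%Y-%m-%d %H:%M:%S" 2>/dev/null ||
        date -d "@$1" "+%Y-%m-%d %H:%M:%S"
}

# Build the EA result for key $1, reading file $2 (defaults to JOBS_JSON).
ea_result() {
    file="${2:-$JOBS_JSON}"
    if [ ! -r "$file" ]; then
        echo "<result>Not Available</result>"
        return
    fi
    stamp=$(format_epoch "$(epoch_for_key "$1" "$file")") || stamp="Unknown"
    echo "<result>$stamp</result>"
}

ea_result "asset_info_last_collection_time"
```

For the remote execution EA, call ea_result with "remote_execution_last_collection_time" instead.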

saikat_tripathi
New Contributor II

@dmahase Your solution worked for me. Thank you.

dstranathan
Valued Contributor II

Old post, sorry. Just got R7 and was looking for EA ideas.

I was able to use a specific binary to get the agent's version (rather than depending on a log file entry). Example below:

#!/bin/zsh

R7_INSIGHT_AGENT="/opt/rapid7/ir_agent/components/insight_agent/insight_agent"

# Ask the agent binary for its version instead of parsing the log.
if [[ -e "${R7_INSIGHT_AGENT}" ]]; then
    RESULT=$( "${R7_INSIGHT_AGENT}" --version | awk '/Semantic/ {print $3}' )
else
    RESULT="Missing"
fi
echo "<result>${RESULT}</result>"