If your environment does not allow the Collector to directly connect with the LogicMonitor data centers, you can configure the Collector to communicate through an HTTP proxy.

Updating SSL and Proxy Settings

By default, collectors are not configured to use proxies. To communicate with HTTP proxies, you need to make updates to several proxy settings located in the collector’s agent.conf file. For detailed instructions on editing the agent.conf file, see Editing the Collector Config Files.

Once updated, the new settings should look similar to these:

# SSL & Proxy settings
ssl.enable=true
proxy.enable=true
proxy.host=10.0.0.54
proxy.port=8080
proxy.user=domain\username
proxy.pass=password
proxy.exclude=
proxy.global=false
proxy.pass.isencrypted=false

These new settings designate the following:

• ssl.enable=true Indicates that the collector will make outbound connection using SSL.
• proxy.enable=true Indicates that the collector will use these settings.
• proxy.host= Indicates the IP address of the proxy server.
• proxy.port= Indicates the port the proxy server uses.
• proxy.user= Indicates the username the collector uses when connecting to the proxy.
• proxy.pass= Indicates the password the collector uses when connecting to the proxy.
• proxy.pass.isencrypted= Indicates if the proxy password is encrypted or not.

Changing Proxy Password

If a proxy server has password-based authentication, its credentials are stored in the proxy.user and proxy.pass fields. The proxy password is encrypted. To indicate the encryption, the proxy.pass.isencrypted is set to true. You can set proxy.pass.isencrypted= false if you want to change the proxy password.

1. Navigate to Settings > Collectors.
2. Under the Collectors tab, select the collector you want to configure.  
3. Select the More option and then select Collector Configuration.
   
   On the Collector Configuration page, settings under the Agent Config tab are displayed.
4. Scroll to locate the SSL and Proxy settings.
5. Enter a new password in plain text in the proxy.pass field.
6. Set the proxy.pass.isencrypted value to false.
   
7. Select Save and Restart.
   After the restart, observe that the password is encrypted and the proxy.pass.isencrypted field is set to true.

Troubleshooting Collector Proxy Configuration

We have highlighted some common issues experienced (and how to resolve them) when configuring collectors to be used with HTTP proxies.

Issue: Proxy Authentication Required

When the collector is configured to use a proxy that requires basic authentication, the collector may throw the following exception:

[MSG] [WARN] [main::controller:main] [Controller2._initConfiguration:461] Unexpected status encountered from server. Will retry., CONTEXT=retry=30s, statusCode= 500, errMsg=Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"

In this case, you will want to add the following configuration to the collector’s wrapper.conf:

wrapper.java.additional.16=-Djdk.http.auth.tunneling.disabledSchemes=

Issue: Invalid SSL Certificate

If a collector does not get a valid SSL certificate issued directly from LogicMonitor, it will fail to properly start. In the below example, all SSL certificates in the client environment were being intercepted and reissued using special security software (example, Blue Coat Proxy).

[03-26 15:53:03.222 EDT] [MSG] [INFO] [statusmonitor:::] [StatusListener$1.run:106] Receive peer request, CONTEXT=command=keepalive, charset=windows-1252, peer=/***.***.***.***:******
[03-26 15:53:03.268 EDT] [MSG] [WARN] [statusmonitor::scheduler:] [PropertyFilePersistentHandler._load:94] task file not found, CONTEXT=filename=C:\Program Files (x86)\LogicMonitor\Agent\conf\persistent_task.conf, EXCEPTION=C:\Program Files (x86)\LogicMonitor\Agent\conf\persistent_task.conf (The system cannot find the file specified)
java.io.FileNotFoundException: C:\Program Files (x86)\LogicMonitor\Agent\conf\persistent_task.conf (The system cannot find the file specified)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)
at java.io.FileInputStream.<init>(FileInputStream.java:93)
at com.santaba.common.util.scheduler.impl.PropertyFilePersistentHandler._load(PropertyFilePersistentHandler.java:88)
at com.santaba.common.util.scheduler.impl.PropertyFilePersistentHandler.<init>(PropertyFilePersistentHandler.java:30)
at com.santaba.common.util.scheduler.Schedulers.newPersistentScheduler(Schedulers.java:17)
at com.santaba.agent.collector3.CollectorDb._newScheduler(CollectorDb.java:172)
at com.santaba.agent.collector3.CollectorDb.<init>(CollectorDb.java:68)
at com.santaba.agent.collector3.CollectorDb.<clinit>(CollectorDb.java:65)
at com.santaba.agent.agentmonitor.StatusListener._getAgentStatusResponse(StatusListener.java:279)
at com.santaba.agent.agentmonitor.StatusListener$1.run(StatusListener.java:117) /
[03-26 15:53:03.947 EDT] [INFO] [1] [default] [controller] [Controller2._initHttpService:469] Agent starting with ID - 00baae57-3971-4239-9610-b512aae9c21csbagent
[03-26 15:53:04.232 EDT] [MSG] [INFO] [main::controller:main] [SSLUtilities.checkCertificates:160] Invalid or wrong SSL Certificates found, CONTEXT=info=Found total 2 certificates:
Subject: CN=*.logicmonitor.com, OU=Domain Control Validated
Issuer: CN=SSLInterception87
Type: X.509
SHA1: 9a:a6:ff:33:85:cc:13:4c:3a:13:11:77:5c:ef:5e:a7:74:65:6b:de
MD5: 61:35:08:b5:ec:71:a2:ae:05:c4:7f:54:f1:aa:6f:ad
Valid from: 2017-04-19 10:02:01 -0400
Valid to: 2020-06-18 17:33:09 -0400Subject: CN=SSLInterception3
Issuer: CN=BillyBob's-CA, DC=slhn, DC=org
Type: X.509
SHA1: 6b:a8:1f:61:7b:5d:f0:e4:ee:7e:6a:1b:bb:18:de:67:be:5c:44:1d
MD5: d0:fc:64:da:6f:9b:1f:8d:1a:52:64:dc:41:da:e7:1c
Valid from: 2017-08-09 15:08:18 -0400
Valid to: 2021-10-03 08:53:12 -0400 */
[03-26 15:53:04.232 EDT] [MSG] [WARN] [main::controller:main] [Controller2._initConfiguration:322] SANTABA SERVER ceriticates not trusted, CONTEXT=Host=generic-customer.logicmonitor.com, port=443

Solution A (Preferred)

Have the local administrator add the SSL certificate to your allow list so that it comes into the network unmodified by a proxy/firewall. This is the preferred option because it preserves security.

Solution B

Change the collector configuration setting from:

EnforceLogicMonitorSSL=true

to:

EnforceLogicMonitorSSL=false

Removing SSL enforcement lowers the security of the connection between your collector and LogicMonitor and, for this reason, should be carefully considered before implementing.

You can control the behavior of LogicMonitor collectors using configuration files. Configuration files are located in the collector’s installation directory at the following default file path:

• Linux – /usr/local/logicmonitor/agent/conf
• Windows – C:\Program Files (x86)\LogicMonitor\Agent\conf

You can view and update the settings in the collector configuration files on a per-collector basis on the LogicMonitor user interface.

It is recommended that you use the LogicMonitor user interface to update the settings in the collector configuration files instead of editing the files manually. You can manually modify the local collector configuration files at your own risk.

Editing Collector Configuration

1. Navigate to Settings > Collectors.
2. Under the Collectors tab, select the collector you want to configure.  
3. Select the More option and then select Collector Configuration.
   
   On the Collector Configuration page, settings under the Agent Config tab are displayed. You can select the WatchDog Config, Wrapper Config, Sbproxy Config, and Website Config tabs to access more settings.
   
4. Manually edit the settings.
5. Select Save and Restart to restart the collector and apply the changes.

WinRM is Microsoft’s implementation of WS-Management Protocol, a standard SOAP-based firewall friendly protocol that allows hardware and operating systems from different vendors to interoperate. Thus, WinRM provides a way to get management data from a local computer or a remote computer using WS-Management protocol.

Prerequisites

You must meet the following prerequisites to configure and use WinRM to query data.

• You must install EA Collector 35.400 or a later version.
• You must create and enable an HTTPS listener on the Windows devices. See, Creating an HTTPS Listener (port 5986).

Creating Domain User

You can create a new domain user or use an existing domain user. However, ensure that the domain user is not a member of the Administrators group. If you are going to create a new domain user, it is recommended that you first create a domain user and then install the collector using that domain user.

1. Navigate to Server Manager > Tools > Active Directory Users and Computers. 
2. Go to the domain that you want to use for WinRM and right-click Users and select New.
3. Enter the new user details and select Next.
   
4. Enter a password and confirm it, and then select Next.
   
5. Check details and select Finish.
   

Creating an HTTPS Listener (port 5986)

An HTTPS listener must be created and/or enabled on the Windows devices. If you do not have an HTTPS listener created for WinRM, follow the steps given below:

1. Run the command WinRM e winrm/config/listener in cmd_prompt to check if port 5986 is already enabled on WinRM service.
2. Use a certificate signed by a trusted Certificate Authority (CA).

3. Copy the thumb print of the existing certificate and run the following command on PowerShell.
   winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<YOUR_DNS_NAME>"; CertificateThumbprint="<COPIED_CERTIFICATE_THUMBPRINT>"}‘
4. To verify if the listener is created, run the command WinRM e winrm/config/listener in cmd_prompt to print details of port 5985 and 5986.
5. To add a new firewall inbound rule to allow all connections for port 5986 (TCP), follow these steps:
   1. Search and select the Windows Firewall with Advanced Security option. The Windows Firewall with Advanced Security window is displayed.
   2. In the left navigation, right-click Inbound Rules and select New Rule. The New Inbound Rule Wizard window is displayed.
   3. Select the Port radio button and select Next.
   4. Select the TCP radio button.
   5. Select the Specific local ports radio button and enter 5986 in the blank field. Select Next. 
   6. Select the Allow the connection radio button and select Next.
   7. Select the Domain, Private, and Public checkboxes and select Next.
   8. Enter a rule name in the Name field and select Finish.

Setting Up WinRM Enabled Collector

To setup WinRM enabled collector, follow these steps:

1. Install Windows collector
2. Configure WinRM properties
3. Automate WinRM non-admin configuration
4. Create GPO policy
5. Add WinRM tasks to the GPO policy
6. Restart remote machine

Installing Windows Collector

Follow the instructions given in Installing Collectors to install Windows Collector. Ensure that you install EA Collector 35.400 or a later version.

Configuring WinRM Properties

To use the WinRM data collection feature using HTTP (port 5985), you must configure the following properties.

Restart the collector after you update the configuration files with the properties. 

Automating WinRM Non-admin Configuration

We have automated the WinRM non-admin configuration process by adding Windows_NonAdmin_Config.ps1. You must consider the following points about the scripts:

• The scripts are bundled with the Windows collector installer. 
• After installing collector, go to \LogicMonitor\Agent\bin and move the scripts to the netlogon folder. 
• All the machines in the domain must have access to the netlogon folder in order to access this script when executed through Group Policy (GPO).

In case of access issue, see Microsoft documentation.

Creating GPO Policy

1. Navigate to Server Manager > Tools > Group Policy Management.
2. Right-click the domain you want to use and select Create a GPO in this domain, and Link it here…
   
3. Enter a name for the new GPO policy (for example, WinRM Configuration) and then select OK. Note that the Source Starter GPO will remain (none).
   
4. Right-click the newly created GPO policy and select Edit to add WinRM tasks.
   

Adding WinRM Tasks to GPO Policy

1. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Scripts (Startup / Shutdown) and select Startup.
   
   A Startup Properties dialogue box is displayed.
2. Under the Scripts tab select Add.
   
   An Add a Script dialogue is displayed.
3. On the Add a Script dialogue, enter the following details.
   1. In the Script Name field browse for the PowerShell.exe path. Typically, the path is C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Note: If the path differs, browse for the specific folder where you have placed the Powershell.exe.
   2. In the Script Parameters field enter the following parameters for the script.
      -Noninteractive -ExecutionPolicy Bypass -Noprofile -file \\<IP_Address_of_DC>\netlogon\Windows_NonAdmin_Config.ps1 -add -UserName logicmonitor\DomainUser01
      
4. Select OK and then select Apply.

Restarting Domain Machine

1. Open PowerShell terminal and run gpupdate/force.
   
2. Once the user policy is successfully updated, restart the domain machines.

To manually perform the above setup, see Windows Server Monitoring and Principle of Least Privilege.

Using the Debug Command to Verify Configuration

When the configuration is complete, you can run the !winrm debug command to verify the WinRM setup. In addition, you can run !winrm for any query to get the output. When the debug command runs successfully, it prints the output of the query. The format of the debug command is as follows:

!winrm host=<Computer Name> [auth=<Auth Type>] [useSSL=true|false] [certCheck=true|false] [username=foo] [password=var] [query=winrmquery]

The properties in this debug command are described in the following table:

 The following is an example of a query input:

!winrm host=EC2AMAZ-93376C4.logicmonitor.com auth=Kerberos username=LOGICMONITOR\WinUser01 password=WinPass@123 useSSL=false certCheck=false

Rolling Back WinRM Configuration

You can revert the changes done by the Windows_NonAdmin_Config.ps1 script. Refer the following example:

• -Noninteractive -ExecutionPolicy Bypass -Noprofile -file \\<IP_Address_of_DC>\netlogon\Windows_NonAdmin_Config.ps1 -remove -UserName logicmonitor\ScriptTestUser01

Follow the steps given in Adding WinRM Tasks to GPO Policy section but run the scripts with remove flag to roll back WinRM configuration.

Troubleshooting

WQL filter issue for groovy scripts modules containing wmi.queryfirst() and wmi.queryAll()

WQL filter supports the following 2 formats:

• Format 1 – “select * from win32_bios where NAME LIKE ‘%’” – Double quotes surround the WQL and the clause value is enclosed with single quotes.
• Format 2 – ’select * from win32_bios where NAME LIKE “%” ’- Single quotes surround the WQL and the clause value is enclosed with double quotes.

WinRM (when you set wmi.winrm.enable= true) supports only the format 2. If you have enabled WinRM and if for custom datasource you use the format 1, then you will see errors on calling wmi.queryFirst() / wmi.queryAll() in the groovy script. To avoid the errors, we recommend you to use the format 2.

Intermittent issue – Network path not found

Due to issues with network or domain you may get the “Network path not found” message.

Error Message : Exception calling "Invoke" with "2" argument(s): "The network path was not found.".Exception.Messages

When you find this error message in the logs, to troubleshoot it, reapply the scripts as a fresh task.

To migrate service account to non-admin user separately, see Migrating Windows Collector from Admin to Non-admin User.

LogicMonitor Collectors have configuration files that can be used to control their behavior. The most robust of these configuration files is the agent.conf file. Data collection, Active Discovery, auto properties, event collection, and many other Collector-specific behavior settings are maintained by this configuration file.

The agent.conf file is located in the Collector’s installation directory. The default file path is:

• Linux Collectors: /usr/local/logicmonitor/agent/conf/agent.conf
• Windows Collectors: C:\Program Files\LogicMonitor\Agent\conf\agent.conf

As discussed in Editing the Collector Config Files, it is highly recommended that any changes or additions to the agent.conf file be made via the LogicMonitor UI (from the Collectors page) as there are safeguards in place to prevent errors. Manually modifying this file from the local Collector is not recommended and is performed at your own risk.

There are more than 600 settings that can be configured in the agent.conf file, providing you with very granular control of your Collector’s behavior and operations. Some settings display in the file by default; some may need to be added if you’d like to override the default values that are defined in the code. All values declared in the agent.conf file supersede values defined in the code.

Note: In the majority of cases, your Collector will run as needed out of the box as long as it is appropriately sized. As a general rule, we recommend approaching the customization of agent.conf settings with caution and, ideally, at the direction of a support representative.

Settings are listed next, organized by function.

General Collector Settings

Data Collection Method Settings

Data collection settings are organized by the following data collection methods:

Global Data Collection Settings

AWS Data Collection Settings

BatchScript Data Collection Settings

CIM Data Collection Settings

Data Pump Data Collection Settings

DNS Data Collection Settings

ESX Data Collection Settings

JDBC Data Collection Settings

JMX Data Collection Settings

Memcached Data Collection Settings

Mongo Data Collection Settings

NetApp Data Collection Settings

Perfmon Data Collection Settings

Ping Data Collection Settings

Script Data Collection Settings

SDK Script Data Collection Settings

SNMP Data Collection Settings

TCP Data Collection Settings

UDP Data Collection Settings

Webpage Data Collection Settings

WMI Data Collection Settings

Xen Data Collection Settings

Event Collection Method Settings

Event collection settings are organized by the following collection methods:

• Global
• HTTP
• Log file
• Script
• SNMP trap
• Syslog
• Windows event log

Global Event Collection Settings

HTTP Event Collection Settings

Log File Event Collection Settings

Script Event Collection Settings

SNMP Trap Event Collection Settings

Syslog Event Collection Settings

Windows Event Log Collection Settings

Active Discovery Settings

AutoProperties Settings

ConfigSource Settings

Credential Vault Settings

The following table lists the configuration properties to set in the Collector agent.conf.

CSProxy Settings

LM Logs

For more information about syslog properties, see Configuring Resource Mapping in Sending Syslog Logs.

Logger Settings

Logger settings control Collector logging. They are not related to LM Logs or EventSources.

Network Traffic Flow (NetFlow) Settings

PowerShell Settings

Proxy and SSL Settings

Remote Session Settings

SBProxy Settings

SSE Settings

Topology Mapping Settings

Watchdog Settings

This feature is available for Collector versions 29.100 or higher.

Overview

Collector scripts require authentication tokens to communicate with certain entities. In older versions of the Collector, these Auth tokens are stored in files, which means that read and write operations are done in every LogicModule that needs to access the files. Collector versions 29.100 or higher allow you to store these Auth tokens in a cache between collection intervals until the token expires.

Using ScriptCache

The ScriptCache class contains the following methods:

The expireIn value is optional and can be set for each key that is stored in the cache. If the value is not set for a particular key, the default expire timeout will be the value set in the collector.script.cache.timeout in agent.conf. For example:

collector.script.cache.timeout=30 //30 minutes

New scripts with ScriptCache won’t work with older versions of the Collector. Importing ScriptCache will throw an exception in older collectors. The following script example will work in all Collectors:

def scriptCache
try {
    scriptCache = this.class.classLoader.loadClass("com.santaba.agent.util.script.ScriptCache").getCache();
    //new way
    String token = scriptCache.get("token1");
    if(token == null){
         //make connection, fetch new token and store it in cache
         scriptCache.set("token1", "asfioajfiqu920200rdaoj9au");
    } else{
         //make connection
    }
} catch (Exception ex) {
    //old way
}

In this script, if the import statement fails for the ScriptCache class, it will default to the old way of saving tokens with files. If it passes, it will use ScriptCache.

You can control the behavior of LogicMonitor Collectors using configuration files. The agent.conf configuration file is located in the Collector’s installation directory in the following default file path:

• Linux: /usr/local/logicmonitor/agent/conf
• Windows: C:\Program Files\LogicMonitor\Agent\conf

You can view and update the settings in the agent.conf on a per-collector basis in the LogicMonitor user interface.

Editing the Collector Configuration Files

1. Navigate to Settings > Collectors.
2. From the Collectors page, find the Collector you want to configure and click the Settings icon in the Manage column to display its settings.
3. Click Support, and then select “Collector Configuration.”

   

4. Open the configuration file you want to edit.
5. Toggle the Edit <name>.conf manually switch to manually edit the file.

   

6. Click the Save and Restart button to restart the Collector and apply the changes to the configuration file.

If your environment does not allow the Collector to directly connect with the LogicMonitor data centers, you can configure the Collector to communicate through an HTTP proxy.

Updating SSL and Proxy Settings

By default, collectors are not configured to use proxies. To communicate with HTTP proxies, you need to make updates to several proxy settings located in the collector’s agent.conf file. For detailed instructions on editing the agent.conf file, see Editing the Collector Config Files.

Once updated, the new settings should look similar to these:

# SSL & Proxy settings
ssl.enable=true
proxy.enable=true
proxy.host=10.0.0.54
proxy.port=8080
proxy.user=domain\username
proxy.pass=password
proxy.exclude=
proxy.global=false
proxy.pass.isencrypted=false

These new settings designate the following:

• ssl.enable=true Indicates that the collector will make outbound connection using SSL.
• proxy.enable=true Indicates that the collector will use these settings.
• proxy.host= Indicates the IP address of the proxy server.
• proxy.port= Indicates the port the proxy server uses.
• proxy.user= Indicates the username the collector uses when connecting to the proxy.
• proxy.pass= Indicates the password the collector uses when connecting to the proxy.
• proxy.pass.isencrypted= Indicates if the proxy password is encrypted or not.

Changing Proxy Password

If a proxy server has password-based authentication, its credentials are stored in the proxy.user and proxy.pass fields. The proxy password is encrypted. To indicate the encryption, the proxy.pass.isencrypted is set to true. You can set proxy.pass.isencrypted= false if you want to change the proxy password.

1. Navigate to Settings > Collectors.
2. Under the Collectors tab, select the collector you want to configure.  
3. Select the More option and then select Collector Configuration.
   
   On the Collector Configuration page, settings under the Agent Config tab are displayed.
4. Scroll to locate the SSL and Proxy settings.
5. Enter a new password in plain text in the proxy.pass field.
6. Set the proxy.pass.isencrypted value to false.
   
7. Select Save and Restart.
   After the restart, observe that the password is encrypted and the proxy.pass.isencrypted field is set to true.

Troubleshooting Collector Proxy Configuration

We have highlighted some common issues experienced (and how to resolve them) when configuring collectors to be used with HTTP proxies.

Issue: Proxy Authentication Required

When the collector is configured to use a proxy that requires basic authentication, the collector may throw the following exception:

[MSG] [WARN] [main::controller:main] [Controller2._initConfiguration:461] Unexpected status encountered from server. Will retry., CONTEXT=retry=30s, statusCode= 500, errMsg=Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"

In this case, you will want to add the following configuration to the collector’s wrapper.conf:

wrapper.java.additional.16=-Djdk.http.auth.tunneling.disabledSchemes=

Issue: Invalid SSL Certificate

If a collector does not get a valid SSL certificate issued directly from LogicMonitor, it will fail to properly start. In the below example, all SSL certificates in the client environment were being intercepted and reissued using special security software (example, Blue Coat Proxy).

[03-26 15:53:03.222 EDT] [MSG] [INFO] [statusmonitor:::] [StatusListener$1.run:106] Receive peer request, CONTEXT=command=keepalive, charset=windows-1252, peer=/***.***.***.***:******
[03-26 15:53:03.268 EDT] [MSG] [WARN] [statusmonitor::scheduler:] [PropertyFilePersistentHandler._load:94] task file not found, CONTEXT=filename=C:\Program Files (x86)\LogicMonitor\Agent\conf\persistent_task.conf, EXCEPTION=C:\Program Files (x86)\LogicMonitor\Agent\conf\persistent_task.conf (The system cannot find the file specified)
java.io.FileNotFoundException: C:\Program Files (x86)\LogicMonitor\Agent\conf\persistent_task.conf (The system cannot find the file specified)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)
at java.io.FileInputStream.<init>(FileInputStream.java:93)
at com.santaba.common.util.scheduler.impl.PropertyFilePersistentHandler._load(PropertyFilePersistentHandler.java:88)
at com.santaba.common.util.scheduler.impl.PropertyFilePersistentHandler.<init>(PropertyFilePersistentHandler.java:30)
at com.santaba.common.util.scheduler.Schedulers.newPersistentScheduler(Schedulers.java:17)
at com.santaba.agent.collector3.CollectorDb._newScheduler(CollectorDb.java:172)
at com.santaba.agent.collector3.CollectorDb.<init>(CollectorDb.java:68)
at com.santaba.agent.collector3.CollectorDb.<clinit>(CollectorDb.java:65)
at com.santaba.agent.agentmonitor.StatusListener._getAgentStatusResponse(StatusListener.java:279)
at com.santaba.agent.agentmonitor.StatusListener$1.run(StatusListener.java:117) /
[03-26 15:53:03.947 EDT] [INFO] [1] [default] [controller] [Controller2._initHttpService:469] Agent starting with ID - 00baae57-3971-4239-9610-b512aae9c21csbagent
[03-26 15:53:04.232 EDT] [MSG] [INFO] [main::controller:main] [SSLUtilities.checkCertificates:160] Invalid or wrong SSL Certificates found, CONTEXT=info=Found total 2 certificates:
Subject: CN=*.logicmonitor.com, OU=Domain Control Validated
Issuer: CN=SSLInterception87
Type: X.509
SHA1: 9a:a6:ff:33:85:cc:13:4c:3a:13:11:77:5c:ef:5e:a7:74:65:6b:de
MD5: 61:35:08:b5:ec:71:a2:ae:05:c4:7f:54:f1:aa:6f:ad
Valid from: 2017-04-19 10:02:01 -0400
Valid to: 2020-06-18 17:33:09 -0400Subject: CN=SSLInterception3
Issuer: CN=BillyBob's-CA, DC=slhn, DC=org
Type: X.509
SHA1: 6b:a8:1f:61:7b:5d:f0:e4:ee:7e:6a:1b:bb:18:de:67:be:5c:44:1d
MD5: d0:fc:64:da:6f:9b:1f:8d:1a:52:64:dc:41:da:e7:1c
Valid from: 2017-08-09 15:08:18 -0400
Valid to: 2021-10-03 08:53:12 -0400 */
[03-26 15:53:04.232 EDT] [MSG] [WARN] [main::controller:main] [Controller2._initConfiguration:322] SANTABA SERVER ceriticates not trusted, CONTEXT=Host=generic-customer.logicmonitor.com, port=443

Solution A (Preferred)

Have the local administrator add the SSL certificate to your allow list so that it comes into the network unmodified by a proxy/firewall. This is the preferred option because it preserves security.

Solution B

Change the collector configuration setting from:

EnforceLogicMonitorSSL=true

to:

EnforceLogicMonitorSSL=false

Removing SSL enforcement lowers the security of the connection between your collector and LogicMonitor and, for this reason, should be carefully considered before implementing.