Automate offline computer removal with inactive agent cleanup

If your Workload Security deployment has a large number of offline computers not communicating with Workload Security, first try using a connector (see About adding AWS accounts, Add a Microsoft Azure account to Workload Security, or Add a Google Cloud Platform account). When you use a connector, the complete life cycle of your computers is managed automatically, meaning that computers deleted from your cloud accounts are also automatically removed from Workload Security. If you can't use a connector in your environment, you can automate the removal of inactive computers using inactive agent cleanup. Inactive agent cleanup will check hourly for computers that have been offline and inactive for a specified period of time (from 2 weeks to 12 months) and remove them.

Inactive agent cleanup removes a maximum of 1000 offline computers at each hourly check. If there are more offline computers than this, 1000 are removed at each consecutive check until all of the offline computers have been removed.

After enabling inactive agent cleanup, you may also do the following:

  • Keep offline computers protected
  • Prevent computers from being removed
  • Check the audit trail for removed computers

Note that inactive agent cleanup does not remove offline computers that have been added by a cloud connector.

Enable inactive agent cleanup

  1. Go to the Administration page.
  2. Under System Settings > Agents > Inactive Agent Cleanup, select Delete Agents that have been inactive for.
  3. From the list, select the period that a computer must be inactive before being removed.
  4. Ensure that active offline computers can reconnect to Workload Security (optional but recommended).
  5. Click Save.

Keep offline computers protected

If you have offline computers that are active but communicate irregularly with Workload Security, inactive agent cleanup removes them if they do not communicate within the specified period of inactivity. To ensure that these computers reconnect to Workload Security, you can enable both Agent-Initiated Activation and Reactivate unknown Agents. To do so, under System Settings > Agents > Agent Initiated Activation, first select Allow Agent-Initiated Activation and then select Reactivate Unknown Agents.

When a removed computer reconnects, it does not have a policy and therefore it is added as a new computer. Any direct links to the computer are removed from the Workload Security event data.

You can automatically assign a policy to a computer upon agent-initiated activation by using an event-based task.

Prevent computers from being removed

You can set an override at the computer or policy level to explicitly prevent computers from being removed by inactive agent cleanup.

You set an override as follows:

  1. Open the Computer or Policy editor for the computer or policy on which you want to set an override.
  2. Go to Settings > General.
  3. Under Inactive Agent Cleanup Override, select Yes.
  4. Click Save.

Check the audit trail for removed computers

When an inactive agent cleanup job runs, system events are generated that you can use to track removed computers.

Check the following system events:

  • 2953 - Inactive Agent Cleanup Completed Successfully
  • 251 - Computer Deleted
  • 716 - Reactivation Attempted by Unknown Agent

Search system events

To view the system events generated by an inactive agent cleanup job, create a search that filters for them:

  1. Go to the Events and Reports page.
  2. In the top-right corner, click the Search field and select Open Advanced Search.
  3. For the Period, select Custom Range.
  4. For From, enter the date and time just before the inactive agent cleanup job was first run. For To, enter the date and time just after the cleanup job finished.
  5. For the Search, select Event ID and In, and then enter 2953, 251. You can optionally enter 716 and any of the event IDs (130, 790, 350, 250) associated with computer reactivation.

This displays all the system events generated by an inactive agent cleanup job. You can sort the events by time, event ID or event name by clicking on the corresponding column. You can then double-click an event to get more information about it.

System event details

2953 - Inactive Agent Cleanup Completed Successfully

This event is generated when the inactive agent cleanup job runs and successfully removes computers. The description for this event tells you how many computers were removed.

If more than one check is needed to remove all computers, a separate system event is generated for each check.

251 - Computer Deleted

In addition to the Inactive Agent Cleanup Completed Successfully event, a separate Computer Deleted event is generated for each computer that was removed.

716 - Reactivation Attempted by Unknown Agent

If Reactivate Unknown Agents is enabled, this event is generated when an activated computer that was removed by inactive agent cleanup attempts to reconnect to Workload Security. Each reactivated computer also generates the following system events:

  • 130 - Credentials Generated
  • 790 - Agent-Initiated Activation Requested
  • 350 - Policy Created (if you enabled an event-based task that assigns a policy)
  • 250 - Computer Created or 252 - Computer Updated
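The search procedure above and the event details that follow it can be turned into a reconciliation check over an exported list of system events. The script below is an added example, not Trend Micro's code; it assumes a CSV export with `time`, `event_id`, `event`, `target` and `description` columns (an assumption, as is the wording of the constructed sample rows). It sums the counts stated by the 2953 events in a cleanup window, compares them with the number of 251 events in the same window, and lists removed computers that later raised a 716 reactivation event.

```python
import csv, io, re
from datetime import datetime

CLEANUP_COMPLETED = 2953    # Inactive Agent Cleanup Completed Successfully
COMPUTER_DELETED = 251      # Computer Deleted, one per removed computer
REACTIVATION_UNKNOWN = 716  # Reactivation Attempted by Unknown Agent
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export. Column names and description wording are
# assumptions for this example, not the product's actual export format.
SAMPLE_EVENTS = """\
time,event_id,event,target,description
2024-05-01 02:00:05,2953,Inactive Agent Cleanup Completed Successfully,,Removed 2 computers
2024-05-01 02:00:06,251,Computer Deleted,web-01,Deleted by inactive agent cleanup
2024-05-01 02:00:06,251,Computer Deleted,db-02,Deleted by inactive agent cleanup
2024-05-01 03:00:04,2953,Inactive Agent Cleanup Completed Successfully,,Removed 1 computer
2024-05-01 03:00:05,251,Computer Deleted,batch-07,Deleted by inactive agent cleanup
2024-05-01 09:12:40,716,Reactivation Attempted by Unknown Agent,web-01,Unknown agent reconnected
2024-05-02 10:00:00,251,Computer Deleted,old-box,Deleted by administrator
"""

def parse_events(csv_text):
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["time"] = datetime.strptime(row["time"], TIME_FMT)
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return rows

def audit_cleanup(csv_text, start, end):
    """Reconcile a cleanup window: totals from 2953 events against the 251
    events, then find removed computers that later reactivated (716)."""
    events = parse_events(csv_text)
    lo, hi = (datetime.strptime(s, TIME_FMT) for s in (start, end))
    window = [e for e in events if lo <= e["time"] <= hi]
    checks = [e for e in window if e["event_id"] == CLEANUP_COMPLETED]
    # The 2953 description states how many computers that hourly check removed.
    reported = sum(int(m.group()) for e in checks
                   if (m := re.search(r"\d+", e["description"])))
    deleted = {e["target"]: e["time"] for e in window
               if e["event_id"] == COMPUTER_DELETED}
    reactivated = sorted(e["target"] for e in events
                         if e["event_id"] == REACTIVATION_UNKNOWN
                         and e["target"] in deleted
                         and e["time"] > deleted[e["target"]])
    return {"checks": len(checks), "reported_removed": reported,
            "deleted": sorted(deleted), "reactivated": reactivated,
            "consistent": reported == len(deleted)}
```

A `consistent` value of False means the 2953 totals and the 251 events for the window do not match, which is worth investigating before trusting the cleanup audit trail.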