Operations
Day-to-day operational tasks for managing Aquilon DLP.
Service Management
Linux (systemd)
# Check status
sudo systemctl status aquilon-dlp
# Start/stop/restart
sudo systemctl start aquilon-dlp
sudo systemctl stop aquilon-dlp
sudo systemctl restart aquilon-dlp
# Enable/disable at boot
sudo systemctl enable aquilon-dlp
sudo systemctl disable aquilon-dlp
# View recent logs
sudo journalctl -u aquilon-dlp -n 100
sudo journalctl -u aquilon-dlp -f # Follow
macOS (launchd)
# Check status
sudo launchctl list | grep aquilon
# Load/unload (start/stop)
sudo launchctl load /Library/LaunchDaemons/com.aquilonsecurity.dlp.plist
sudo launchctl unload /Library/LaunchDaemons/com.aquilonsecurity.dlp.plist
# View logs
tail -f /var/log/aquilon-dlp/stderr.log
Configuration Reload
After configuration changes:
# Linux
sudo systemctl restart aquilon-dlp
# macOS
sudo launchctl unload /Library/LaunchDaemons/com.aquilonsecurity.dlp.plist
sudo launchctl load /Library/LaunchDaemons/com.aquilonsecurity.dlp.plist
Health Checks
Service Running
# Linux
systemctl is-active aquilon-dlp
# macOS
sudo launchctl list | grep -q "com.aquilonsecurity.dlp" && echo "Running" || echo "Stopped"
Recent Alerts
-- Alerts in last 24 hours
SELECT COUNT(*) as alerts_24h
FROM aquilon_dlp_alerts
WHERE timestamp > (strftime('%s', 'now') - 86400);
Alert Generation
-- Alerts in last hour
SELECT COUNT(*) as recent_alerts
FROM aquilon_dlp_alerts
WHERE timestamp > (strftime('%s', 'now') - 3600);
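The health checks above are individual queries; the script below (an added example, not part of the Aquilon DLP docs or code) runs them against the alerts database and rolls them into a single status. Only the column names used by the queries on this page are assumed to exist; the CREATE TABLE, the policy and scanner names in the sample rows, and "open" as the untriaged triage_status value are constructed for the demonstration.

```python
"""Run this page's alert health checks and summarise them as one status."""
import sqlite3
import time

DB_PATH = "/var/lib/aquilon-dlp/aquilon_dlp.db"  # database path from this page

# Column names come from the queries on this page; the CREATE TABLE itself is
# an assumption used only to build the constructed sample below.
SCHEMA = """
CREATE TABLE IF NOT EXISTS aquilon_dlp_alerts (
    timestamp     INTEGER NOT NULL,   -- epoch seconds
    severity      TEXT    NOT NULL,
    policy        TEXT,
    scanner       TEXT,
    triage_status TEXT
);
"""

# Same ordering expression the Alert Trend query on this page uses.
SEVERITY_ORDER = """
    CASE severity
        WHEN 'critical' THEN 1
        WHEN 'high'     THEN 2
        WHEN 'medium'   THEN 3
        ELSE 4
    END"""


def alerts_since(conn, window_secs, now=None):
    """Alerts newer than now - window_secs, i.e. the 24h / 1h checks above."""
    now = int(time.time()) if now is None else now
    return conn.execute(
        "SELECT COUNT(*) FROM aquilon_dlp_alerts WHERE timestamp > ?",
        (now - window_secs,),
    ).fetchone()[0]


def alerts_by_severity(conn):
    """(severity, count) pairs ordered critical, high, medium, then the rest."""
    return conn.execute(
        "SELECT severity, COUNT(*) FROM aquilon_dlp_alerts "
        "GROUP BY severity ORDER BY " + SEVERITY_ORDER
    ).fetchall()


def untriaged_critical(conn, window_secs, now=None):
    """Critical alerts in the window still waiting for triage.
    Using 'open' as the untriaged triage_status value is an assumption."""
    now = int(time.time()) if now is None else now
    return conn.execute(
        "SELECT COUNT(*) FROM aquilon_dlp_alerts "
        "WHERE timestamp > ? AND severity = 'critical' AND triage_status = 'open'",
        (now - window_secs,),
    ).fetchone()[0]


def health_status(conn, now=None, burst_threshold=50):
    """'burst' when the last hour exceeds burst_threshold (typically a noisy
    policy or an unexcluded high-churn directory), 'attention' when critical
    alerts await triage, otherwise 'ok'."""
    summary = {
        "alerts_1h": alerts_since(conn, 3600, now),
        "alerts_24h": alerts_since(conn, 86400, now),
        "critical_open_24h": untriaged_critical(conn, 86400, now),
        "by_severity": alerts_by_severity(conn),
    }
    if summary["alerts_1h"] > burst_threshold:
        summary["status"] = "burst"
    elif summary["critical_open_24h"] > 0:
        summary["status"] = "attention"
    else:
        summary["status"] = "ok"
    return summary


def build_sample_db(now):
    """Constructed in-memory copy of the table; not real alert data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [
        (now - 600,   "critical", "pii-ssn",   "regex",   "open"),
        (now - 1800,  "high",     "secrets",   "entropy", "open"),
        (now - 7200,  "medium",   "pii-email", "regex",   "closed"),
        (now - 50000, "low",      "pii-email", "regex",   "closed"),
        (now - 90000, "high",     "secrets",   "entropy", "closed"),  # outside 24h
    ]
    conn.executemany("INSERT INTO aquilon_dlp_alerts VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    # Read-only open of the live database (uri=True enables ?mode=ro).
    live = sqlite3.connect(f"file:{DB_PATH}?mode=ro", uri=True)
    print(health_status(live))
```

Opening the live file read-only keeps a cron-driven health check from ever taking a write lock the service needs; pick burst_threshold from your own baseline alert rate rather than the default.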
Log Management
Log Locations
- Linux (systemd): journalctl -u aquilon-dlp
- Linux (syslog): /var/log/syslog or /var/log/messages
- macOS: /var/log/aquilon-dlp/*.log
Log Rotation (Linux)
Create /etc/logrotate.d/aquilon-dlp:
/var/log/aquilon-dlp/*.log {
daily
rotate 14
compress
delaycompress
missingok
notifempty
create 0640 root root
postrotate
systemctl reload aquilon-dlp 2>/dev/null || true
endscript
}
Log Levels
Adjust log verbosity via environment variable:
# Set in service environment (Linux)
# /etc/systemd/system/aquilon-dlp.service.d/override.conf
[Service]
# Levels: error, warn, info, debug (systemd does not allow a comment after the value on the same line)
Environment="RUST_LOG=aquilon_dlp=info"
Resource Monitoring
Disk Usage
# Database size
du -sh /var/lib/aquilon-dlp/aquilon_dlp.db
# Log directory
du -sh /var/log/aquilon-dlp/
Process Resources
# CPU and memory
ps aux | grep aquilon-dlp
# Detailed (Linux)
top -p "$(pgrep -d, aquilon-dlp)" # -d, joins multiple PIDs the way top expects
OSQuery Metrics
-- Alert statistics by severity
SELECT severity, COUNT(*) as count
FROM aquilon_dlp_alerts
GROUP BY severity;
-- Alerts by policy
SELECT policy, COUNT(*) as count
FROM aquilon_dlp_alerts
GROUP BY policy;
Database Maintenance
Vacuum
Reclaim space and optimize performance:
# Manual vacuum
sqlite3 /var/lib/aquilon-dlp/aquilon_dlp.db "VACUUM;"
# Check size before/after
ls -lh /var/lib/aquilon-dlp/aquilon_dlp.db
Integrity Check
sqlite3 /var/lib/aquilon-dlp/aquilon_dlp.db "PRAGMA integrity_check;"
# Expected: ok
Query Performance
Slow queries are usually a sign of stale query-planner statistics; refresh them with:
sqlite3 /var/lib/aquilon-dlp/aquilon_dlp.db "PRAGMA analysis_limit=1000; ANALYZE;"
Cache Management
Alert Statistics
-- Count alerts by severity
SELECT severity, COUNT(*) as count
FROM aquilon_dlp_alerts
GROUP BY severity;
Target: Review and triage critical/high severity alerts promptly
Clear Cache
To force re-scanning (use cautiously):
# Stop service first
sudo systemctl stop aquilon-dlp
# Clear cache table
sqlite3 /var/lib/aquilon-dlp/aquilon_dlp.db "DELETE FROM scan_cache;"
# Restart
sudo systemctl start aquilon-dlp
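The integrity check, VACUUM and cache purge above are separate shell steps; the script below (an added example, not the project's own tooling) performs them in the safe order: it refuses to VACUUM, which rewrites the whole file, when the integrity check does not return ok, so a corrupt database is left intact for a restore from backup. The scan_cache columns used in the constructed sample are assumptions; only the table name comes from this page. Run it against the live file only with the service stopped, as the page says.

```python
"""Database maintenance for aquilon_dlp.db: integrity check, optional
scan_cache purge, ANALYZE and VACUUM, with the file size before and after."""
import os
import sqlite3
import tempfile

DB_PATH = "/var/lib/aquilon-dlp/aquilon_dlp.db"  # path from this page


def integrity_ok(conn):
    """PRAGMA integrity_check yields exactly one row, 'ok', on a healthy file."""
    return [r[0] for r in conn.execute("PRAGMA integrity_check")] == ["ok"]


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def maintain(db_path, clear_cache=False):
    """Integrity check, optional scan_cache purge, ANALYZE and VACUUM.
    VACUUM is skipped when the integrity check fails: a corrupt database
    should be restored from backup, not rewritten in place."""
    report = {
        "integrity_ok": False,
        "cache_rows_deleted": 0,
        "vacuumed": False,
        "size_before": os.path.getsize(db_path),
    }
    conn = sqlite3.connect(db_path)
    try:
        report["integrity_ok"] = integrity_ok(conn)
        if report["integrity_ok"]:
            if clear_cache and table_exists(conn, "scan_cache"):
                # Count first: rowcount on a bare DELETE is not reliable everywhere.
                report["cache_rows_deleted"] = conn.execute(
                    "SELECT COUNT(*) FROM scan_cache").fetchone()[0]
                conn.execute("DELETE FROM scan_cache")
                conn.commit()
            conn.execute("PRAGMA analysis_limit = 1000")
            conn.execute("ANALYZE")
            conn.execute("VACUUM")  # must run outside a transaction
            report["vacuumed"] = True
    finally:
        conn.close()
    report["size_after"] = os.path.getsize(db_path)
    return report


def build_sample_db(db_path, rows=5000):
    """Constructed scan_cache table (its real columns are not on this page)
    with enough rows that the VACUUM after the purge shows up in the size."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE scan_cache (path TEXT, digest TEXT, scanned_at INTEGER)")
    conn.executemany(
        "INSERT INTO scan_cache VALUES (?, ?, ?)",
        (("/srv/data/file%05d.txt" % i, "0" * 64, 1_700_000_000 + i) for i in range(rows)),
    )
    conn.commit()
    conn.close()


def demo():
    """Run the whole procedure on a throwaway copy and return the report."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "aquilon_dlp.db")
        build_sample_db(path)
        return maintain(path, clear_cache=True)


if __name__ == "__main__":
    # Against the live file: stop the service first, as the page says.
    print(maintain(DB_PATH, clear_cache=False))
```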
Cache Configuration
Tune cache settings:
[cache]
enabled = true
ttl_secs = 86400 # Cache TTL in memory (24 hours)
scan_cache_ttl_days = 7 # Database cache TTL
Alert Statistics
Current Status
-- Alert overview by triage status
SELECT
triage_status,
COUNT(*) as count
FROM aquilon_dlp_alerts
GROUP BY triage_status;
-- Alert by scanner type
SELECT
scanner,
COUNT(*) as count
FROM aquilon_dlp_alerts
GROUP BY scanner
ORDER BY count DESC;
Alert Trend
-- Recent alert activity
SELECT
severity,
COUNT(*) as count
FROM aquilon_dlp_alerts
GROUP BY severity
ORDER BY
CASE severity
WHEN 'critical' THEN 1
WHEN 'high' THEN 2
WHEN 'medium' THEN 3
ELSE 4
END;
Performance Tuning
Worker Configuration
Adjust based on CPU cores:
[work_queue]
max_queue_size = 10000 # Work queue size
submit_timeout_secs = 5 # Timeout for queue submissions
[worker]
num_workers = 4 # Match CPU cores
Reduce I/O Load
[scan]
max_scan_size_mb = 100 # Skip large files
[resource_limits]
enabled = true
nice_level = 10 # Lower CPU priority (0-19)
High-Churn Directory Handling
Exclude directories that change frequently:
exclude_paths = [
"/tmp/%%",
"/var/cache/%%",
"/home/*/.cache/%%"
]
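The three tuning sections above give the values to watch (worker count against CPU cores, nice_level within 0-19, a max_scan_size_mb, exclusions for high-churn directories). The linter below is an added example, not part of Aquilon DLP, that checks a parsed aquilon_dlp_config.toml against those recommendations. It assumes exclude_paths lives under [scan], since the page shows the key without naming its table; the two sample configurations are constructed.

```python
"""Lint the performance-tuning tables of aquilon_dlp_config.toml."""
import os

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    tomllib = None

CONFIG_PATH = "/etc/aquilon-dlp/aquilon_dlp_config.toml"  # path from this page

# Directories this page recommends excluding because they change constantly.
HIGH_CHURN = ("/tmp/%%", "/var/cache/%%", "/home/*/.cache/%%")


def check_tuning(cfg, cpu_count=None):
    """Return a list of findings (empty means the tunables follow the page).
    cfg is the parsed TOML as a dict. exclude_paths is assumed to sit under
    [scan]; the page shows the key without naming its table."""
    cpu_count = cpu_count or os.cpu_count() or 1
    findings = []

    worker = cfg.get("worker", {})
    num_workers = worker.get("num_workers")
    if num_workers is None:
        findings.append("worker.num_workers not set")
    elif num_workers > cpu_count:
        findings.append(f"worker.num_workers={num_workers} exceeds {cpu_count} CPU cores")

    queue = cfg.get("work_queue", {})
    if queue.get("max_queue_size", 1) <= 0:
        findings.append("work_queue.max_queue_size must be positive")

    limits = cfg.get("resource_limits", {})
    if not limits.get("enabled", False):
        findings.append("resource_limits disabled: scanner runs at normal CPU priority")
    elif not 0 <= limits.get("nice_level", 0) <= 19:
        findings.append(f"resource_limits.nice_level={limits['nice_level']} outside 0-19")

    scan = cfg.get("scan", {})
    if "max_scan_size_mb" not in scan:
        findings.append("scan.max_scan_size_mb not set: large files are not skipped")
    excluded = set(scan.get("exclude_paths", []))
    for pattern in HIGH_CHURN:
        if pattern not in excluded:
            findings.append(f"high-churn path not excluded: {pattern}")
    return findings


def check_file(path=CONFIG_PATH, cpu_count=None):
    """Parse the TOML file and lint it."""
    if tomllib is None:
        raise RuntimeError("tomllib needs Python 3.11+")
    with open(path, "rb") as fh:
        return check_tuning(tomllib.load(fh), cpu_count)


# Constructed sample: over-provisioned workers, nice level out of range,
# only one of the recommended exclusions.
SAMPLE_BAD = {
    "work_queue": {"max_queue_size": 10000, "submit_timeout_secs": 5},
    "worker": {"num_workers": 64},
    "resource_limits": {"enabled": True, "nice_level": 25},
    "scan": {"max_scan_size_mb": 100, "exclude_paths": ["/tmp/%%"]},
}

# Constructed sample following this page's values for a 4-core host.
SAMPLE_GOOD = {
    "work_queue": {"max_queue_size": 10000, "submit_timeout_secs": 5},
    "worker": {"num_workers": 4},
    "resource_limits": {"enabled": True, "nice_level": 10},
    "scan": {"max_scan_size_mb": 100, "exclude_paths": list(HIGH_CHURN)},
}

if __name__ == "__main__":
    for finding in check_file():
        print("WARN:", finding)
```

Run it after every configuration change, before the restart in Configuration Reload, so an over-provisioned worker count or a missing exclusion is caught before it shows up as high CPU usage.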
Troubleshooting Operations
Service Won’t Start
- Check configuration:
  aquilon-dlp --validate-config /etc/aquilon-dlp/aquilon_dlp_config.toml
- Check logs for errors:
  sudo journalctl -u aquilon-dlp -n 50
- Check database lock:
  lsof /var/lib/aquilon-dlp/aquilon_dlp.db
High CPU Usage
- Check scan rate in logs
- Add exclusions for high-churn directories
- Increase nice level
- Reduce worker count
High Memory Usage
- Reduce max_entries in cache config
- Reduce queue_size in worker config
- Restart service to clear memory
Database Corruption
- Stop service
- Run integrity check
- If failed, restore from backup (see Backup & Restore)