Configure the SIEM agent to run consecutively
Article ID: 270044

Products: CASB Audit, CASB Security Advanced, CASB Security Premium, CASB Security Standard

Issue/Introduction

A cron job can only run the agent on a preconfigured time interval; it cannot start a new run as soon as the previous run finishes. This KB shows how to run the SIEM agent consecutively (back to back) using a systemd service on Linux.

Resolution

  1. Copy the SIEM agent command from the crontab job. If no job is configured, first test the agent using the tech doc Run the agent manually.
  2. Change to the systemd unit directory: cd /etc/systemd/system
  3. Create a new, blank service file for the SIEM agent (for example casbsiemagent.service).
  4. Copy the following unit definition into the file (for example with vi casbsiemagent.service), replacing the bracketed placeholders on the ExecStart line with the arguments from your crontab job.

[Unit]
Description=Controls CloudSOC SIEM agent

[Service]
# Command to execute when the service is started
ExecStart=/usr/bin/python3 /opt/splunk_agent/splunk_agent.py [--proxy host_and_port] [-u username -p password] [--severity severity ...] [--app app ...] [--object_type object_type ...] [--activity_type activity_type ...] [--elastica_app elastica_app ...] [-c] [-r] [-v] [-d] [--rate] [-o/--output] [--start_date start_date] [-s/--stream stream] [-t/--target socket] [--socket_type udp_or_tcp] [-f/--filename filename] [--max_bytes maximum_bytes] [--backup_count backup_count]
Restart=always

[Install]
WantedBy=default.target

  5. Save the file and check that systemd sees the service: systemctl list-unit-files | grep -i siem
  6. Start the service: systemctl start casbsiemagent.service
  7. Enable the service on boot: systemctl enable casbsiemagent.service
  8. Check the agent status: systemctl status casbsiemagent
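The following POSIX shell helper is an added example, not part of this KB and not Broadcom's code. It automates the steps above: it takes the crontab line, strips the five schedule fields to recover the agent command, writes the unit file and, with --install, verifies, starts and enables it. Two settings go beyond the unit file shown in the article and are assumptions of this example: a RestartSec of 30 seconds (with the systemd default of 100 ms, an agent that exits quickly trips the default start-rate limit of 5 starts in 10 seconds and the unit stops) and ordering after network-online.target. Because the ExecStart line may carry the -u/-p credentials from the crontab job, the helper creates the unit file with mode 0600. The unit name casbsiemagent.service and the agent path /opt/splunk_agent/splunk_agent.py are taken from the article.

```shell
#!/bin/sh
# Added example (not from the Broadcom KB): build and install the systemd unit that
# runs the CloudSOC SIEM agent back to back, from the command copied out of crontab.
# Assumptions: a five-field crontab schedule, unit name casbsiemagent.service, and the
# RestartSec / network-online.target settings, which are additions to the KB's unit.

# cron_command_from_line LINE
# Prints the command part of a five-field crontab line; fails on blank, comment or
# short lines. Shorthand schedules such as @reboot are not handled here.
cron_command_from_line() {
    line=$1
    case "$line" in
        ''|'#'*) return 1 ;;
    esac
    [ "$(printf '%s\n' "$line" | awk '{ print NF }')" -ge 6 ] || return 1
    printf '%s\n' "$line" | sed -E 's/^([^[:space:]]+[[:space:]]+){5}//'
}

# render_unit COMMAND
# Prints the unit definition to stdout.
render_unit() {
cat <<EOF
[Unit]
Description=Controls CloudSOC SIEM agent
After=network-online.target
Wants=network-online.target

[Service]
# Command to execute when the service is started (taken from the crontab job)
ExecStart=$1
# Start the next run as soon as the previous one exits, whatever its exit status
Restart=always
# Pause between runs. With the systemd default of 100ms, an agent that exits quickly
# trips the default start-rate limit (5 starts in 10 seconds) and the unit stops.
RestartSec=30

[Install]
WantedBy=default.target
EOF
}

# write_unit UNIT_DIR UNIT_NAME CRONTAB_LINE
# Writes the unit file with mode 0600 (ExecStart may carry -u/-p credentials)
# and prints its path.
write_unit() {
    unit_dir=$1
    unit_name=$2
    cmd=$(cron_command_from_line "$3") || { echo "no command found in crontab line" >&2; return 1; }
    unit_path="$unit_dir/$unit_name"
    ( umask 077 && render_unit "$cmd" > "$unit_path" ) || return 1
    chmod 0600 "$unit_path"
    printf '%s\n' "$unit_path"
}

# install_unit CRONTAB_LINE
# Steps 2 to 8 of the article: write the unit into /etc/systemd/system, verify it,
# start it, enable it at boot and show its status. Must run as root.
install_unit() {
    unit_path=$(write_unit /etc/systemd/system casbsiemagent.service "$1") || return 1
    systemd-analyze verify "$unit_path"
    systemctl daemon-reload
    systemctl list-unit-files | grep -i siem
    systemctl start casbsiemagent.service
    systemctl enable casbsiemagent.service
    systemctl status casbsiemagent.service --no-pager
}

# Usage: sh make_siem_unit.sh --install "$(crontab -l | grep splunk_agent)"
if [ "${1:-}" = "--install" ]; then
    install_unit "$2"
fi
```

Run it with the crontab line quoted as a single argument; without --install it only defines the functions, so write_unit can be pointed at a scratch directory to inspect the generated unit before touching /etc/systemd/system.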