We’re releasing Linux Agent 4.0.7 today. Since our last public Linux update (4.0.2), we’ve shipped several focused improvements across enrollment, hardware reporting, security monitoring, and group synchronization based on user feedback. This post covers everything in 4.0.3 through 4.0.7 so you have one place to see what’s new.
Enrollment bug fix
We fixed a bug that could prevent new Linux installs from enrolling successfully.
Accurate installed RAM reporting
Linux computers now report physical installed RAM from DMI (via dmidecode) when available, rather than relying solely on kernel-visible memory from /proc/meminfo.
That matters on hosts where the kernel reports less than what’s actually installed—common with reserved memory, virtualization quirks, or certain hardware configurations. Dashboard RAM totals should now align more closely with what you’d see in asset inventory or on the box itself.
The agent falls back to /proc/meminfo when DMI data isn’t available. Package metadata declares dmidecode as a recommended dependency on .deb and .rpm builds.
Failed Logins monitoring restored on Linux
The Failed Logins plugin is again at parity with the legacy Python Linux agent – and we’ve followed up with stability fixes for real-world log sources.
What’s back:
- Incremental reads from
/var/log/auth.logor/var/log/secure, so repeated failed SSH attempts are reported once, not on every agent run journalctlfallback on systemd distros that don’t keep a traditional auth log file, including common SSH unit names (ssh.service,sshd.service, and related filters)- Legacy-style summaries in the dashboard, so existing alert thresholds and workflows continue to make sense
Additional Related Fixes:
- Correct handling when auth logs hit EOF or rotate mid-read
- ISO-8601 journal timestamps parsed reliably alongside classic syslog formats
- Cursor edge cases fixed so journal incremental reads don’t skip or duplicate events after truncation or source switches
- Auth source priority tuned so the agent picks the best available log consistently
If Failed Logins was quiet on your Linux fleet after moving to the Go agent, these releases are worth revisiting—especially on Ubuntu, Rocky, and other journal-first systems.
Group and asset settings stay in sync
The most significant behavioral fix in this batch is how the Linux agent keeps local settings aligned with the dashboard after each scheduled check-in.
When you change a computer’s group, asset ID, or reference email fields in the Watchman Monitoring dashboard, the server sends the updated values back to the agent on its next report. The agent saves those values locally so the computer keeps reporting under the group and contact details you set in the dashboard – matching how the legacy Python agent has always worked.
This closes a gap where Linux hosts could appear to “snap back” to an old group after a dashboard change, or fail to pick up a group assignment when you used Change Group in the dashboard.
We’re continuing to improve the Linux agent, so if you run into any issues or have feature requests, please let us know!
Ian, Garrett & Allen
