ACC 'Grab agent log' fails with error 'check command denied by the agent allow list. Context: Using config allow list. Did not find exec entry'

Summary

To troubleshoot this, start from the 'Grab agent log' UI action:
/sys_ui_action.do?sys_id=7d81d4dc67440010b7b72dbd2685ef59

It invokes the 'grabAgentLog' function from the script include:
/sys_script_include.do?sys_id=3625652a67080010b7b72dbd2685ef28

This function invokes the check_def with the sys_id '028fcd5067c80010b7b72dbd2685ef4f', which is the 'check-read-log' check definition:
/sn_agent_check_def.do?sys_id=028fcd5067c80010b7b72dbd2685ef4f

So, when you click the 'Grab agent log' UI action, you are in turn invoking the 'check-read-log' check. This process behaves like any other check with ACC. If this check is missing from the global check-allow-list.json file, which is defined in the acc.yml file, the UI action will fail.
Many customers have attempted to fix this by following KB1585764; however, that is only for additional checks used by Discovery Patterns and won't fix this.

Recent versions of ACC-F and ACC-V have an option to generate allow-lists for both patterns and checks. This feature can generate the allow-list for specific checks and patterns, or for all checks and patterns. If a customer needs both checks and patterns, they should generate the allow-lists separately, merge them together, and append the result to the existing allow-list. Note that the customer should APPEND the generated allow-list to the existing check-allow-list.json shipped with the installation, not replace it.

More details on using this feature are in the docs below:
Generate an Agent Client Collector allow list
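
The append-not-replace merge described above, as an added example that is not ServiceNow's code. It assumes the allow-list file is a JSON array of objects with an "exec" key (inferred from the 'Did not find exec entry' error text, so compare with your installed file), and every entry value below is a constructed placeholder.

```python
import json

# Constructed sample data. Assumed layout: a JSON array of objects with an
# "exec" key; compare with the check-allow-list.json on your agent first.
SHIPPED = '[{"exec": "EXAMPLE-shipped-check"}]'
GENERATED_CHECKS = ('[{"exec": "EXAMPLE-check-read-log-exec"},'
                    ' {"exec": "EXAMPLE-shipped-check"}]')
GENERATED_PATTERNS = '[{"exec": "EXAMPLE-pattern-command"}]'


def load_entries(text):
    """Parse allow-list text; reject anything that is not an array of objects."""
    data = json.loads(text)
    if not isinstance(data, list) or not all(isinstance(e, dict) for e in data):
        raise ValueError("expected a JSON array of objects")
    return data


def append_allow_lists(shipped, *generated):
    """Keep every shipped entry in order, then append entries not already present."""
    merged = list(shipped)
    seen = {json.dumps(e, sort_keys=True) for e in merged}
    for entries in generated:
        for entry in entries:
            key = json.dumps(entry, sort_keys=True)
            if key not in seen:  # skip exact duplicates only
                seen.add(key)
                merged.append(entry)
    return merged


def has_exec_entry(entries, exec_value):
    """True if some entry's exec equals the value the check needs."""
    return any(e.get("exec") == exec_value for e in entries)


def build_merged():
    """Merge the check and pattern lists, appended to the shipped list."""
    return append_allow_lists(load_entries(SHIPPED),
                              load_entries(GENERATED_CHECKS),
                              load_entries(GENERATED_PATTERNS))


if __name__ == "__main__":
    merged = build_merged()
    # Fail loudly if the entry the UI action needs is still absent after the merge.
    if not has_exec_entry(merged, "EXAMPLE-check-read-log-exec"):
        raise SystemExit("exec entry still missing from merged allow list")
    print(json.dumps(merged, indent=2))
```

Write the merged output to a new file and review the difference against the shipped list before putting it in place, since every appended entry widens what the agent is allowed to execute.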