topic Re: check cortex xdr agent status in Cortex XDR Discussions

check cortex xdr agent status

Seka — Mon, 28 Mar 2022 12:17:03 GMT

Hi everyone,

I have a doubt

how can I check the status of the cortex xdr service / agent in windows 10 ?

cause my client won't synchronize with server

Thanks in advance.

greetings.

Re: check cortex xdr agent status

KanwarSingh01 — Mon, 28 Mar 2022 23:58:08 GMT

Hi @Seka ,

If i guess your agents are not able to check-in to cloud console, I think you will have to use a 3rd party tool here. We use 3rd party tool to check on services of Cortex XDR if it is running or not.

Or probably you can use the below command and loop over your endpoint list:

wmic /node:"you-pc" service list brief | findstr cyserver

The above command wont be useful if the endpoints are not on domain and also where IP connectivity is limited.

Re: check cortex xdr agent status

bbarmanroy — Tue, 29 Mar 2022 08:41:24 GMT

Hi @Seka if your endpoint is not connected, run the following commands to identify if XDR is running.

cytool runtime query

If this is a fresh installation, I'd recommend you to uninstall and reinstall the agent to see if it works, assuming this endpoint has the same network access levels as others in your tenant.
Otherwise, try using the command "cytool reconnect force <distribution ID>", where the ID can be obtained from the Agent Installations page (you can also create a new one).
Does a reboot help?
If the aforementioned steps fail, please raise a support ticket at support.paloaltonetworks.com. Please retrieve the TSF logs from the endpoint itself and upload it to the portal.

Ensure your endpoint agent has access to internet (host firewalls, perimeter firewalls, corporate proxies etc.). Check if this is an isolated incident with one endpoint/few endpoints or if it is happening with all endpoints in your estate.

Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-6/cortex-xdr-agent-admin/cortex-xdr-agent-for-windows/troubleshoot-cortex-xdr-for-windows/cytool.html

Re: check cortex xdr agent status

eluis — Tue, 29 Mar 2022 10:06:22 GMT

Hi @Seka,

if with the command that @bbarmanroy provided you see that services are not running, please try the following in your non connected endpoint and as admin user:

C:\Program Files\Palo Alto Networks\Traps\cytool.exe runtime start

That should start the services/xdr processes and if it doesn't, it will give you an error or some clue of what might be going on at your endpoint.

If this command does not get your xdr services/processes up and running and/or if your agent is not able to do the checkin, please open a TAC support case and our TAC engineers will help you further.

You can also try to force the checkin (once your xdr processes are running) with cytool.exe checkin

Make sure that your endpoint is not network-isolated so it can reach the tenant. That might be another issue

KR,

Luis

Re: check cortex xdr agent status

Seka — Wed, 30 Mar 2022 15:21:07 GMT

thank you for your reply , i will try it and get you back

Re: check cortex xdr agent status

Seka — Wed, 30 Mar 2022 15:26:12 GMT

hi ,thank you for you reply , please see in attachment the screenshot on cytool runtime query command

Re: check cortex xdr agent status

eluis — Wed, 30 Mar 2022 16:02:39 GMT

Hi @Seka

please check that the following existsC:\Windows\System32\drivers\telam.sys

If it doesnt exist open a TAC support ticket

If it exists, type

C:\Program Files\Palo Alto Networks\Traps>sc config telam start= boot

C:\Program Files\Palo Alto Networks\Traps>cytool runtime start

check that everything is runing with cytool runtime query

If not running reboot and check again with cytool if the telam is running (as well as the other processes). For the sc config command you will need the supervisor pass (the same as the uninstall pass)

If it doesnt work please open a TAC support ticket.

Please let me know if this happened after trying to upgrade and having it failed ?

KR,

Luis

Re: check cortex xdr agent status

jgupta — Wed, 05 Jun 2024 17:50:31 GMT

To check service status: sc query cyserver

To start the service: sc start cyserver

check the event viewer logs : eventvwr.msc

Check the XDR agent logs: C:\Program Files\Palo Alto Networks\Traps\logs

Find more detail for further troubleshooting: Use Cortex XDR Agent for Windows • Cortex XDR Agent Administrator Guide • Reader • Palo Alto Networks documentation portal