topic Re: Cortex XDR Pro - 8.2.0.46438 - Agents Disconnected - service state "stopping" how to monitor that? in Cortex XDR Discussions

Cortex XDR Pro - 8.2.0.46438 - Agents Disconnected - service state "stopping" how to monitor that?

RFeyertag — Mon, 11 Dec 2023 19:59:45 GMT

Hello dear community,

today I ran into some issues with the version mentioned above. I know it got hotfixed, but when you cannot install an upgrade and cannot uninstall the agent, I get challanged 🙂

You need to uninstall it directly after restart, when the service works. The service gives up some minutes after restart.

In my scenario the agent 8.2.0.46438 had to be restarted, because the cortex service stuck with status "stopping". A shutdown didn't work. Only a restart fixed the other agents which were "disconnected". However, I need a practical solution for monitoring this, when the cortex service is in a state where the agent is deactivated.

In my agent log I can find 26.000 XDR service cyserver was stopped on entries. I think they are also written, when the computer is shut down.

What kind of monitoring (there are also agents which are not inhouse) would you use in my case?

Rob

Re: Cortex XDR Pro - 8.2.0.46438 - Agents Disconnected - service state "stopping" how to monitor that?

RFeyertag — Mon, 11 Dec 2023 22:34:20 GMT

So one step closer to the edge.

On some servers I am not able to uninstall the agent. It fails, because the cortex xdr agent service wants to be stopped, but it hangs in the stopping status.

Anyone facing this problems too?

Rob

Re: Cortex XDR Pro - 8.2.0.46438 - Agents Disconnected - service state "stopping" how to monitor that?

Antanas_Kopas — Wed, 13 Dec 2023 12:45:42 GMT

Hi.Same version, exactly same problems.

Re: Cortex XDR Pro - 8.2.0.46438 - Agents Disconnected - service state "stopping" how to monitor that?

RFeyertag — Thu, 14 Dec 2023 17:14:28 GMT

If you don't control the connected or disconnected status, you maybe get troubles.

This little guys helped us:

XQL for checking the disconnected status in list format:

config case_sensitive = false
|dataset = endpoints
| filter endpoint_type = ENUM.TYPE_SERVER and endpoint_status = ENUM.DISCONNECTED
| filter last_seen != null
| alter ct = current_time()
| alter diff_in_hours = timestamp_diff(ct, last_seen, "HOUR")
| alter diff_in_days = timestamp_diff(ct, last_seen, "DAY")
| filter diff_in_hours >0
| fields endpoint_name, domain , ip_address , mac_address ,last_seen, diff_in_hours, diff_in_days
| sort desc diff_in_hours

Ping with exported list from the result (Hostnames) above.

$complist = Get-Content "C:\temp\ip.txt"

foreach($comp in $complist){

$pingtest = Test-Connection -ComputerName $comp -Quiet -Count 1 -ErrorAction SilentlyContinue

if($pingtest){

Write-Host($comp + " is online")
}
else{
Write-Host($comp + " is not reachable")
}

}

I bet there is a possibility to do this automaticly through api etc.

Rob