This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

check cortex xdr agent status

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

check cortex xdr agent status

Go to solution
Seka
L1 Bithead

‎03-28-2022 05:17 AM

Hi everyone,

 

I have a doubt

how can I check the status of the cortex xdr service / agent in windows 10 ?

cause my client won't synchronize with server 

Thanks in advance.

 

greetings.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
eluis
L4 Transporter

‎03-29-2022 03:06 AM

Hi @Seka,

if with the command that @bbarmanroy provided you see that services are not running, please try the following in your non connected endpoint and as admin user: 

 

C:\Program Files\Palo Alto Networks\Traps\cytool.exe runtime start

 

That should start the services/xdr processes and if it doesn't, it will give you an error or some clue of what might be going on at your endpoint. 

If this command does not get your xdr services/processes up and running and/or if your agent is not able to do the checkin, please open a TAC support case and our TAC engineers will help you further.

You can also try to force the checkin (once your xdr processes are running) with cytool.exe checkin 

Make sure that your endpoint is not network-isolated so it can reach the tenant. That might be another issue  

KR,

Luis  

 

 

View solution in original post

0 Likes Likes
7 REPLIES 7

Go to solution
KanwarSingh01
L3 Networker

‎03-28-2022 04:57 PM - edited ‎03-28-2022 04:58 PM

Hi @Seka ,

 

If i guess your agents are not able to check-in to cloud console, I think you will have to use a 3rd party tool here. We use 3rd party tool to check on services of Cortex XDR if it is running or not.

 

Or probably you can use the below command and loop over your endpoint list:

wmic /node:"you-pc" service list brief | findstr cyserver

 

The above command wont be useful if the endpoints are not on domain and also where IP connectivity is limited.

Kind Regards
KS
0 Likes Likes

Go to solution
bbarmanroy
L5 Sessionator

‎03-29-2022 01:41 AM

Hi @Seka if your endpoint is not connected, run the following commands to identify if XDR is running.

cytool runtime query

bbarmanroy_0-1648542937051.png

 

  1. If this is a fresh installation, I'd recommend you to uninstall and reinstall the agent to see if it works, assuming this endpoint has the same network access levels as others in your tenant. 
  2. Otherwise, try using the command "cytool reconnect force <distribution ID>", where the ID can be obtained from the Agent Installations page (you can also create a new one).
  3. Does a reboot help?
  4. If the aforementioned steps fail, please raise a support ticket at support.paloaltonetworks.com. Please retrieve the TSF logs from the endpoint itself and upload it to the portal.
     
     

     

     


     

     

     

 

Ensure your endpoint agent has access to internet (host firewalls, perimeter firewalls, corporate proxies etc.). Check if this is an isolated incident with one endpoint/few endpoints or if it is happening with all endpoints in your estate. 

 

 

Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-6/cortex-xdr-agent-admin/cortex-xdr-agent-for-...

(1)

Go to solution
eluis
L4 Transporter

‎03-29-2022 03:06 AM

Hi @Seka,

if with the command that @bbarmanroy provided you see that services are not running, please try the following in your non connected endpoint and as admin user: 

 

C:\Program Files\Palo Alto Networks\Traps\cytool.exe runtime start

 

That should start the services/xdr processes and if it doesn't, it will give you an error or some clue of what might be going on at your endpoint. 

If this command does not get your xdr services/processes up and running and/or if your agent is not able to do the checkin, please open a TAC support case and our TAC engineers will help you further.

You can also try to force the checkin (once your xdr processes are running) with cytool.exe checkin 

Make sure that your endpoint is not network-isolated so it can reach the tenant. That might be another issue  

KR,

Luis  

 

 

0 Likes Likes

Go to solution
Seka
L1 Bithead
In response to bbarmanroy

‎03-30-2022 08:21 AM

thank you for your reply , i will try it and get you back

0 Likes Likes

Go to solution
Seka
L1 Bithead
In response to eluis

‎03-30-2022 08:26 AM

hi ,thank you for you reply , please see in attachment the screenshot on cytool runtime query command

Preview file
95 KB
0 Likes Likes

Go to solution
eluis
L4 Transporter
In response to Seka

‎03-30-2022 09:02 AM

Hi @Seka 

please check that the following existsC:\Windows\System32\drivers\telam.sys

If it doesnt exist open a TAC support ticket

If it exists, type 

 C:\Program Files\Palo Alto Networks\Traps>sc config telam start= boot

C:\Program Files\Palo Alto Networks\Traps>cytool runtime start

check that everything is runing with cytool runtime query 

If not running reboot and check again with cytool if the telam is running (as well as the other processes). For the sc config command you will need the supervisor pass (the same as the uninstall pass) 

If it doesnt work please open a TAC support ticket. 

 

Please let me know if this happened after trying to upgrade and having it failed ? 

 

KR, 

Luis

Go to solution
jgupta
L0 Member

‎06-05-2024 10:50 AM

To check service status:  sc query cyserver

To start the service: sc start  cyserver

check the event viewer logs :  eventvwr.msc

Check the XDR agent logs:     C:\Program Files\Palo Alto Networks\Traps\logs

 

Find more detail for further troubleshooting:  Use Cortex XDR Agent for Windows • Cortex XDR Agent Administrator Guide • Reader • Palo Alto Network...                         

0 Likes Likes
  • 1 accepted solution
  • 13719 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks