12-11-2023 11:59 AM
Hello dear community,
today I ran into some issues with the version mentioned above. I know it got hotfixed, but when you cannot install an upgrade and cannot uninstall the agent, I get challenged 🙂
You need to uninstall it directly after restart, when the service works. The service gives up some minutes after restart.
In my scenario the agent 8.2.0.46438 had to be restarted, because the cortex service was stuck with status "stopping". A shutdown didn't work. Only a restart fixed the other agents which were "disconnected". However, I need a practical solution for monitoring this, when the cortex service is in a state where the agent is deactivated.
In my agent log I can find 26.000 "XDR service cyserver was stopped on" entries. I think they are also written when the computer is shut down.
What kind of monitoring (there are also agents which are not inhouse) would you use in my case?
BR
Rob
12-11-2023 02:34 PM
So one step closer to the edge.
On some servers I am not able to uninstall the agent. It fails, because the cortex xdr agent service wants to be stopped, but it hangs in the stopping status.
Anyone facing these problems too?
BR
Rob
12-13-2023 04:45 AM
Hi. Same version, exactly same problems.
12-14-2023 09:14 AM
If you don't control the connected or disconnected status, you may get into trouble.
These little guys helped us:
XQL for checking the disconnected status in list format:
config case_sensitive = false
| dataset = endpoints
| filter endpoint_type = ENUM.TYPE_SERVER and endpoint_status = ENUM.DISCONNECTED
| filter last_seen != null
| alter ct = current_time()
| alter diff_in_hours = timestamp_diff(ct, last_seen, "HOUR")
| alter diff_in_days = timestamp_diff(ct, last_seen, "DAY")
| filter diff_in_hours > 0
| fields endpoint_name, domain, ip_address, mac_address, last_seen, diff_in_hours, diff_in_days
| sort desc diff_in_hours
Ping with exported list from the result (Hostnames) above.
# One hostname (or IP) per line, exported from the XQL result above
$complist = Get-Content "C:\temp\ip.txt"
foreach ($comp in $complist) {
    # -Quiet returns $true/$false instead of reply objects
    $pingtest = Test-Connection -ComputerName $comp -Quiet -Count 1 -ErrorAction SilentlyContinue
    if ($pingtest) {
        Write-Host "$comp is online"
    }
    else {
        Write-Host "$comp is not reachable"
    }
}
I bet there is a possibility to do this automatically through API etc.
BR
Rob
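An added example, not code from any poster in this thread: it combines the two steps of the reply above (XQL export, then ping) with a check of the agent service state, so a server that answers ping while its service hangs in "stopping" is separated from one that is simply powered off. The service name `cyserver` is taken from the log entry quoted in the first post; CIM/WinRM access to the hosts, the CSV column names and the sample rows are assumptions.

```powershell
# Added example, not code from the thread. Assumptions: service name "cyserver"
# (from the log entry quoted in the first post), CIM/WinRM access to the hosts,
# and CSV columns named as in the XQL "fields" stage. Sample rows are constructed.
function Get-AgentVerdict {
    param([bool]$Reachable, [string]$ServiceState)
    if (-not $Reachable) { return 'host offline, disconnect expected' }
    switch ($ServiceState) {
        'Running'      { 'host up, service running, still disconnected' }
        'Stop Pending' { 'host up, service hung in stopping state' }
        'Stopped'      { 'host up, service stopped' }
        ''             { 'host up, service state not readable' }
        default        { "host up, service state: $ServiceState" }
    }
}

function Test-AgentHost {
    param([string]$ComputerName, [string]$ServiceName = 'cyserver')
    $reachable = [bool](Test-Connection -ComputerName $ComputerName -Quiet -Count 1 -ErrorAction SilentlyContinue)
    $state = ''
    if ($reachable) {
        # Win32_Service.State reports "Stop Pending" while a service hangs in stopping
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" `
                   -ComputerName $ComputerName -ErrorAction SilentlyContinue
        if ($svc) { $state = $svc.State }
    }
    [pscustomobject]@{
        Endpoint  = $ComputerName
        Reachable = $reachable
        Service   = $state
        Verdict   = Get-AgentVerdict -Reachable $reachable -ServiceState $state
    }
}

# Constructed stand-in for the CSV exported from the XQL query above
$export = @'
endpoint_name,last_seen,diff_in_hours
srv-app01.example.test,2023-12-13 22:10:00,11
srv-db02.example.test,2023-12-11 09:30:00,71
'@ | ConvertFrom-Csv

$export | ForEach-Object {
    $hours = [int]$_.diff_in_hours
    Test-AgentHost -ComputerName $_.endpoint_name |
        Add-Member -NotePropertyName HoursDisconnected -NotePropertyValue $hours -PassThru
} | Sort-Object HoursDisconnected -Descending | Format-Table -AutoSize
```

Endpoints outside the internal network cannot be probed this way; for those, only the `last_seen` values from the XQL query remain as a signal.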