Cortex XDR Pro - 8.2.0.46438 - Agents Disconnected - service state "stopping" how to monitor that?


L4 Transporter

Hello dear community, 

 

Today I ran into some issues with the version mentioned above. I know it got hotfixed, but when you cannot install an upgrade and cannot uninstall the agent, I get challenged 🙂

You need to uninstall it directly after a restart, while the service still works. The service gives up some minutes after the restart. 

 

In my scenario the agent 8.2.0.46438 had to be restarted, because the Cortex service was stuck with status "stopping". A shutdown didn't work. Only a restart fixed the other agents which were "disconnected". However, I need a practical solution for monitoring this, when the Cortex service is in a state where the agent is deactivated. 

 

In my agent log I can find 26,000 "XDR service cyserver was stopped on" entries. I think they are also written when the computer is shut down. 

 

What kind of monitoring (there are also agents which are not in-house) would you use in my case? 

 

BR

 

Rob

 

 


L4 Transporter

So one step closer to the edge. 

On some servers I am not able to uninstall the agent. It fails, because the Cortex XDR agent service has to be stopped, but it hangs in the "stopping" status. 

Is anyone facing these problems too?

 

BR

 

Rob

Hi. Same version, exactly the same problems.

L4 Transporter

If you don't monitor the connected or disconnected status, you may get into trouble. 

These little guys helped us:

XQL for checking the disconnected status in list format:

 

config case_sensitive = false
| dataset = endpoints
| filter endpoint_type = ENUM.TYPE_SERVER and endpoint_status = ENUM.DISCONNECTED
| filter last_seen != null
| alter ct = current_time()
| alter diff_in_hours = timestamp_diff(ct, last_seen, "HOUR")
| alter diff_in_days = timestamp_diff(ct, last_seen, "DAY")
| filter diff_in_hours > 0
| fields endpoint_name, domain, ip_address, mac_address, last_seen, diff_in_hours, diff_in_days
| sort desc diff_in_hours

 

Ping the hostnames from the exported result list above: 

# one hostname per line, exported from the XQL result
$complist = Get-Content "C:\temp\ip.txt"

foreach ($comp in $complist) {
    $pingtest = Test-Connection -ComputerName $comp -Quiet -Count 1 -ErrorAction SilentlyContinue
    if ($pingtest) {
        Write-Host ($comp + " is online")
    }
    else {
        Write-Host ($comp + " is not reachable")
    }
}

 

I bet there is a possibility to do this automatically through the API etc.

 

BR

 

Rob
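A remote check of the agent service's own state, as an added example that is not from this thread or from Palo Alto Networks: it reads the same exported host list and, for every reachable host, queries the service through CIM and flags machines where it hangs in "Stop Pending" (the "stopping" status described in the original post). The service name cyserver is taken from the log entry quoted in the original post and should be verified against your installation; the script assumes WinRM/CIM access with an account allowed to query Win32_Service on the endpoints.

```powershell
# Added example (not from the thread): check the Cortex XDR agent service state remotely
# and flag hosts where it hangs in "Stop Pending". The service name "cyserver" comes from
# the log entry quoted in the original post; adjust it if your agent registers another name.
$ServiceName = 'cyserver'
$HostList    = Get-Content 'C:\temp\ip.txt'          # hostnames exported from the XQL result
$Report      = 'C:\temp\xdr-service-state.csv'

$results = foreach ($comp in $HostList) {
    $row = [pscustomobject]@{
        Host      = $comp
        Reachable = $false
        State     = 'unknown'
        StartMode = 'unknown'
        Flag      = ''
    }

    if (-not (Test-Connection -ComputerName $comp -Quiet -Count 1 -ErrorAction SilentlyContinue)) {
        $row.Flag = 'host not reachable'
        $row
        continue
    }
    $row.Reachable = $true

    try {
        # Win32_Service.State is e.g. "Running", "Stopped", "Stop Pending", "Start Pending"
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" `
                               -ComputerName $comp -OperationTimeoutSec 15 -ErrorAction Stop
        if ($null -eq $svc) {
            $row.Flag = 'service not installed'
        } else {
            $row.State     = $svc.State
            $row.StartMode = $svc.StartMode
            switch ($svc.State) {
                'Running'      { }
                'Stop Pending' { $row.Flag = 'service hung in stopping state - restart needed' }
                default        { $row.Flag = "service not running ($($svc.State))" }
            }
        }
    } catch {
        $row.Flag = "CIM query failed: $($_.Exception.Message)"
    }
    $row
}

# full report as CSV for ticketing; only flagged hosts on the console
$results | Export-Csv -Path $Report -NoTypeInformation
$results | Where-Object Flag | Format-Table -AutoSize
```

Hosts that answer the ping but report "Stop Pending" are the ones the disconnected-status query alone cannot distinguish from a healthy reboot.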
