
csfalcon's Issues

Add Sensor Troubleshooting to KB

Troubleshooting

Windows:

Get the AID from PowerShell (the registry path below contains backslashes before each GUID; they were lost in the original rendering):

powershell.exe -command "[System.BitConverter]::ToString( ((Get-ItemProperty 'HKLM:\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default' -Name AG).AG)).ToLower() -replace '-',''"

Verify that the Sensor is Running

sc.exe query csagent

Ensure we are able to resolve (and route to) the DNS names the sensor requires to communicate:

Test-NetConnection -ComputerName ts01-b.cloudsink.net -DiagnoseRouting
Test-NetConnection -ComputerName lfodown01-b.cloudsink.net -DiagnoseRouting

Ensure the traffic is allowed outbound and that we don't get headers injected by a firewall/proxy:

curl -v https://ts01-b.cloudsink.net

When running the curl command above, we expect to see the following in the output:

HTTP/1.1 200 OK
Content-Length: 509
Content-Type: text/plain; charset=utf-8
Date: Mon, 24 Jun 2019 06:26:39 GMT

Hi tester "/"
Method: GET
Protocol: HTTP/1.1
Host: ts01-b.cloudsink.net
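The curl check above is only useful if you can tell the real "Hi tester" answer apart from something a proxy or firewall generated in its place. The following script is an added example (not part of the issue or of CrowdStrike's own tooling): it classifies a captured response as OK, INTERCEPTED (proxy-only headers present), BLOCKED (an HTTP answer that is not 200) or NO_RESPONSE (no status line at all). The header names it looks for are common proxy headers, not an exhaustive list, and all responses other than the 200 OK sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the issue: classify the response from the
# `curl -v https://ts01-b.cloudsink.net` check so a proxy- or firewall-
# generated answer is not mistaken for the expected "Hi tester" 200 OK.
# All samples except SAMPLE_OK are constructed; SAMPLE_OK mirrors the
# expected output quoted in the issue.

# classify_response RESPONSE_TEXT
# Prints one of: OK | INTERCEPTED | BLOCKED | NO_RESPONSE
classify_response() {
    # curl -v prefixes response headers with "< "; strip it so the function
    # accepts both raw captures and verbose curl output.
    resp=$(printf '%s\n' "$1" | sed 's/^< //')

    # No HTTP status line at all: TCP/TLS never completed (DNS failure,
    # dropped packets, or TLS interception the client rejected).
    if ! printf '%s\n' "$resp" | grep -q '^HTTP/[0-9.]* [0-9][0-9][0-9]'; then
        echo NO_RESPONSE
        return 0
    fi

    # Headers that only a proxy or inspection appliance adds on the return
    # path (assumed, commonly seen names; extend for your environment).
    if printf '%s\n' "$resp" | grep -qiE '^(Via|Proxy-Authenticate|Proxy-Agent|X-Cache|X-Squid-Error|X-BlueCoat-Via):'; then
        echo INTERCEPTED
        return 0
    fi

    status=$(printf '%s\n' "$resp" | grep -m1 '^HTTP/' | awk '{print $2}')
    if [ "$status" = "200" ]; then
        echo OK
    else
        echo BLOCKED
    fi
}

# Expected healthy answer, as quoted in the issue.
SAMPLE_OK=$(cat <<'EOF'
HTTP/1.1 200 OK
Content-Length: 509
Content-Type: text/plain; charset=utf-8
Date: Mon, 24 Jun 2019 06:26:39 GMT

Hi tester "/" Method: GET Protocol: HTTP/1.1 Host: ts01-b.cloudsink.net
EOF
)

# Constructed: an authenticating proxy answering instead of the cloud.
SAMPLE_PROXY_AUTH=$(cat <<'EOF'
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: Basic realm="corp-proxy"
Content-Length: 0
EOF
)

# Constructed: a 200 that came back through a transparent proxy.
SAMPLE_VIA=$(cat <<'EOF'
HTTP/1.1 200 OK
Via: 1.1 proxy.example.invalid
Content-Type: text/html

<html>Access policy page</html>
EOF
)

# Constructed: a firewall block page with no telltale proxy headers.
SAMPLE_BLOCKED=$(cat <<'EOF'
HTTP/1.1 403 Forbidden
Content-Type: text/html
EOF
)

# Constructed: nothing came back at all.
SAMPLE_EMPTY=""

# Stand-alone run: print the classification of each sample.
printf 'SAMPLE_OK         -> %s\n' "$(classify_response "$SAMPLE_OK")"
printf 'SAMPLE_PROXY_AUTH -> %s\n' "$(classify_response "$SAMPLE_PROXY_AUTH")"
printf 'SAMPLE_VIA        -> %s\n' "$(classify_response "$SAMPLE_VIA")"
printf 'SAMPLE_BLOCKED    -> %s\n' "$(classify_response "$SAMPLE_BLOCKED")"
printf 'SAMPLE_EMPTY      -> %s\n' "$(classify_response "$SAMPLE_EMPTY")"
```

Against a live host, capture the verbose output and feed it in: `classify_response "$(curl -sv https://ts01-b.cloudsink.net 2>&1)"`. A result other than OK means the sensor's traffic is being answered by something between the host and the cloud, which is the condition this check exists to surface.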

Check for active connections to the Falcon cloud:

netstat -f

The following output is displayed if the sensor can connect to the CrowdStrike cloud:

Active Connections

  Proto  Local Address       Foreign Address                                           State
  TCP    192.0.2.130:49790   ec2-54-219-145-181.us-west-1.compute.amazonaws.com:https  ESTABLISHED

In this example, ec2-54-219-145-181 indicates a connection to a specific IP address in the CrowdStrike cloud, 54.219.145.181.

macOS:

Verify that the Sensor is Running

sysctl cs

The output shows a list of details about the sensor, including its agent ID (AID), version, customer ID, and more.

Verify that Sensor Components Were Installed

Run the following to see a list of the kernel extensions installed with the CrowdStrike sensor:

kextstat | grep crowd

The output shows two kernel extensions, com.crowdstrike.platform and com.crowdstrike.sensor:

189 1 0xffffff7f8345b000 0x5000 0x5000 com.crowdstrike.platform (1.1) 450E6B1A-46C4-3B88-BEC4-147139B71E2C <7 5 4 3 2 1>
190 0 0xffffff7f8351e000 0xef000 0xef000 com.crowdstrike.sensor (53.03) F356DB5C-4044-3DD9-810E-0620678E4A20 <189 43 7 5 4 3 2 1>

Verify that the Sensor is Connected to the Cloud

sudo /Library/CS/falconctl stats

In the output, look for the Cloud Info section:

Cloud Info
    IP: ts01-b.cloudsink.net
    Port: 443
    State: connected
Cloud Activity
    Attempts: 1
    Connects: 1

Logs

The Falcon sensor disables logging by default. When enabled, logs are written to /var/log/system.log and contain the string CrowdStrike. Logs are kept according to the host's log rotation settings.

Enable Logging

sysctl cs.feature=3

Disable Logging

sysctl cs.feature=0

Expected Output

A normal startup log includes messages similar to these, in this order:

The sensor is starting.
The sensor is locating and initializing the config.
The sensor is checking communications (whether to use a proxy or not, and on which host/port).
The sensor is connecting and setting up SSL.
The sensor connected and is sending its first message to the CrowdStrike cloud.
The sensor received a response from the cloud.
All startup tasks are complete.

Linux:

Verify that the Sensor is Running

ps -e | grep -e falcon-sensor

Check that the Falcon sensor's kernel modules are loaded:

lsmod | grep falcon

Check the Falcon sensor's configurable options:

sudo /opt/CrowdStrike/falconctl -g

Optional parameters:

--aid: the sensor's agent ID
--cid: your Customer ID
--apd: the sensor's proxy status (enabled or disabled)
--aph: the sensor's proxy host
--app: the sensor's proxy port

Verify the Sensor Files on Disk

sudo ls -al /opt/CrowdStrike

/opt/CrowdStrike/falcon-sensor should be a symlink to either:

the original sensor installation at /opt/CrowdStrike/falcon-sensor
a sensor update package with a release build number, such as /opt/CrowdStrike/falcon-sensor3000

Verify that the Sensor is Connected to the Cloud

sudo netstat -tapn | grep falcon

If the Falcon sensor is communicating with the cloud, you'll see something similar to:

tcp 0 0 192.0.2.176:35382 ec2-54-148-96-12:443 ESTABLISHED 3228/falcon-sensor
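Both the macOS `falconctl stats` "Cloud Info" block and the Linux `netstat -tapn | grep falcon` line above are things an admin reads by eye; on a fleet you want the same verdict from a script. The block below is an added example (not part of the issue or of CrowdStrike's tooling) that parses both formats: `cloud_state_from_stats` pulls the State value out of the Cloud Info section, and `falcon_cloud_peer` reports the remote endpoint only for an ESTABLISHED falcon-sensor socket on port 443, ignoring half-open (SYN_SENT) attempts and other processes. It assumes the stats output keeps section names unindented and fields indented, as quoted above; the "disconnected" and "stuck" samples are constructed.

```shell
#!/bin/sh
# Added example, not part of the issue: parse the two "is the sensor talking
# to the cloud?" outputs (macOS `sudo /Library/CS/falconctl stats` and Linux
# `sudo netstat -tapn | grep falcon`) so the check can run unattended.
# The healthy samples mirror what the issue quotes; the unhealthy ones are
# constructed for illustration.

# cloud_state_from_stats STATS_TEXT
# Prints the State value from the "Cloud Info" section (assumed layout:
# section name unindented, fields indented beneath it).
cloud_state_from_stats() {
    printf '%s\n' "$1" | awk '
        /^Cloud Info/     { sec = 1; next }   # enter the section we care about
        /^[^[:space:]]/   { sec = 0 }         # any other unindented line ends it
        sec && /State:/   { print $2; exit }
    '
}

# falcon_cloud_peer NETSTAT_TEXT
# Prints the remote endpoint of an ESTABLISHED falcon-sensor connection to
# port 443, or nothing if there is none. SYN_SENT sockets (handshake never
# answered), other processes and non-443 sockets are deliberately ignored.
falcon_cloud_peer() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $5 ~ /:443$/ && $6 == "ESTABLISHED" && $7 ~ /falcon-sensor$/ { print $5; exit }
    '
}

# sensor_cloud_ok PLATFORM TEXT
# Prints "connected" or "not connected" using the parser for that platform.
sensor_cloud_ok() {
    case "$1" in
        macos) [ "$(cloud_state_from_stats "$2")" = "connected" ] && echo connected || echo "not connected" ;;
        linux) [ -n "$(falcon_cloud_peer "$2")" ] && echo connected || echo "not connected" ;;
        *)     echo "unknown platform: $1" >&2; return 2 ;;
    esac
}

# As quoted in the issue for a healthy macOS sensor.
STATS_CONNECTED=$(cat <<'EOF'
Cloud Info
    IP: ts01-b.cloudsink.net
    Port: 443
    State: connected
Cloud Activity
    Attempts: 1
    Connects: 1
EOF
)

# Constructed: sensor keeps retrying and has never reached the cloud.
STATS_DISCONNECTED=$(cat <<'EOF'
Cloud Info
    IP: ts01-b.cloudsink.net
    Port: 443
    State: disconnected
Cloud Activity
    Attempts: 12
    Connects: 0
EOF
)

# As quoted in the issue for a healthy Linux sensor.
NETSTAT_CONNECTED=$(cat <<'EOF'
tcp        0      0 192.0.2.176:35382       ec2-54-148-96-12:443    ESTABLISHED 3228/falcon-sensor
EOF
)

# Constructed: handshake stuck in SYN_SENT, plus an unrelated 443 connection
# from another process that must not count as the sensor being connected.
NETSTAT_STUCK=$(cat <<'EOF'
tcp        0      1 192.0.2.176:35390       ec2-54-148-96-12:443    SYN_SENT    3228/falcon-sensor
tcp        0      0 192.0.2.176:41200       203.0.113.10:443        ESTABLISHED 1412/curl
EOF
)

# Stand-alone run: show the verdict for each sample.
printf 'macOS connected sample    -> %s\n' "$(sensor_cloud_ok macos "$STATS_CONNECTED")"
printf 'macOS disconnected sample -> %s\n' "$(sensor_cloud_ok macos "$STATS_DISCONNECTED")"
printf 'Linux connected sample    -> %s (peer %s)\n' "$(sensor_cloud_ok linux "$NETSTAT_CONNECTED")" "$(falcon_cloud_peer "$NETSTAT_CONNECTED")"
printf 'Linux stuck sample        -> %s\n' "$(sensor_cloud_ok linux "$NETSTAT_STUCK")"
```

On a live host the same functions take real output, e.g. `sensor_cloud_ok linux "$(sudo netstat -tapn)"` or `sensor_cloud_ok macos "$(sudo /Library/CS/falconctl stats)"`. Matching on the process name and on ESTABLISHED rather than on any line containing "falcon" is the point: a sensor stuck in SYN_SENT still shows up in `grep falcon` output but is not connected.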

Logs

grep falcon /var/log/messages | tail -n 100
