CrowdStrike / ansible_collection_falcon

Comprehensive toolkit for streamlining your interactions with the CrowdStrike Falcon platform.
https://galaxy.ansible.com/ui/repo/published/crowdstrike/falcon/
GNU General Public License v3.0

ERROR: /opt/CrowdStrike/falconctl: unrecognized option '--message-log=True' #476

Closed bufanda closed 5 months ago

bufanda commented 5 months ago

When using version 4.2.2 of the collection and trying to install and configure falcon 7.11.0-16405 on RHEL9 the ansible run stops with the error message

ERROR: /opt/CrowdStrike/falconctl: unrecognized option '--message-log=True'

Also setting falcon_message_log: "{{ None }}" explicitly for RHEL9 systems doesn't work. We are also running some RHEL8 systems but with falcon 6.34 instead of 7.11 and running the same playbook works on the RHEL 8 combination.

carlosmmatos commented 5 months ago

@bufanda - --message-log was removed from the sensor starting on version 7.11. We have to keep it around due to supporting older versions. There will also be some additional parameters that will be added that have since been added with 7.11+.

I would do something like this:

falcon_message_log: "{{ 'true' if (< RHEL 8 or some condition you define >) else None }}"

Another option would be to use group vars. Define a group for your 7.11+ hosts and a group for < 7.11 (however you want to do this). Then you only need to define falcon_message_log: 'true' for the <7.11 group.

bufanda commented 5 months ago

I have tried to set falcon_message_log: "{{ None}}" but it just failed with

ERROR: /opt/CrowdStrike/falconctl: unrecognized option '--message-log='

just missing the True. After setting falcon_message_log: without anything it worked and the task fell on the omit of the option to not add it.

carlosmmatos commented 5 months ago

Right.. this is not how you set none: falcon_message_log: "{{ None}}"

The role already defines the variable as empty which will translate as None. So your second method is correct, outside of the fact that it's already defined so you really don't even have to provide it if you are not going to use the option.

carlosmmatos commented 5 months ago

message_log: "{{ falcon_message_log if (falcon_message_log != None) else omit }}"

As I'm remembering now - there was some oddity in the way Ansible was handling None or empty vars. The above conditional was accounting for either you weren't specifying an option, or you were. I don't think we tested trying to set it explicitly to None the way you have it.

bufanda commented 5 months ago

> Right.. this is not how you set none: falcon_message_log: "{{ None}}"
>
> The role already defines the variable as empty which will translate as None. So your second method is correct, outside of the fact that it's already defined so you really don't even have to provide it if you are not going to use the option.

Thing is we defined it in all and I wasn't up to change the structure of our inventory atm for the one host we install the 7.11 version. But I will take it into consideration going forward with upgrading falcon on our infrastructure. Thanks for your help.

carlosmmatos commented 5 months ago

No worries - unfortunately there is no real clean way to handle this on our side and eventually it would become irrelevant once < 7.11 is no longer supported. Appreciate you opening up the issue. I'm going to leave it open for a while since I have a feeling more users will run into the same issue.
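The group-based layout discussed in this thread, written out as an added example (not part of the thread and not the collection's own code). It keeps the site-wide `falcon_message_log` in `all` and overrides it with an empty value for 7.11+ hosts; the host names, group names and file names are hypothetical, and the guard task is an assumption about how a site might check the override before the role runs.

```yaml
# inventory.yml (constructed example; hosts and groups are hypothetical)
all:
  vars:
    # Existing site-wide setting. Only valid for sensors older than 7.11,
    # where falconctl still accepts --message-log.
    falcon_message_log: "true"
  children:
    falcon_pre_7_11:
      hosts:
        rhel8-app01.example.internal:
    falcon_7_11_plus:
      hosts:
        rhel9-app01.example.internal:
      vars:
        # Empty value is YAML null, so the role's
        # "falcon_message_log != None ... else omit" check drops the option.
        # Writing "{{ None }}" instead reached falconctl as
        # '--message-log=' in this thread.
        falcon_message_log:
---
# precheck.yml (constructed example): run before the configure role
- name: Guard against passing the removed option to 7.11+ sensors
  hosts: falcon_7_11_plus
  gather_facts: false
  tasks:
    - name: falcon_message_log must be empty for this group
      ansible.builtin.assert:
        that:
          - falcon_message_log is none
        fail_msg: >-
          falcon_message_log is set for a 7.11+ host; falconctl will reject
          --message-log. Leave the variable empty for this group.
```

Child-group variables take precedence over `all`, so the empty value wins for hosts in `falcon_7_11_plus` without restructuring the rest of the inventory.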