Closed bufanda closed 5 months ago
@bufanda - --message-log was removed from the sensor starting on version 7.11. We have to keep it around due to supporting older versions. There will also be some additional parameters that will be added that have since been added with 7.11+.
I would do something like this:
falcon_message_log: "{{ 'true' if (< RHEL 8 or some condition you define >) else None }}"
Another option would be to use group vars. Define a group for your 7.11+ hosts and a group for < 7.11 (however you want to do this). Then you only need to define falcon_message_log: 'true' for the <7.11 group.
I have tried to set falcon_message_log: "{{ None}}" but it just failed with
ERROR: /opt/CrowdStrike/falconctl: unrecognized option '--message-log='
just missing the True. After setting falcon_message_log: without anything it worked and the task fell on the omit of the option to not add it.
Right.. this is not how you set none:
falcon_message_log: "{{ None}}"
The role already defines the variable as empty which will translate as None. So your second method is correct, outside of the fact that it's already defined so you really don't even have to provide it if you are not going to use the option.
message_log: "{{ falcon_message_log if (falcon_message_log != None) else omit }}"
As I'm remembering now - there was some oddity in the way Ansible was handling None or empty vars. The above conditional was accounting for either you weren't specifying an option, or you were. I don't think we tested trying to set it explicitly to None the way you have it.
Right.. this is not how you set none:
falcon_message_log: "{{ None}}"
The role already defines the variable as empty which will translate as None. So your second method is correct, outside of the fact that it's already defined so you really don't even have to provide it if you are not going to use the option.
Thing is we defined it in all and I wasn't up to change the structure of our inventory atm for the one host we install the 7.11 version. But I will take it in consideration in going forward with upgrading falcon on our infrastructure. Thanks for your help.
No worries - unfortunately there is no real clean way to handle this on our side and eventually it would become irrelevant once < 7.11 is no longer supported. Appreciate you opening up the issue. I'm going to leave it open for a while since I have a feeling more users will run into the same issue.
When using version 4.2.2 of the collection and trying to install and configure falcon 7.11.0-16405 on RHEL9 the ansible run stops with the error message
also setting falcon_message_log: "{{ None }}" explicitly for RHEL9 systems doesn't work. We are also running some RHEL8 systems but with falcon 6.34 instead of 7.11, and running the same playbook works on the RHEL 8 combination.
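An added example, not code from the collection or from anyone in this thread: one inventory layout for the group-vars approach suggested above, followed by the omit condition quoted in the thread beside a truthiness-based alternative. The group names, host names and the task itself are assumptions made for illustration.

```yaml
# --- inventory.yml (constructed; group and host names are hypothetical) ---
all:
  children:
    falcon_legacy:          # sensors older than 7.11, --message-log still accepted
      hosts:
        rhel8-app01.example.com:
    falcon_current:         # sensors 7.11 and later, option removed
      hosts:
        rhel9-app01.example.com:
---
# --- group_vars/falcon_legacy.yml ---
falcon_message_log: 'true'
---
# --- group_vars/falcon_current.yml ---
# Empty value (YAML null). This is the form the reporter found to work, and
# as a child-group var it overrides a value set in group_vars/all.
# Do not write "{{ None }}" here: per the thread that ended up on the
# command line as an empty --message-log= argument.
falcon_message_log:
---
# --- task fragment (illustrative, not the role's own task) ---
# Condition quoted in the thread, which only omits a real None:
#   message_log: "{{ falcon_message_log if (falcon_message_log != None) else omit }}"
# Alternative below: default(omit, true) omits the option for None,
# undefined and the empty string alike.
- name: Apply sensor options, skipping message_log when it has no value
  crowdstrike.falcon.falconctl:
    state: present
    message_log: "{{ falcon_message_log | default(omit, true) }}"
```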