CrowdStrike / falcon-orchestrator

CrowdStrike Falcon Orchestrator provides automated workflow and response capabilities
GNU Affero General Public License v3.0
Falcon Orchestrator Client Service - Dying after startup #34

Closed cloudjumper2000 closed 7 years ago

cloudjumper2000 commented 7 years ago

My team noticed we were not receiving alerts via email. Found out the Falcon Orchestrator Client service terminated unexpectedly. Event ID: 7031

Looking in C:\Program Files (x86)\Falcon Orchestrator\RunLog.txt, we see several of these errors:

2017-06-02 10:51:22,331 FATAL FalconOrchestrator.Client.EventModel - [21145] Error occured while trying to save authentication activity audit event to database
System.ArgumentOutOfRangeException: Value to add was out of range.
Parameter name: value
   at System.DateTime.Add(Double value, Int32 scale)
   at FalconOrchestrator.Client.AuditEvent.get_FormattedTimestamp()
   at FalconOrchestrator.Client.AuthActivityAuditModel.Save()

Could you provide assistance with how to resolve this or what we can check next to provide more info?

Thanks! FJ

PS: Is Slack not an option for support? Seems I need a CrowdStrike email to create an account for https://falcon-orchestrator.slack.com/

mr-burnse commented 7 years ago

Hey FJ - You don't need a CS domain to join Slack, just sign up through here https://falcon-orchestrator.herokuapp.com/. As for the issue being reported, please see below:

This issue just surfaced this week as the UTCTimestamp field on events of type AuthActivityAuditEvent is being pushed through the API with two types of Unix epoch formatted timestamps: one with milliseconds and one without. Orchestrator is expecting a certain format and is crashing because of this. I will look to provide a bug fix for this early next week.
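Added example, not part of the thread and not the project's published fix: one way a C# consumer can accept both forms of epoch timestamp described in the comment above and reject unusable values without throwing. `EpochNormalizer`, the 1e11 cut-off and the sample values are assumptions made for this illustration.

```csharp
using System;
using System.Globalization;

// Added example, not Falcon Orchestrator code; EpochNormalizer is a hypothetical name.
public static class EpochNormalizer
{
    private static readonly DateTime UnixEpoch =
        new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Assumption: a value of 1e11 or more is in milliseconds. As seconds that is
    // year 5138, as milliseconds it is March 1973, so current events never collide.
    private const long MillisecondThreshold = 100000000000L;

    // Largest millisecond offset from the epoch that DateTime can still represent.
    private static readonly long MaxMilliseconds =
        (long)(DateTime.MaxValue - UnixEpoch).TotalMilliseconds;

    // Returns false instead of throwing, so one bad event cannot stop the service.
    public static bool TryToUtc(string raw, out DateTime utc)
    {
        utc = UnixEpoch;
        long value;
        // NumberStyles.None accepts digits only: no sign, whitespace or exponent.
        if (!long.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out value))
            return false;

        long ms;
        if (value >= MillisecondThreshold) ms = value;
        else ms = value * 1000L;
        if (ms > MaxMilliseconds) return false;

        utc = UnixEpoch.AddMilliseconds(ms);
        return true;
    }

    public static void Main()
    {
        // Constructed sample values, not taken from the Falcon API.
        string[] samples = { "1496400682", "1496400682331", "", "99999999999999999" };
        foreach (string s in samples)
        {
            DateTime utc;
            Console.WriteLine(TryToUtc(s, out utc)
                ? s + " -> " + utc.ToString("o")
                : "'" + s + "' rejected, event should be logged and skipped");
        }
    }
}
```

Passing a millisecond value to `DateTime.AddSeconds` raises the same `ArgumentOutOfRangeException` from `DateTime.Add(Double value, Int32 scale)` that appears in the log above, which is why the unit is decided before the conversion.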

cloudjumper2000 commented 7 years ago

Thanks for the response and I was able to join Slack. Please do let us know when a fix is available for the previously mentioned issue.

mr-burnse commented 7 years ago

Fix has been published here. Please follow implementation steps to apply it.

cloudjumper2000 commented 7 years ago

So we have replaced the EXE but receive this error when trying to start the service:

Service cannot be started. System.InvalidOperationException: No connection string named '**FalconOrchestratorDB**' could be found in the application config file.
   at System.Data.Entity.Internal.LazyInternalConnection.Initialize()
   at System.Data.Entity.Internal.LazyInternalConnection.get_Connection()
   at System.Data.Entity.Internal.LazyInternalContext.get_Connection()
   at FalconOrchestrator.DAL.DatabaseHelpers.TestConnection()
   at FalconOrchestrator.Client.FalconOrchestratorService.OnStart(String[] args)
   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

I do see this line in the web.config:

<connectionStrings>
  <add name="**FalconOrchestratorDB**" connectionString="metadata=res://*/FalconOrchestratorDB.csdl|res://*/FalconOrchestratorDB.ssdl|res://*/FalconOrchestratorDB.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=*********;initial catalog=FalconOrchestrator;user id=********;password=********;MultipleActiveResultSets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient"/>
</connectionStrings>

Any ideas?

mr-burnse commented 7 years ago

Web.config is only used by the web application. Can you check the connection string is there in the client service configuration file? This is located at C:\Program Files (x86)\Falcon Orchestrator\FalconOrchestrator.Client.exe.config.

cloudjumper2000 commented 7 years ago

The connection string is there in the above location as well. Any other ideas?

mr-burnse commented 7 years ago

Resolved as per discussion on Slack.