Closed dlkeeling closed 7 years ago
Have you started the client service? Anything revealing in the log file? https://github.com/CrowdStrike/falcon-orchestrator/wiki/Installation-&-Deployment#starting-the-service.
This error is in the log
2017-09-05 14:51:24,895 FATAL FalconOrchestrator.Client.EventModel - [0] Error occured while trying to save authentication activity audit event to database System.ArgumentOutOfRangeException: Value to add was out of range. Parameter name: value at System.DateTime.Add(Double value, Int32 scale) at FalconOrchestrator.Client.AuditEvent.get_FormattedTimestamp() at FalconOrchestrator.Client.AuthActivityAuditModel.Save()
There's a patch that was released for this, try applying it and restarting the service. https://github.com/CrowdStrike/falcon-orchestrator/releases.
I have applied the patch but am still receiving the same error.
Try enabling debug logging and the API logging (steps here https://github.com/CrowdStrike/falcon-orchestrator/wiki/Installation-&-Deployment#troubleshooting-the-service). This will output the actual event Orchestrator is trying to process from the streaming API.
If you could then paste the event from the API log here (remove any sensitive information), I'll take a look. Also double check that you replaced the older FalconOrchestrator.Client.exe file with the one provided in the patch. You'll need to overwrite it, otherwise it would not be applied.
I enabled Debug, the error changed slghtly.
2017-09-06 08:34:41,900 DEBUG FalconOrchestrator.Client.FalconOrchestratorService - Connection to database is successful, starting service 2017-09-06 08:34:45,150 FATAL FalconOrchestrator.Client.EventModel - [0] Error occured while trying to save authentication activity audit event to database System.ArgumentOutOfRangeException: Value to add was out of range. Parameter name: value at System.DateTime.Add(Double value, Int32 scale) at FalconOrchestrator.Client.AuditEvent.get_FormattedTimestamp() at FalconOrchestrator.Client.AuthActivityAuditModel.Save()
The exe has resolved the issue. Thank you.
Glad to hear it! No problem. Closing this ticket out.
The Dashboard and notifications are blank. I have configured the UUID and Key but I do not see orcestrator even attempting to communicate with Crowdstrike. I know the UUID and Key work because our SIEM is actively using it. I see the SIEM communication in the firewall but nothing from Orchestrator.