CrowdStrike / falcon-scripts

Scripts to streamline the deployment and use of the CrowdStrike Falcon sensor
The Unlicense

/var/run/falcond.pid not found #332

Closed MrAtheist closed 6 days ago

MrAtheist commented 1 week ago

Hello,

I'm trying to install the falcon sensor into amzn2 ec2 as follows... but for some reason /var/run/falcond.pid doesn't exist when I try to initialize falcond. Anyone know why it works on some ec2 and not this one...?

$> sudo su
$> yum install -y /tmp/falcon-sensor.amzn2.x86_64.rpm
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Examining /tmp/falcon-sensor.amzn2.x86_64.rpm: falcon-sensor-7.16.0-16903.amzn2.x86_64
Marking /tmp/falcon-sensor.amzn2.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package falcon-sensor.x86_64 0:7.16.0-16903.amzn2 will be installed
--> Finished Dependency Resolution
https://rpm.releases.hashicorp.com/RHEL/2/x86_64/stable/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.

Dependencies Resolved

=====================================================================================================================================================================
 Package                             Arch                         Version                                    Repository                                         Size
=====================================================================================================================================================================
Installing:
 falcon-sensor                       x86_64                       7.16.0-16903.amzn2                         /falcon-sensor.amzn2.x86_64                        80 M

Transaction Summary
=====================================================================================================================================================================
Install  1 Package

Total size: 80 M
Installed size: 80 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : falcon-sensor-7.16.0-16903.amzn2.x86_64                                                                                                           1/1
Created symlink from /etc/systemd/system/multi-user.target.wants/falcon-sensor.service to /usr/lib/systemd/system/falcon-sensor.service.
  Verifying  : falcon-sensor-7.16.0-16903.amzn2.x86_64                                                                                                           1/1

Installed:
  falcon-sensor.x86_64 0:7.16.0-16903.amzn2

Complete!

====================================================================

$> /opt/CrowdStrike/falconctl -f -s --cid=1234567890
$> systemctl restart falcon-sensor.service
$> tail -f /var/log/message

Jun 28 18:11:48 foo.bar.com systemd[1]: Starting CrowdStrike Falcon Sensor...
Jun 28 18:11:48 foo.bar.com falconctl[21484]: cid="1234567890".
Jun 28 18:11:48 foo.bar.com falcond[21488]: starting
Jun 28 18:11:48 foo.bar.com systemd[1]: Can't open PID file /var/run/falcond.pid (yet?) after start: No such file or directory
Jun 28 18:11:48 foo.bar.com falcond[21489]: Running /opt/CrowdStrike/falcon-sensor
Jun 28 18:11:48 foo.bar.com falcon-sensor[21489]: No traceLevel set via falconctl defaulting to none
Jun 28 18:11:48 foo.bar.com falcon-sensor[21489]: LogLevelUpdate: none = trace level 0.
Jun 28 18:11:48 foo.bar.com falcond[21488]: falcon-sensor[21489] exited with status 1
...
Jun 28 18:11:48 foo.bar.com systemd[1]: falcon-sensor.service: main process exited, code=exited, status=1/FAILURE
Jun 28 18:11:48 foo.bar.com systemd[1]: Unit falcon-sensor.service entered failed state.
Jun 28 18:11:48 foo.bar.com systemd[1]: falcon-sensor.service failed.

EC2 uname = uname -a Linux foo.bar.com 5.10.186-179.751.amzn2.x86_64 #1 SMP Tue Aug 1 20:51:38 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Relates to https://stackoverflow.com/q/54497125
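As an added example (not part of this issue and not code from the falcon-scripts project), a small Python parser that runs over the syslog excerpt above and classifies the start attempt: it records systemd's transient PID-file notice separately from the signals that actually mark the failure, namely the supervised falcon-sensor child exiting with a non-zero status and the unit entering the failed state. The sample log is constructed from the lines quoted in the issue, and the function names are assumptions.

```python
import re

# Constructed sample, modelled on the /var/log/messages excerpt quoted in the issue.
SAMPLE_LOG = """\
Jun 28 18:11:48 foo.bar.com systemd[1]: Starting CrowdStrike Falcon Sensor...
Jun 28 18:11:48 foo.bar.com falconctl[21484]: cid="1234567890".
Jun 28 18:11:48 foo.bar.com falcond[21488]: starting
Jun 28 18:11:48 foo.bar.com systemd[1]: Can't open PID file /var/run/falcond.pid (yet?) after start: No such file or directory
Jun 28 18:11:48 foo.bar.com falcond[21489]: Running /opt/CrowdStrike/falcon-sensor
Jun 28 18:11:48 foo.bar.com falcon-sensor[21489]: No traceLevel set via falconctl defaulting to none
Jun 28 18:11:48 foo.bar.com falcond[21488]: falcon-sensor[21489] exited with status 1
Jun 28 18:11:48 foo.bar.com systemd[1]: falcon-sensor.service: main process exited, code=exited, status=1/FAILURE
Jun 28 18:11:48 foo.bar.com systemd[1]: Unit falcon-sensor.service entered failed state.
"""

# Classic syslog layout: "<Mon dd HH:MM:SS> <host> <program>[<pid>]: <message>".
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
                       r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# falcond reports on the child it supervises: "falcon-sensor[<pid>] exited with status <n>".
EXIT_RE = re.compile(r"falcon-sensor\[(?P<pid>\d+)\] exited with status (?P<status>\d+)")


def parse_line(line):
    """Split one syslog line into fields; None for lines that do not fit (blank, '...')."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_start(lines):
    """Walk the lines of one start attempt and report what happened to the sensor."""
    s = {"start_seen": False, "pidfile_missing": False, "sensor_pid": None,
         "sensor_exit_status": None, "unit_failed": False}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        prog, msg = rec["prog"], rec["msg"]
        if prog == "systemd":
            if msg.startswith("Starting CrowdStrike Falcon Sensor"):
                s["start_seen"] = True
            elif "Can't open PID file /var/run/falcond.pid" in msg:
                s["pidfile_missing"] = True   # transient notice, not by itself a failure
            elif "falcon-sensor.service" in msg and "entered failed state" in msg:
                s["unit_failed"] = True
        elif prog == "falcond":
            m = EXIT_RE.search(msg)
            if m:  # the supervised falcon-sensor child exited
                s["sensor_pid"] = int(m.group("pid"))
                s["sensor_exit_status"] = int(m.group("status"))
    # Healthy means the unit started and neither the child died with an error nor the unit failed.
    s["healthy"] = s["start_seen"] and s["sensor_exit_status"] in (None, 0) and not s["unit_failed"]
    return s
```

The same function can be fed the lines of `journalctl -u falcon-sensor` or the tail of /var/log/messages after a restart; when `healthy` is False and `sensor_exit_status` is set, the child's exit is the thing to investigate, not the PID-file notice.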

carlosmmatos commented 6 days ago

@MrAtheist - if you don't have any issues associated with one of the scripts in this project, please open up a support case with CRWD to help you troubleshoot this as this is outside our scope.

I'm going to close this for now since it's out of scope, but if you do have issues with the scripts in the future, please open a new issue.