Troubleshoot Cyware Agent Errors
This section is useful after a Cyware Agent installation to help analysts troubleshoot the related errors.
Ensure that the Docker service is running on the instance. Run the following command to check its status:
sudo systemctl status docker
If the Docker service is not running, use the following command to start the Docker service.
sudo systemctl enable docker sudo systemctl start docker
If you encounter any permission-related errors while accessing Docker containers, then run the following command, which will grant :
sudo chmod 777 /var/run/docker.sock
You can use the commands provided in this section to verify the permissions for the Cyware Agent mount directory. The permissions are required for users to create new agents and upgrade agents in a specific mount directory.
Check the User ID of the Agent Mount Directory
The user ID (UID) associated with the Cyware Agent mount directory must match with the PUID value used during agent installation to allow the agent to make changes to the directory. To check the user ID of the agent mount directory, use the following command. Replace <path_to_agent_mount_directory> with the actual directory path.
stat -c '%u' <path_to_agent_mount_directory>
For example, stat -c '%u' /apps/cyware/new/prod_agent
If the user ID is configured correctly, the command returns the same UID specified during installation, indicating that the Cyware Agent has the required permissions for the mount directory.
Check the Group ID of the Agent Mount Directory
The group ID (GID) associated with the Cyware Agent mount directory must match with the PGID value used during agent installation. To check the group ID of the agent mount directory, use the following command. Replace <path_to_agent_mount_directory> with the actual directory path.
stat -c '%g' <path_to_agent_mount_directory>
For example, stat -c '%g' /apps/cyware/new/prod_agent
If the group ID is configured correctly, the command returns the same GID specified during installation, indicating that the Cyware Agent has the required permissions for the mount directory.
Provide Permissions for Specific Mount Directory
To update permissions for the Cyware Agent mount directory, run the following command in your Cyware Agent directory. Replace <path_to_agent_mount_directory> with the actual directory path.
chown -R <PUID:PGID> <path_to_agent_mount_directory>
For example, chown -R 1000:1000 /apps/cyware/new/prod_agent
You can verify if the Cyware Agent instance can connect to Orchestrate by checking the logs in the /apps/logs folder $MOUNT_DIRECTORY. For example, /apps/cyware/cyware_agent/apps/logs/application.log and /apps/cyware/cyware_agent/apps/logs/error.log.
The $MOUNT_DIRECTORY can be different for every event installation. In the above example, MOUNT_DIRECTORY=/apps/cyware/cyware_agent
Steps to verify the connection
To verify connectivity between the Cyware Agent and Orchestrate, follow these steps.
Run
tail -f $MOUNT_DIRECTORY/apps/logs/application.logto check the application logs.You will see a response as shown below.
2024-02-29 14:00:57,321 INFO TR-ID: MSG: Validating and Checking connectivity with https://cy.example.com/soarapi/openapi/ TRACEBACK: 2024-02-29 14:00:57,321 [INFO] app_log: Validating and Checking connectivity with https://cy.example.com/soarapi/openapi/ 2024-02-29 14:00:57,365 [DEBUG] urllib3.connectionpool: Starting new HTTPS connection (1): cy.cyware.com:443 2024-02-29 14:00:58,382 [DEBUG] urllib3.connectionpool: https://cy.cyware.com:443 "GET /soarapi/openapi/v1/test_connectivity/ 2024-02-29 14:00:58,411 INFO TR-ID: MSG: Api https://cy.cyware.com/soarapi/openapi/v1/test_connectivity/ GET - status_code: 200 TRACEBACK: 2024-02-29 14:00:58,411 [INFO] app_log: Api https://cy.cyware.com/soarapi/openapi/v1/test_connectivity/ GET - status_code: 200 2024-02-29 14:00:58,417 INFO TR-ID: MSG: Connection established! TRACEBACK: 2024-02-29 14:00:58,417 [INFO] app_log: Connection established!
You can look for
Connection EstablishedorPUT - status_code: 200to confirm the connectivity.Connection established! OR (ignore [...] below.. you want to look at the end of the line) app_log: Api https://[...]/orchestrate/abxd234-c4d5-4a3f-bb77-akdhbfiweb/ PUT - status_code: 200
The following are the common errors that analysts can encounter with Cyware Agent and their corresponding troubleshooting steps. These common errors can be found in the application.log or error.log files. For more information on the default location of application.log and error.log files, see Default Directories.
Connection Error or Timeout Error
These errors denote the connectivity issue of Cyware Agent with Orchestrate instance or the apps that are hosted on-premise.
To validate these errors on the Orchestrate platform:
Navigate to Admin Panel > Cyware Agent.
Select a required Cyware Agent and check the Polling Frequency.
Check for Cyware Agent failure email notifications. Only users configured in Notification Management > Agent Connection Error receive these notifications.
Example Cause:
Incorrect configuration of proxy settings in the .env file
The open API to access the Orchestrate instance has expired.
Resolution:
Configure the proxy settings in the .env file. The default location of the .env file is /path/to/mount_directory/conf/.env.
Update the expiry date of the Open API used to access the Orchestrate instance. To update the expiry date of Open API, see Troubleshoot Cyware Agent Errors on Playbook.
Not able to import packages for appname_ appversion (Example: virus_total_1_0_0)
This error occurs when Cyware Agent is unable to connect to Cyware's PyPI repository (https://packages.cyware.com/repository/pypi-group/simple/) that hosts all the required Python modules.
Cause:
Incorrect value of PIP_PACKAGE_DOWNLOAD_PATH in the .env file.
Connectivity failure to access the value of PIP_PACKAGE_DOWNLOAD_PATH in the .env file.
Resolution:
Execute the following command that validates the connectivity of Cyware Agent with the value of PIP_PACKAGE_DOWNLOAD_PATH defined in the .env file.
curl <PIP_PACKAGE_DOWNLOAD_PATH>
Note
The default value of PIP_PACKAGE_DOWNLOAD_PATH is https://packages.cyware.com/repository/pypi-group/simple/.
This section describes the troubleshooting commands that analysts can use to troubleshoot Cyware Agent-related issues.
To verify that the Cyware Agent is running, execute the following command. The output displays a list of active Docker containers. Ensure the Cyware Agent container appears in the output.
docker ps
To manually poll the Cyware Agent for troubleshooting, execute the following command:
docker exec -it cyware_agent python /app/cyware_agent/lite_agent.py
If a Cyware Agent–compatible playbook node encounters an agent-specific error, the playbook execution also fails. These errors may occur due to incorrect node configurations or network connectivity issues during playbook creation or runtime. It is important to analyze and fix these errors.
Cyware Agent-related errors can occur in two situations:
Test Instance Connectivity: Errors encountered while configuring an instance and testing its connectivity in a playbook node that is compatible with Cyware Agent
Playbook execution: View errors related to Cyware Agent during playbook execution in Run Logs.
Before you Start
Ensure that you have permission to View Cyware Agent Configuration, Create/Update Cyware Agent Configuration, View Cyware Agent Tasks, Create/Update Cyware Agent Tasks, and View Run Logs. For more information about the required permissions to view Cyware Agent and run logs, contact your Administrator.