NDR: Sensor Troubleshooting

Description

If a sensor is online but not receiving logs from expected device(s), follow the below steps for troubleshooting.

Verify that the sensor is online in the Data Processor (DP):
1. Browse to System > Collection > Sensors and click on the sensor in question.
2. Verify that it is online, and all services are running:
Ensure that the specific port for the firewall sending it’s logs is open to the sensor: NDR: Syslog Port Index.
Ensure the required ports are open and that the required URLs are not blocked in the firewall upstream of the virtual sensor: NDR: Virtual Sensor Requirements

Verifying that a sensor is receiving logs can be done by following the steps outlined in: NDR: Frequently Asked Questions (FAQs)
You can also log in directly to a sensor and run the following command to see real time logs coming into the sensor:
- !tcpdump -i eth0 port <syslog port> -A

The below sections details how to troubleshoot a sensor that is showing offline.

To troubleshoot virtual sensors, please verify the following:

Is the Sensor VM powered on?
Can the sensor get to the internet? To verify this:
1. SSH to or open the virtual console to the Sensor’s VM.
2. Login with the username aella and the password that you set when you deployed the sensor.
  1. run the command !ping http://google.com
  2. If you see replies, then the sensor has internet access.
  3. If you see failures, you will need to troubleshoot why the sensor/VM does not have internet access and resolve before continuing.
Is the SIEM DP reachable by the sensor? To verify this:
1. SSH to or open the virtual console to the Sensor’s VM.
2. Login with the username aella and the password that you set when you deployed the sensor.
3. Run the command show cm
4. If you see up or established, then the sensor is successfully connected to the SIEM DP.
5. If you see down, then the sensor is not able to communicate to the SIEM DP. Procedure to the next step to verify firewall ports.
Ensure the required ports are open and that the required URLs are not blocked in the firewall upstream of the virtual sensor: NDR: Virtual Sensor Requirements

If you would like us to take a look or confirm that the sensor is back online, please open a ticket by visiting the MSS Ticket Portal.
When asked to select a product, select Network Security, and then NDR Support.

To troubleshoot windows server sensors, please verify the following:

Is the server powered on?
Can the server get to the internet?
Is the Stellar Agent service running?
1. Open the Services app.
2. Look for Windows Agent Sensor Ctrl.
3. If it is not running, start it.
4. If it will not start, reboot the server and try again.
Is the SIEM DP reachable by the sensor?
1. Open the Windows Agent Sensor CLI program (requires admin access).
2. Run the command show cm
  1. If you see up or established, then the sensor is successfully connected to the SIEM DP.
  2. If you see down, then the sensor is not able to communicate to the SIEM DP. Procedure to the next step to verify firewall ports.
Ensure the required ports are open in the firewall upstream of the virtual sensor: NDR: Virtual Sensor Requirements

If you would like us to take a look or confirm that the sensor is back online, please open a ticket by visiting the MSS Ticket Portal.
When asked to select a product, select Network Security, and then NDR Support.

To troubleshoot physical sensors, please verify the following:

Is the Sensor powered on?
Ensure the required ports are open in the firewall upstream of the virtual sensor: NDR: Virtual Sensor Requirements
If the sensor is still offline after verifying the above, please schedule a meeting with a NDR engineer. They will do a screenshare with you where they will SSH into the sensor and verify that it can get to the internet & SIEM DP.
1. To do this, please open a ticket by visiting the MSS Ticket Portal.
2. When asked to select a product, select Network Security, and then NDR Support.