...
Keep in mind that after migration, certain data won't transfer, such as created action rules (mutes, remediations, and auto-remediations) and the activity log of actions.
...
Console output:
...
Event Viewer output:
...
...
If the issue was caused by a null value in the "Option.json" file located within the "data/
...
RsopRepository/config" directory
...
, please modify the contents of the file to the following:
{
"host": "localhost",
"port": 2000,
"protocol": "TCP",
"gytpolServer": "gytpol-server-host-name",
"timeout": 60,
"chunkSize": 100,
"isSiemIntegrationEnabled": "false"
}
Health screen – all clients missed reports in the last 24 hours or more
If you have experienced a situation where all clients have lost connectivity to the dashboard for the past 24 hours or more, and you see orange or red bars indicating issues, please follow these steps to resolve the issue:
Restart the "gytpol Data Repository" service.
Restart the "gytpol Analyzer" service as a dependency of the "gytpol Data Repository" service.
After restarting these services, the clients should start reporting their data shortly. This action should help restore connectivity and resolve any issues causing the lack of data reporting to the dashboard.
...
Code Block |
---|
{
"reportPurgeEnabled": true,
"minMinutesBetweenReports": 1,
"reportLogFolder": null,
"removeDuplicateReports": true,
"reportMaxSubmitSeconds": 20,
"reportMaxSizeKb": 100000,
"reportQueueMaxConcurrentInsertions": 100,
"reportQueueInsertionTimeoutSeconds": 20,
"reportQueueMaxItems": 10000,
"localUploadQueue": false,
"minLogSeverity": 5
} |
If the issue was caused by a null value in the "Option.json" file located within the "data/Analyzer/config" directory, please modify the contents of the file to the following:
Code Block |
---|
{
"MaxTraceLogFileKiB": 5000,
"MaxTraceLogFiles": 10,
"msiCleanerEnabled": false,
"minLogSeverity": 5,
"reportMaxSubmitSeconds": 20,
"aesKey32BytesBase64String": "7IY5QsK5uoyczMcPM8UN1FmAAUPwW8m2s11uXTIRRjU=",
"aesIV16BytesBase64String": "j/KY2HHiuUiZCE+arMWyvQ=="
} |
Once done, please start the services - Data Repository first and then Analyzer.
To investigate client-related issues, examine the logs in the directory "C:\Program Files\WindowsPowerShell\Modules\gytpol\Log". These logs show the specific problems the client is encountering.
...
To determine whether this issue is at play, you can conduct a connection test using PowerShell:
Test-NetConnection _gytpol -port 9093
It's important to note that this test encompasses both connectivity and DNS resolution. It's crucial that the hostname "_gytpol" resolves to the same server name as the Fully Qualified Domain Name (FQDN) of the GYTPOL application server.
...
Should the test yield a "False" result, it's recommended to collaborate with your network team to inspect and potentially open the requisite ports to rectify the issue.
NullReferenceException in client logs
If the client isn’t reporting and the log shows this:
Code Block |
---|
2024-08-12T06:27:04 ERROR trigger(10780) << Main << Failed to run action GytpolClient.CliActions.CliActionTrigger.
Exception: System.NullReferenceException: Object reference not set to an instance of an object.
at GytpolClient.services.StateScanTrigger.UpdateState(ClientStateConfig state, Boolean value) in C:\jenkins\workspace\Windows-Client-Build\agent\src\GytpolClientFW2\services\ServiceState.cs:line 105
at GytpolClient.services.ClientStateProp`1.Set(TValue value) in C:\jenkins\workspace\Windows-Client-Build\agent\src\GytpolClientFW2\services\ServiceState.cs:line 37
at GytpolClient.services.ServiceState.set_ScanTrigger(Boolean value) in C:\jenkins\workspace\Windows-Client-Build\agent\src\GytpolClientFW2\services\ServiceState.cs:line 208
at GytpolClient.CliActions.CliActionTrigger.Run() in C:\jenkins\workspace\Windows-Client-Build\agent\src\GytpolClientFW2\CliActions\CliActionTrigger.cs:line 17
at GytpolClient.Program.Main(String[] args) in C:\jenkins\workspace\Windows-Client-Build\agent\src\GytpolClientFW2\Program.cs:line 92 |
Please verify that all the files in C:\Program Files\WindowsPowerShell\Modules\gytpol\Config are present.
There should be four files in total, as listed below.
...
Please also ensure that "state.json" is not empty and that "client.json" contains the following information:
Code Block |
---|
{"isTerminal":false,"archiveEnabled":false} |
If the "state.json" file is empty or contains NULL values, please delete the file and run the gytpolTask to initiate a scan. The scan should recreate the "state.json" file, and the device should report correctly.
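A report-only way to run the file checks above in PowerShell. This is an added example, not GYTPOL's own code: the function name `Test-GytpolConfigFile` is hypothetical, and treating "NULL values" as either 0x00 bytes or JSON null properties is an assumption. Only the two file names given on this page are checked.

```powershell
# Added example (not vendor code): report-only check of the client config files.
$ConfigDir = 'C:\Program Files\WindowsPowerShell\Modules\gytpol\Config'  # path from this page

function Test-GytpolConfigFile {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$RequiredKeys = @()
    )
    $name = Split-Path -Path $Path -Leaf
    # Small helper that builds one result row for the file being checked.
    $report = { param($status, $detail)
        [pscustomobject]@{ File = $name; Status = $status; Detail = $detail } }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return & $report 'Missing' '' }

    $text = Get-Content -LiteralPath $Path -Raw
    if ([string]::IsNullOrWhiteSpace($text)) { return & $report 'Empty' '' }

    # Assumption: "NULL values" can mean a file overwritten with 0x00 bytes.
    if ($text.IndexOf([char]0) -ge 0) { return & $report 'NulBytes' 'contains 0x00 characters' }

    try   { $json = $text | ConvertFrom-Json -ErrorAction Stop }
    catch { return & $report 'InvalidJson' $_.Exception.Message }
    if ($null -eq $json) { return & $report 'NullValues' 'document is JSON null' }

    # Assumption: it can also mean top-level properties set to JSON null.
    $props = @($json.PSObject.Properties)
    $nulls = @($props | Where-Object { $null -eq $_.Value } | ForEach-Object Name)
    if ($nulls.Count -gt 0) { return & $report 'NullValues' ($nulls -join ', ') }

    # Keys the page says client.json must contain are passed in by the caller.
    $absent = @($RequiredKeys | Where-Object { $props.Name -notcontains $_ })
    if ($absent.Count -gt 0) { return & $report 'MissingKeys' ($absent -join ', ') }

    & $report 'OK' ''
}

$results = @(
    Test-GytpolConfigFile -Path (Join-Path $ConfigDir 'state.json')
    Test-GytpolConfigFile -Path (Join-Path $ConfigDir 'client.json') -RequiredKeys 'isTerminal', 'archiveEnabled'
)
$results | Format-Table -AutoSize
```

The script changes nothing on disk; a "state.json" row that is not `OK` is the case where the delete-and-rescan step above applies.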
...
If a proxy server is configured, it will be displayed in the command output.
PowerShell:
$proxySettings = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($proxySettings.ProxyEnable -eq 1) {
    Write-Output "Proxy Server: $($proxySettings.ProxyServer)"
}
else {
    Write-Output "Proxy is not enabled."
}
If proxy is set, this will be the result:
...