Orbital Troubleshooting
This troubleshooting topic contains information that relates to both the Windows and macOS operating systems. Information specific to the Windows operating system is contained in its own help topic, as is information specific to macOS.
SSL Proxies
Orbital does not support SSL proxies.
Orbital and osquery Logging
Orbital's node on an endpoint does not log to its own separate files. Instead, it logs to the operating system's native log files. This means that:
- in Windows, Orbital logs to the Windows Application Event Log (event source CiscoOrbital)
- in macOS, Orbital logs to the macOS Unified Log (subsystem com.cisco.endpoint.orbital)
- in Linux, Orbital logs to Journald (unit cisco-orbital)
osquery logs are included with these Orbital logs, as an osqueryd subcomponent.
Orbital Service (Node) Not Installing
Symptoms
- Orbital Installation Failure events are listed on the Secure Endpoint Console Events page with a specific error code/message.
- Secure Endpoint Computer record shows Orbital Activation In Progress.
- Orbital does not appear on the endpoint after some time has passed.
Things to Check
- The endpoint must have connectivity to the Orbital service. See [Orbital Requirements] for more information.
- The endpoint must be able to complete a TLS handshake with the service. SSL-terminating proxies such as BlueCoat can complicate this.
Forensic Snapshot from Secure Endpoint is Timing Out
Symptoms
- Secure Endpoint Computers page shows an orange triangle and fails to display Forensic Snapshot after some time with various error messages
Things to Check
- Endpoint must have Orbital installed and the Windows Service (Orbital) running
- Is the user able to perform any queries on the endpoint from the Orbital Live Query Page? (`select 1;`)
- What is the Last Seen timestamp of the Orbital Node from the Orbital Endpoints Page?
- Endpoint is busy performing other queries (can check busy status on Orbital Endpoints Page)
- Secure Endpoint cloud / Orbital cloud service degradation
Last Seen Timestamps
- Secure Endpoint Connector Last Seen Timestamp
- Orbital Endpoints Page Last Seen Timestamp
- Corroborate both timestamps
Orbital-related Secure Endpoint Events
- Orbital Install Failure
- Orbital Install Success
- Orbital Update Failure
- Orbital Update Success
The Constraint Failed Error Message
Symptom
You receive the error message: Constraint Failed: The table was queried without a required column in the WHERE clause to limit the output.
Reason for Error
Several tables require a constraint to be defined in the query; without one, the query does not succeed. For example, the file table will not return every file on the system, nor will the hash table hash every file on the system. These tables require constraints, and failing to provide them results in the error listed above.
Possible Solution
Check the table in the schema in the osquery documentation and see which column requires a constraint, and then rewrite the query accordingly.
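
The queries below are an added example, not taken from the Orbital documentation, showing the error case next to constrained rewrites for the file and hash tables. They assume the path and directory columns that the osquery schema marks as required for both tables; the paths are constructed sample values.

```sql
-- Added illustration. Paths are constructed sample values; substitute
-- paths that exist on the endpoint (for example a C:\ path on Windows).

-- Fails with "Constraint Failed": no required column in the WHERE clause.
SELECT path, size, mtime FROM file;

-- Still fails: size is not one of the required columns.
SELECT path FROM file WHERE size > 1000000;

-- Works: equality constraint on path (one specific file).
SELECT path, size, mtime
FROM file
WHERE path = '/etc/hosts';

-- Works: constraint on directory (entries directly inside it).
SELECT path, size, mtime
FROM file
WHERE directory = '/etc';

-- Works: LIKE constraint on path; % matches within one directory level.
SELECT path, size
FROM file
WHERE path LIKE '/etc/%.conf';

-- hash follows the same rule: constrain path or directory.
SELECT path, sha256
FROM hash
WHERE path = '/etc/hosts';

-- Combined: the directory constraint bounds the file table, and the
-- join passes each resulting path to hash as its constraint.
SELECT path, size, sha256
FROM file
JOIN hash USING (path)
WHERE file.directory = '/etc';
```

Keeping the constraint as narrow as the investigation allows also limits how long the endpoint stays busy hashing or walking files.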