Orbital Troubleshooting
This troubleshooting topic contains information that relates to both the Windows and macOS operating systems. Information specific to the Windows operating system is included in its own help topic, as is information specific to macOS.
SSL Proxies
Orbital does not support SSL proxies.
Orbital and osquery Logging
The Orbital node on a device does not log to its own separate files. Instead, it logs to the operating system's native log facility. This means that:
- in Windows, Orbital logs to the Windows Application Event Log (event source CiscoOrbital)
- in macOS, Orbital logs to the macOS Unified Log (subsystem com.cisco.endpoint.orbital)
- in Linux, Orbital logs to Journald (unit cisco-orbital)
osquery logs are included with these Orbital logs, as an osqueryd subcomponent.
Orbital Service (Node) Not Installing
Symptoms
- Orbital Installation Failure events are listed on the Secure Endpoint Console Events page with a specific error code/message.
- Secure Endpoint Device record shows Orbital Activation In Progress.
- Orbital does not appear on the device after some time has passed.
Things to Check
- Device must have connectivity to the Orbital service. See [Orbital Requirements] for more information.
- The device must be able to complete a TLS handshake with the service. SSL terminating proxies like BlueCoat can complicate this.
System Snapshot from Secure Endpoint is Timing Out
Symptoms
- The Secure Endpoint Devices page shows an orange triangle and fails to display System Snapshot after some time with various error messages.
Things to Check
- Does the device have Orbital installed and the Windows Service (Orbital) running?
- Is the user able to perform any queries on the device from the Orbital Live Query Page? (`select 1;`)
- What is the Last Seen timestamp of the Orbital Node from the Orbital Devices Page?
- Is the device busy performing other queries? (can check busy status on Orbital Devices Page)
- Secure Endpoint cloud / Orbital cloud service degradation
Last Seen Timestamps
- Secure Endpoint Connector Last Seen Timestamp
- Orbital Devices Page Last Seen Timestamp
- Corroborate both timestamps
Orbital-related Secure Endpoint Events
- Orbital Install Failure
- Orbital Install Success
- Orbital Update Failure
- Orbital Update Success
The Constraint Failed Error Message
Symptom
You receive the error message: Constraint Failed: The table was queried without a required column in the WHERE clause to limit the output.
Reason for Error
Several tables require constraints to be defined in the query; without them, the query will not succeed. For example, the file table will not return every file on the system, nor will the hash table hash every file on the system. These tables require constraints, and failing to provide them results in the error listed above.
Possible Solution
Look up the table in the osquery schema documentation to see which column requires a constraint, and then rewrite the query accordingly.
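The queries below are an added illustration, not part of the original help topic: they show the unconstrained form that triggers the error for the file and hash tables next to constrained rewrites. The paths are constructed sample values; the column names (path, directory, type, size, mtime, sha256) are taken from the osquery schema for these two tables.

```sql
-- Unconstrained: neither query limits the table by path or directory,
-- so each is rejected with the Constraint Failed error.
SELECT path, size FROM file;
SELECT path, sha256 FROM hash;

-- Constrained by directory: lists only the entries directly inside /etc.
-- (/etc is a constructed sample path.)
SELECT path, size, mtime
FROM file
WHERE directory = '/etc';

-- Constrained by a path pattern. In osquery, a single % matches within
-- one directory level; %% recurses into subdirectories.
SELECT path, size
FROM file
WHERE path LIKE '/tmp/%';

-- Constrained by an exact path: hashes one file only.
SELECT path, sha256
FROM hash
WHERE path = '/etc/hosts';

-- Join: the file table carries the explicit constraint (directory), and
-- the hash table receives its path constraint row by row through the
-- join condition, so only the listed regular files are hashed.
SELECT f.path, f.size, h.sha256
FROM file AS f
JOIN hash AS h ON h.path = f.path
WHERE f.directory = '/etc'
  AND f.type = 'regular';
```

Keep the constrained directory or pattern as narrow as the investigation allows, since every matched file is read from disk when the hash table is joined in.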