Orbital Troubleshooting
This topic covers troubleshooting for both Windows and macOS.
SSL Proxies
Orbital does not support SSL proxies.
Orbital and osquery Logging
The Orbital nodes log to the operating system's native log files.
- On Windows, Orbital logs to the Windows Application Event Log (event source CiscoOrbital).
- On macOS, Orbital logs to the macOS Unified Log (subsystem com.cisco.endpoint.orbital).
- On Linux, Orbital logs to Journald (unit cisco-orbital).
osquery logs are included with these Orbital logs, as an osqueryd subcomponent.
Orbital Service (Node) Not Installing
Symptoms
- Orbital Installation Failure events are listed on the Secure Endpoint Console Events page with a specific error code/message.
- Secure Endpoint Device record shows Orbital Activation In Progress.
- Orbital does not appear on the device after some time.
Things to Check
- The device must be connected to the Orbital service. Refer to the Orbital Requirements topic for more information.
- The device must be able to complete a TLS handshake with the service. SSL terminating proxies like BlueCoat can complicate this.
System Snapshot from Secure Endpoint is Timing Out
Symptoms
- The Secure Endpoint Devices page shows a warning icon and fails to display System Snapshot after some time with various error messages.
Things to Check
- Does the device have Orbital installed and the Windows Service (Orbital) running?
- Can the user perform any queries on the device from the Orbital Live Query Page? (select 1;)
- What is the Last Seen timestamp of the Orbital Node from the Orbital Devices Page?
- Is the device busy performing other queries? (check the status on the Orbital Devices Page)
- Is there a Secure Endpoint/Orbital cloud service degradation?
Last Seen Timestamps
- Secure Endpoint Connector Last Seen Timestamp
- Orbital Devices Page Last Seen Timestamp
- Corroborate both timestamps
Orbital-related Secure Endpoint Events
- Orbital Install Failure
- Orbital Install Success
- Orbital Update Failure
- Orbital Update Success
The Constraint Failed Error Message
Symptoms
An error message: Constraint Failed: The table was queried without a required column in the WHERE clause to limit the output.
Reason for Error
Several tables require constraints to be defined in the query, or queries against them will not succeed. For example, the file table will not return every file on the system, nor will the hash table hash every file on the system. These tables require constraints, and failing to provide them results in the error listed above.
Possible Solution
Go to the table in the schema in the osquery documentation, check which column requires a constraint, and then rewrite the query accordingly.
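The following queries are an added example, not taken from the Orbital documentation. They show an unconstrained query against the hash table next to rewritten forms that satisfy the constraint. In the osquery schema, both file and hash accept path or directory as the constraining column; the paths used here are constructed sample values and should be replaced with locations relevant to the device being queried.

```sql
-- Fails with "Constraint Failed": the hash table is queried
-- without path or directory in the WHERE clause.
SELECT path, sha256 FROM hash;

-- Works: hash constrained to one exact file (sample path).
SELECT path, sha256
FROM hash
WHERE path = '/etc/hosts';

-- Works: file constrained to one directory (not recursive).
SELECT path, size, mtime
FROM file
WHERE directory = '/usr/local/bin';

-- Works: LIKE on the required column also counts as a constraint.
-- In osquery, '%' matches a single directory level and '%%' recurses,
-- so prefer '%' to keep the result set and the node's workload small.
SELECT path, size
FROM file
WHERE path LIKE '/usr/local/bin/%';

-- Works: hash every regular file in one directory.
-- The WHERE clause constrains file; the join on path then supplies
-- the required path constraint to hash for each matching row.
SELECT f.path, f.size, h.sha256
FROM file AS f
JOIN hash AS h USING (path)
WHERE f.directory = '/usr/local/bin'
  AND f.type = 'regular';
```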