Falcon Orchestrator Client Service - Dying after startup

[cloudjumper2000]

My team noticed we were not receiving alerts via email. Found out the Falcon Orchestrator Client service terminated unexpectedly. Event ID: 7031

Looking in:
C:\Program Files (x86)\Falcon Orchestrator\RunLog.txt
We see several of these errors:

2017-06-02 10:51:22,331 FATAL FalconOrchestrator.Client.EventModel - [21145] Error occured while trying to save authentication activity audit event to database
System.ArgumentOutOfRangeException: Value to add was out of range.
Parameter name: value
   at System.DateTime.Add(Double value, Int32 scale)
   at FalconOrchestrator.Client.AuditEvent.get_FormattedTimestamp()
   at FalconOrchestrator.Client.AuthActivityAuditModel.Save()

Could you provide assistance with how to resolve this or what we can check next to provide more info?

Thanks! FJ

PS: Is slack not an option for support? Seems I need a crowdstrike email to create an account for https://falcon-orchestrator.slack.com/

[mr-burnse]

Hey FJ - You don't need a CS domain to join slack, just sign up through here https://falcon-orchestrator.herokuapp.com/. As for the issue being reported, please see below:

This issue just surfaced this week as the UTCTimestamp field on events of type AuthActivityAuditEvent is being pushed through the API with two types of unix epoch formatted timestamps...one with milliseconds and one without. Orchestrator is expecting a certain format and is crashing because of this. I will look to provide a bug fix for this early next week.

[cloudjumper2000]

Thanks for the response and I was able to join slack. Please do let us know when a fix is available for the previously mentioned issue.

[mr-burnse]

Fix has been published here. Please follow implementation steps to apply it.

[cloudjumper2000]

So we have replaced the EXE but receive this error when trying to start the service:

Service cannot be started. System.InvalidOperationException: No connection string named '**FalconOrchestratorDB**' could be found in the application config file.
   at System.Data.Entity.Internal.LazyInternalConnection.Initialize()
   at System.Data.Entity.Internal.LazyInternalConnection.get_Connection()
   at System.Data.Entity.Internal.LazyInternalContext.get_Connection()
   at FalconOrchestrator.DAL.DatabaseHelpers.TestConnection()
   at FalconOrchestrator.Client.FalconOrchestratorService.OnStart(String[] args)
   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

I do see this line in the web.config:

<connectionStrings>
    <add name="**FalconOrchestratorDB**" connectionString="metadata=res://*/FalconOrchestratorDB.csdl|res://*/FalconOrchestratorDB.ssdl|res://*/FalconOrchestratorDB.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=*********;initial catalog=FalconOrchestrator;user id=********;password=********;MultipleActiveResultSets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient"/>
  </connectionStrings>

Any ideas?

[mr-burnse]

Web.config is only used by the web application. Can you check the connection string is there in the client service configuration file? This is located at C:\Program Files (x86)\Falcon Orchestrator\FalconOrchestrator.Client.exe.config.

[cloudjumper2000]

The connection string is there in the above location as well. Any other ideas?

[mr-burnse]

Resolved as per discussion on Slack.