I'm not sure if someone could help me figure out what is going on with this. We are currently deploying the CrowdStrike Falcon Sensor in our environment, and have a policy that pushes out the install package and a script. The install package works without issue, but we are having some issues with the script.
When the endpoint is licensed already, the script returns a failed status code and a status message as to why it failed in Jamf ("ERROR: The machine is already licensed"), but does not return that message in the script so we can tell it to succeed in the case that it is already licensed.
#!/bin/sh
# THIS SCRIPT LICENSES THE CROWDSTRIKE FALCON SENSOR
RESULT=$(/Applications/Falcon.app/Contents/Resources/falconctl license "$4")
echo "
OUTPUT:
${RESULT}
"
Which results in the following:
Script result: Error: This machine is already licensed
OUTPUT:
Any idea what is going on here?
Best answer by mm2270
atomason wrote:
Hey Fluffy.
Thanks for the reply! I tried that and various other approaches, but it was completely inconsistent. For instance, if the command succeeded then ${RESULT} would have a value, but if it failed then it would be an empty variable. I'm convinced that CrowdStrike is not handling output to "stderr" and "stdout" in their sensor correctly causing issues with this script.
I was also going to suggest redirecting stderr to stdout, as that usually does the trick with such commands.
If that's not working, another approach you could try is to run the command but tee the output to a local tmp log file, then in your script check that log file for the result, and act accordingly.
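# Send stdout and stderr through tee into a log file
/Applications/Falcon.app/Contents/Resources/falconctl license "$4" 2>&1 | tee /tmp/falconinstall.log
# grep -q only sets the exit status, so no [[ ]] or command substitution is needed
if grep -q "The machine is already licensed" /tmp/falconinstall.log; then
    echo "Already licensed. Exiting."
    exit 0
fi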
Hey Bol! That does not make a difference in the output for me. I have actually tried to format this several different ways with the same result. For whatever reason $RESULT is empty after the command is executed, but Jamf still manages to get the output. The line:
Script result: Error: This machine is already licensed
Is caught by Jamf in the policy logs, but not in the output of $RESULT.
I believe what you would want to do is redirect stderr to stdout. I'm unable to test this myself, but you could try the following:
#!/bin/sh
# THIS SCRIPT LICENSES THE CROWDSTRIKE FALCON SENSOR
RESULT=$(/Applications/Falcon.app/Contents/Resources/falconctl license "$4" 2>&1)
echo "
OUTPUT:
${RESULT}
"
Hey Fluffy.
Thanks for the reply! I tried that and various other approaches, but it was completely inconsistent. For instance, if the command succeeded then ${RESULT} would have a value, but if it failed then it would be an empty variable. I'm convinced that CrowdStrike is not handling output to "stderr" and "stdout" in their sensor correctly causing issues with this script.
I was also going to suggest redirecting stderr to stdout, as that usually does the trick with such commands.
If that's not working, another approach you could try is to run the command but tee the output to a local tmp log file, then in your script check that log file for the result, and act accordingly.
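# Send stdout and stderr through tee into a log file
/Applications/Falcon.app/Contents/Resources/falconctl license "$4" 2>&1 | tee /tmp/falconinstall.log
# grep -q only sets the exit status, so no [[ ]] or command substitution is needed
if grep -q "The machine is already licensed" /tmp/falconinstall.log; then
    echo "Already licensed. Exiting."
    exit 0
fi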
I ended up going this route simply because it works. I'm still not sure what the exact issue was, but I suspect that CrowdStrike is not properly handling 'stdout' and 'stderr' messages.
Can I ask, is this bit of code simply appended to the end of the script that installs the license? I am having the same problem, which isn't really a problem as CrowdStrike is actually deployed, but it is reporting a failure to me, which causes me to have to track it down. Thanks.
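The log-file-and-grep approach from the best answer, written out as one complete policy script (an added example, not code from the thread, CrowdStrike or Jamf). It assumes the message text used in the thread's grep; the `FALCONCTL` override, the `license_sensor` function and the temp file name are names chosen here, and it writes to a `mktemp` file rather than a fixed `/tmp` path because Jamf runs policy scripts as root.

```shell
#!/bin/sh
# Added example: licensing wrapper that treats "already licensed" as success.
# FALCONCTL may be overridden (assumption made here, e.g. for testing);
# the default is the path used in the thread.
FALCONCTL="${FALCONCTL:-/Applications/Falcon.app/Contents/Resources/falconctl}"
# Message text copied from the grep in the thread.
ALREADY_MSG="The machine is already licensed"

# license_sensor <license-value>
# Returns 0 on success or "already licensed", otherwise falconctl's exit status.
license_sensor() {
    rc=0
    # Private, unpredictable file instead of a fixed name in /tmp.
    out_file=$(mktemp "${TMPDIR:-/tmp}/falconlicense.XXXXXX") || return 1
    # Write stdout and stderr straight to the file so the check does not
    # depend on command substitution capturing the tool's output.
    "$FALCONCTL" license "$1" >"$out_file" 2>&1 || rc=$?
    # Replay the output so it still appears in the Jamf policy log.
    cat "$out_file"
    if grep -q "$ALREADY_MSG" "$out_file"; then
        echo "Already licensed. Treating as success."
        rc=0
    fi
    rm -f "$out_file"
    return "$rc"
}

# Jamf passes the first custom script parameter as $4.
# Only act when it is present, so the file can also be sourced.
if [ -n "${4:-}" ]; then
    license_sensor "$4"
    exit $?
fi
```

Any other failure keeps falconctl's own exit status, so the policy still reports genuine licensing errors as failed.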