🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Red Cloak™ Endpoint Agent Troubleshooting

integrations endpoints red cloak secureworks edr


This document provides guidance on initial agent troubleshooting steps you can take prior to reaching out to Secureworks support for assistance for issues with agent performance, connectivity to Secureworks® Taegis™ XDR, and installation. Guidance is provided for both the Windows and Linux Agent.

Windows Agent Troubleshooting

Troubleshooting Performance Issues

In order to troubleshoot performance issues like CPU, memory spike, blue screen of death (BSoD), and application crashing, provide Secureworks support the following information and logs. If the log files are too large, ask Secureworks for a file share link to upload the logs.

Provide the following Information

Note

Load task manager as Administrator for the description of the processes to be Secureworks Red Cloak.

Task Manager Details Tab

Task Manager Details Tab

Provide the following Logs

  1. Download Process Monitor: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon.
  2. Launch Procmon.exe.
  3. Start collection in Procmon (CTRL+E).
  4. Reproduce the issue:
    • Document exact steps taken to reproduce to provide to Secureworks.
    • Note local machine time when testing started, and time zone of machine.
    • Note local time when issue occurred.
  5. Stop collection in Procmon (CTRL+E) and save the log by selecting File > Save.
  6. Select Events to save: All events and Format: PML.
  7. Change the file name to Active_<devicename>.
  8. Select OK.
  9. Clear current logs in Procmon (CTRL+X).
  10. Run the following command from an administrator command prompt to place the sensor into safe mode: C:\Program Files (x86)\Dell SecureWorks\Red Cloak\redcloak.exe --enter-safe-mode
  11. Repeat steps 3-9 to collect and save the new log as SafeMode_<devicename>.PML.
  12. Run the following command to remove the sensor from safe mode:
    C:\Program Files (x86)\Dell SecureWorks\Red Cloak\redcloak.exe --exit-safe-mode

Troubleshooting Connectivity Issues to Secureworks® Taegis™ XDR

In order to troubleshoot agent connectivity issues to Secureworks® Taegis™ XDR, provide the following details.

Troubleshooting Installation Issues

In order to troubleshoot agent installation issues, provide the following details.

Note

Installing the Red Cloak™ Endpoint Agent on Windows Server 2008 R2 or Windows 7 may require the patches described in the following Microsoft support articles:

Collecting Red Cloak Debug Logs

While troubleshooting connectivity and performance issues, Secureworks support may request debug logs from the endpoint. Follow these steps to collect the Red Cloak logs in debug mode upon request from Secureworks.

  1. Stop Red Cloak service.
  2. Open registry editor.
  3. Find the following entry:
    • Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\redcloak
    • Class Name: ImagePath
  4. Edit ImagePath original value by adding --debug=2 parameter. Note two dash characters (--) before debug.

Original: C:\Program Files (x86)\Dell SecureWorks\Red Cloak\redcloak.exe" --run-service --override-root "C:\Program Files (x86)\Dell SecureWorks\Red Cloak\\

Updated with --debug=2 parameter: C:\Program Files (x86)\Dell SecureWorks\Red Cloak\redcloak.exe" --run-service --debug=2 --override-root "C:\Program Files (x86)\Dell SecureWorks\Red Cloak\\

  1. Start Red Cloak service.
  2. Agent starts in debug mode and writes verbose information into the log files. Nothing changes in its behavior except more information in log files, and faster file growth is expected because of this.
  3. Once the log collection is completed, revert the changes. Debug mode is not recommended to be run for a longer duration than recommended by Secureworks support.

Linux Agent Troubleshooting

Troubleshooting Performance Issues

In order to troubleshoot performance issues like CPU, memory spike, and application crashing, provide Secureworks support the following information and logs. If the log files are too large, ask Secureworks for a file share link to upload the logs.

Provide the following Information

rc_collect Script for Performance Capture

On Linux Agent version 1.2.13.0 and above, we have installed an rc_collect script for performance captures. This can be used to capture over a duration and is used to do a snapshot of details on the agent that Secureworks support and development teams use for performance analysis. The script can be run for five minutes.

Usage: <agent_install_path>/bin/rc_collect <runtime in seconds> <output path>

Example: sudo /opt/secureworks/redcloak/bin/rc_collect

Example with time and output arguments: sudo /opt/secureworks/redcloak/bin/rc_collect 360 /var/tmp

Note

You may use 0 for time as a snapshot value.

Provide the following Logs

Troubleshooting Connectivity Issues to Secureworks® Taegis™ XDR

For Agent Connectivity issues to Secureworks® Taegis™ XDR, provide the following details.

Troubleshooting Installation Issues

In order to troubleshoot agent installation issues, provide the following details.

Collecting Red Cloak Debug Logs

While troubleshooting connectivity and performance issues, Secureworks support may request debug logs from the endpoint. Follow these steps to collect the Red Cloak logs in debug mode upon request from Secureworks.

  1. From the command line, execute:

vi /opt/secureworks/redcloak/bin/redcloak_start.sh

  1. Within vim (or vi), find the following line and add --debug=2:

Original: ${prefix}/bin/redcloak --run-service --override-root "${prefix}" > /dev/null 2>&1 &

Updated with --debug=2 parameter: ${prefix}/bin/redcloak --run-service --debug=2 --override-root "${prefix}" > /dev/null 2>&1 &

Note

A "Warning: Changing a readonly file" message displays, but as long as you are root, this is not an issue.

  1. Save and quit by hitting ESC and typing :wq!
  2. Restart Red Cloak service: systemctl restart redcloak
  3. Agent starts in debug mode and writes verbose information into the log files. Nothing changes in its behavior except more information in log files, and faster file growth is expected because of this.
  4. Once the log collection is completed, revert the changes. Debug mode is not recommended to be run for a longer duration than recommended by Secureworks support.

 

On this page: