FAQ

If you have a question about using Edge DX, you might be able to find the answer below in the list of Frequently Asked Questions (FAQ) about Edge DX.

Data Display

Why am I not seeing anything is this report?

• Check the Date Range. Remember that the Date Range is cached, so that a previous Date Range selection remains until you log out of Edge DX and then log in again.

• There is a 10 minute delay in uploading data from the agent. If the agent was offline for a long time, then it can take a while for its cache to be uploaded. Older events are uploaded first.
• Processes are only recorded after they stop (exit), not when they start. You do not see processes before they are exited.

Why is the Windows Event Log report empty?

• Check your Windows Event Log Collection settings under Configuration > Settings > Agent. The agent only collects the events configured there.

What are Custom Reports?

• See Custom Reports in Edge DX for information.

Can I create a Custom Chart?

• Currently, creation of custom charts is not supported. Click Export to CSV to export data to an external application. Advanced users can extract data directly through the API.

Why do I not see any CPU data or Active Processes?

• Check Device Events to see if sipagent.exe is being blocked by one of your security products. To solve the problem, make sure you perform the necessary whitelisting described in the prerequisites article.

Why is the Active Processes grid empty?

• The device has been offline for more than 10 minutes.
• The device has only just come online and has not yet sent its first update. Wait 20-30 seconds. If you have WebSockets working on the device you should see Active Processes in about 10 seconds.

Why do I not see some processes in the CPU Usage widget?

• The only processes which are displayed in the CPU Usage widget are those which consume more than 5% of available CPU and RAM resources, over a 60-second sample period.
• CPU Usage values are the average usage over the 60-second sample period. For example, if a process uses 100% for 6 seconds and then goes back to idle, the CPU Usage value for the 60-second sample window is 10%.
• The machine OS does not allow queries of some highly secure OS components, or if a large amount ofCPU and RAM resources is taken by System Interrupts.
• For Mac and Linux: Only processes running at the time the sample is taken are captured, so if a process stops before the end of the 60-second sample window, the system is unaware of it.
• For Windows, processes which stopped during the 60-second sample window are captured and displayed.

Why is there nothing in the Installed Applications or the Missing Patches Report?

• These reports are populated once a day, and first run about 15 mins after the agent starts. The agent must be online for the Missing Patches report to be populated, and the Windows Update engine is slow and can take at least 10 mins to run.
• The Missing Patches report uses the built-in Windows Update COM library, so it works against Microsoft's patch database. It only covers Microsoft patches, not 3rd party.
• The Missing Patches and Installed Applications reports are not yet supported for macOS.
• The Missing Patches report is not yet supported for Linux.

When is the User Profile data (shown in the User Profiles Report) collected?

• User Profile data is collected at logon, when the user profile is loaded into the session. The User Profiles Report shows one profile record (and drilldown) for every user logon.

Device Registration

Why do I not see any devices when I know I have some registered?

• Check if the devices are offline (i.e., no communication for over an hour) and you have Hide Offline Devices selected.

• Check if the devices are offline (i.e., no communication for over an hour) and you have clicked a column which displays charts (e.g., Network Latency, CPU Usage, etc.) Clicking a column sorts according to that column, and offline devices are hidden when sorting by a column containing charts (as noted in the UI - see screenshot below.)

My device cannot register or connect to the Edge DX cloud service.

• Make sure you meet the all of the Edge DX prerequisites.
• You may have used the wrong Device Registration Code. Be sure to use the correct one from Configuration > Downloads.
• Check to see if there is a Web Proxy problem.

How do I configure a network Proxy?

• When you install the Windows Agent Manager interactively, you can select the option to configure a proxy:

• When you install the Windows Agent Manager from a command line (e.g., SCCM, Intune), you can enter proxy= on the msiexec.exe command line (you can use an IP or a DNS name):

msiexec /i agentmanagersetup.msi /qn DEVREGCODE=c18d1234fd3a99c912d56b24567f10d2fea61234 TENANT=whatever.sip.controlup.com ALLUSERS=1 PROXY=proxy.my.org:8080

• For Windows, you can also use the Registry. Add the entry, and then restart the Agent and Agent Manager services. The registry value goes in HKLM\SOFTWARE\Avacee\SIP. Add a REG_SZ (string) called “ProxyAddress”.

• For Linux, add a proxy parameter on the command line that starts the agent binary, for example:

proxy=1.2.3.4:8080

• For Mac 2.7+ (native agent), configure the proxy in macOS.
• For all platforms, you can also set up a system- level environment variable called HTTPS_PROXY, and then restart the Agent and Agent Manager. See HttpClient.DefaultProxy Property (System.Net.Http).

General

How do I force a device to use a specific agent version?

To force a device to use a specific agent version, perform the following steps:

1. Disable the Agent Manager service (to prevent it from upgrading/downgrading the agent to the production version).
2. Download and install the selected agent version. Make sure your tenant and device registration code are in the registry or on the msiexec command line.

How much network traffic does an agent send each day?

• The amount of data uploaded by an agent each day can vary widely, depending on both the extent of end-user activity, as well as the configuration of what end-user activity is collected (e.g., app foreground and URL activity, process whitelist, etc.)
• A rough estimate is between 5MB uploaded per device per day, up to as much as 20MB for a device that is being used around the clock.

What are "SIP", "AI", and "CPE"?

• "SIP", "AI", and "CPE" are all acronyms for the product names which preceded "Edge DX". "AI" will no longer be in use soon, but "SIP" will probably remain in use.

How can I scrape the Windows Event Log on a remote device?

• Under Configuration > Settings > Agent > Windows Event Log Collection, you can select events to collect and monitor.
• To capture even more events, you could use a script. Refer to the Edge DX Scripting Guide.

Network Latency - How do I change where it pings?

• Configure targets under Configuration > Settings > Network Latency. See Network Performance for more information.

I'm running a Command from Actions in the Device page, but nothing is happening.

• This just starts a process with arguments, it is not a command prompt. For example, if you want to use mkdir (which is not a binary or exe) you have to use “cmd /c=mkdir %temp%\hello”.
• Commands run as System, so processes start in the background, don't run in the user session, and have no access to a desktop.

How can I troubleshoot Edge DX performance for my organization?

• Usually troubleshooting questions are escalated to the product team, but you can get some basic info from this query:
  https://<tenant>.sip.controlup.com/api/hello?get_server_metrics=true

How does Edge DX use WebSockets?

• From the 2.6 agent onwards, each device attempts to connect to the tenant using a WebSocket. This is a long-running connection, initiated by the device (still outbound 443 HTTPS), which allows the tenant to send actions and scripts instantly to the agent.
• Some proxies do not allow WebSockets, and they also cannot be established on mobile hotspots. In these cases, the agent reverts to polling every 15 seconds.

Alerts

Why am I not getting Alerts?

• Check the conditions configured for the Alert (see Edge DX Alerts for more information):

* Time Window - For most Alerts you'll want a Time Window of at least 900 seconds. Most data is cached on the agent for 10 minutes before being uploaded. If you have a Time Window of < 600 seconds (10 minutes) a lot of events can be missed if they happened 10 minutes ago, and were waiting in the cache.
* Number of Hits - An alert registers only if the configured threshold is exceeded more times than the configured Number of Hits in the configured Time Window. If the Number of Hits is set too high for the Time Window, alerts can be missed. For example, if the Number of Hits is set to 20 and the Time Window is only 600 seconds (10 minutes), you will not receive an alert since there is no way that the device will exceed the threshold twenty times in a 10-minute window.

• If a device comes back online after a few hours and uploads its data you might not get an alert because the system takes into account the time that the event happened, NOT the time when it was uploaded to the server.
• Check Configuration >Data to confirm that the the event you think you should have received an alert about was recorded in the database, and that its recorded _created_local time occurred within the configured Time Window.
• Check if the Retrigger Delay is set too high. The Retrigger Delay parameter prevents you from being flooded with alerts every 60 seconds, but if it is configured to a value which is too high, you might not receive alerts for an excessively long period of time.

Why am I getting duplicate alerts?

• Check if you have multiple alerts configured for the same data.

Why can't I select a Custom Action?

• Check to confirm that you have selected a Device Platform (Windows / Mac / Linux).

Scripting

What should I do if I feel completely in the dark about scripts?

• Refer to the Edge DX Scripting Guide.

Can I write a script that uses the Device Group? (Not the AD groups, the CPE one)

• Yes, use the SIPDEVICEGROUP environment variable.

Why is CarbonBlack or other security software blocking PowerShell?

• If PowerShell is blocked by any security software, the sipagent.exe process may need to be whitelisted so that it can run PowerShell. Most scripts run as system, but we recommend allowing the user context if you are creating or running scripts as a user account.

Why do certain characters in script output cause problems?

• By default PowerShell output is in ASCII (aka UTF-7) and Unicode characters are converted to something which looks similar in the ASCII character set, which can cause chaos with JSON formatted data. The simple fix is to add the following before writing any output to stdout:

[Console]::OutputEncoding = [System.Text.Encoding]::UTF8

In a script, how do I filter by the Device Group set in the Devices page?

• Use the Device Group environment variable SIPDEVICEGROUP. The agent updates this every time it does a config refresh.

Why does data output from my scripts get rounded to an integer?

• To avoid problems with mixed FLOAT and LONG records in ElasticSearch, which cause searching and sorting to fail.
• If you want to store something like milliseconds, multiply by 1000 before you output the value.

Why don’t I see events from the SIP Service Start trigger?

• Device Events are not cached locally and so will not be sent if the device is offline. The SIP Service Start trigger will always run at agent start but you won’t see an event if the device is offline.

Why is the Missing Patches script creating so many errors in the System Event Log?

• The Missing Patches script uses the Windows Update agent built into Windows, and it throws errors based on various problems it encounters. In the script you can see that there is an interpretation of some of the errors, e.g., when the device is offline or cannot connect to the Microsoft patch database. You can see the Missing Patches script (on Windows) in C:\ProgramData\Avacee\sip_agent\scripts at builtin_missing_patches_win.ps1
• Sometimes Windows Update is disabled by another patch engine, or by Group Policy. In this case it is best to disable the script.