ConnectWise Automate - Remote monitor (orphaned agent)

You can see more information on Orphaned Agent by clicking here.

This guide walks through creating a remote monitor (exe monitor) in ConnectWise Automate to monitor whether an Agent has been orphaned. The monitor runs a single-line PowerShell command that parses the HuntressAgent.log file and looks for the status code "401." If the log contains a 401 (forbidden), the monitor will fail.

Automate remote monitors require a single command line to run. The monitor in this guide runs a single-line PowerShell command used to parse the HuntressAgent.log and look for error 401.

If you have any enhancements you'd like for us to share with other Partners, feel free to email support@huntress.io. 

Note that this, like any computer code, comes with its limitations. This documentation was created in a controlled environment. There may be instances where the monitor does not function as expected. The best places for help on these issues are ConnectWise University Automate Documentation, MSPGeek, and r/labtech.

Creating Advanced Search Group

If you have already created a search group either by following Automate to Manage Billing, or creating one on your own, you can skip to section 2. 

  1. Go to Automation>Advanced Searches and create a new search.
  2. Customize the search to your liking; below is what we recommend. Save the search as "Software\Software - Huntress" (or something similar).
  3. Go to Browse>Groups. Right-click on "Groups" and hit "create group."
  4. Set the "Computers" under "AutoJoin Searches" and add the "Huntress" product we created earlier under the "Managed Services" tab.

Creating the Monitor

  1. Open the group created in Section 1. Go to Computer>Remote Monitors. Click Add at the bottom. Select Monitor the results of an Executable.
  2. Copy the code block below into Executable / Arguments
    %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass -Command "if (Test-Path 'C:\Program Files\Huntress\HuntressAgent.log') {$Path = 'C:\Program Files\Huntress\HuntressAgent.log'} elseif (Test-Path 'C:\Program Files (x86)\Huntress\HuntressAgent.log') {$Path = 'C:\Program Files (x86)\Huntress\HuntressAgent.log'} else {$Path = 'Huntress Log File Missing'}; if ($Path -notmatch 'HuntressAgent.log') {Write-Output $Path} else {$Log = @(Get-Content $Path | ForEach-Object { if ($_ -match '(?<time>\d+-\d+-\d+T\d+:\d+:\d+-\d+:\d+).+(?<level>(?<=level=)\w+).+(?<msg>(?<=msg=).*)') {$Matches.Remove(0); [PSCustomObject]$Matches}} | Where-Object {$_.level -match 'error' -and $_.msg -match 'status code:401'}); if ($Log.count -ge 1) {Write-Output 'Huntress Agent is orphaned. Please uninstall and reinstall'} else {Write-Output 'Huntress Agent is not Orphaned'}}"
    	

  3. Change Comparison Function to Contains and enter in "is not orphaned"
  4. Choose your desired check interval (Daily should be more than enough). 
  5. Choose your desired Alert Template settings (Create Manage ticket, send email, raise alert, do nothing, etc.) 
  6. Create your desired alert message. We suggest something like: 
    %NAME% %STATUS% on %CLIENTNAME%\%COMPUTERNAME% at %LOCATIONNAME% for %FIELDNAME% result %RESULT%.
    	

  7. Give it a name. We just went with "Huntress Agent Orphan Detector"
  8. If you double-click the line item, it will show all the Agents it has been installed on and their status (it may take a few minutes before it starts reaching computers).
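
To check the command's parsing before assigning the monitor to a group, the same logic can be run in a PowerShell console against sample lines. This is an added example, not Huntress code: the function name `Get-HuntressOrphanStatus`, the case names and the log lines are constructed to fit the pattern used in the command above, and the wording of real log messages may differ. It also covers a log with exactly one matching line and a timestamp written with a `+` UTC offset (the page does not say whether the agent ever writes one).

```powershell
# Added example (not Huntress code). Function name and sample lines are constructed.
function Get-HuntressOrphanStatus {
    param([string[]]$Line)

    # Same pattern as the monitor command: timestamp, level=<word>, msg=<rest of line>
    $pattern = '(?<time>\d+-\d+-\d+T\d+:\d+:\d+-\d+:\d+).+(?<level>(?<=level=)\w+).+(?<msg>(?<=msg=).*)'

    # @() keeps the result an array; in Windows PowerShell 5.1 a lone
    # PSCustomObject has no Count property, so one match would compare as $null.
    $hits = @($Line | ForEach-Object {
        if ($_ -match $pattern) {
            [PSCustomObject]@{ Time = $Matches.time; Level = $Matches.level; Msg = $Matches.msg }
        }
    } | Where-Object { $_.Level -match 'error' -and $_.Msg -match 'status code:401' })

    if ($hits.Count -ge 1) {
        'Huntress Agent is orphaned. Please uninstall and reinstall'
    } else {
        'Huntress Agent is not Orphaned'
    }
}

# Constructed log lines, one set per scenario
$cases = [ordered]@{
    'no errors'        = @('time="2024-05-01T09:15:02-04:00" level=info msg="check-in complete"')
    'single 401 error' = @(
        'time="2024-05-01T09:15:02-04:00" level=info msg="check-in complete"',
        'time="2024-05-01T09:20:10-04:00" level=error msg="request failed, status code:401"'
    )
    # Level is not "error", so the Where-Object filter drops the line
    '401 at info'      = @('time="2024-05-01T09:20:10-04:00" level=info msg="status code:401"')
    # '+' offset: the time group in the pattern only accepts '-HH:MM'
    '401, + offset'    = @('time="2024-05-01T15:20:10+02:00" level=error msg="request failed, status code:401"')
    'empty log'        = @()
}

foreach ($name in $cases.Keys) {
    [PSCustomObject]@{
        Case   = $name
        Result = Get-HuntressOrphanStatus -Line $cases[$name]
    }
}
```

Compare each Result string with the Contains value entered in step 3 to see which cases would leave the monitor in a passing state.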
