Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Huntress Agents
Environment: Huntress, Windows, macOS
Summary: If the Huntress Rio service appears to be crashing, or if your host is experiencing high memory usage caused by the Rio agent, there is some information we will need to help you out.
Please do NOT uninstall the Huntress Agent as a first troubleshooting step. Uninstalling removes visibility into the host and deletes all log history, which can make troubleshooting difficult. Only remove the agent as a "last step" measure.
When the Rio agent is experiencing the following:
- Crashing
- High memory usage
- Possible interference with another application
What information should be submitted to Product Support for review?
- Name(s) of impacted host(s)
- What is the Windows Version and service pack? What version of macOS?
- What is the Huntress agent (and updater version) and Rio agent version?
- Is the system patched and up to date with Windows updates?
- Please update the host to all recent Windows updates and Huntress updates to ensure full compatibility with the Rio service
- Are there any other security products installed on this host? Examples:
- Antivirus tools other than Defender antivirus
- XDR, MDR, EDR
- Names of any line of business applications, backup software tools, or database applications being impacted by the Rio service
- Verify all exceptions are in place if running an antivirus or security tool other than Defender
- Run this connection tester to verify there are no network blocks
- Attach the log
- Gather Process Monitor (Procmon) logs on Windows systems
- Windows event logs
- Zipping the files to attach to the ticket usually works to allow ALL events to be sent, but if the file size is too large, please provide at least 7 days of log history including at least 24 hours prior to the event starting, or logs from 24 hours before the event occurred to the day of reporting, whichever is longer. Example: If the issue was originally reported to you on June 5th, and today is June 8th but the event started on May 29th, please provide logs from May 28th to June 5th at a minimum. The more logs we have the better!
- Application
- System
- Any logs specific to the issue at hand
- Huntress agent logs
- Windows logs (not all may be present, this is normal)
- C:\Program Files\Huntress\HuntressAgent.log – Huntress Agent log file
- C:\Program Files\Huntress\HuntressUpdater.log – Huntress Agent Updater log file
- C:\Program Files\Huntress\check.log – Update check log
- C:\Windows\Temp\HuntressInstaller.log – Huntress installer log
- C:\Program Files\Huntress\Rio\rio.log – Process Insights / Rio log
- Mac logs:
- Pull Huntress logs from /Library/Application Support/Huntress/HuntressAgent
- Pull install logs from /tmp/ (easy to find via Terminal; with Finder you have to use the Go->Go To Folder menu to find it). Files we're looking for are huntressagent-pkg-install, hagent.yaml or huntressagent
- Is it running Defender or Defender for Endpoint?
- What troubleshooting steps have you already taken?
- Screenshots (task manager processes/ memory tabs/ logs)
Gather the above and submit your request to https://support.huntress.io/hc/en-us/requests/new to get started!
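One way to collect the Windows items above in a single pass, as an added example (not a Huntress-provided script): it copies whichever of the listed log files exist, exports the Application and System event logs for the requested window, and zips the result. The parameter names, the staging folder and the reading of the log-window rule (start at the earlier of 24 hours before the event and 7 days before the report date) are assumptions; run it from an elevated PowerShell session.

```powershell
param(
    [Parameter(Mandatory)] [datetime]$EventStart,   # when the crash / high memory usage began
    [datetime]$ReportedDate = (Get-Date),           # day the issue was reported to you
    [string]$OutDir = "$env:TEMP\HuntressSupport"   # hypothetical staging folder
)

# Log window (assumed reading of the rule above): start at the earlier of
# "24 hours before the event" and "7 days before the report date".
$start = @($EventStart.AddHours(-24), $ReportedDate.Date.AddDays(-7)) |
         Sort-Object | Select-Object -First 1
$end   = $ReportedDate.Date.AddDays(1)              # include the whole report day

# Log files named in the list above; not all may be present, which is normal.
$paths = @(
    'C:\Program Files\Huntress\HuntressAgent.log',
    'C:\Program Files\Huntress\HuntressUpdater.log',
    'C:\Program Files\Huntress\check.log',
    'C:\Windows\Temp\HuntressInstaller.log',
    'C:\Program Files\Huntress\Rio\rio.log'
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        Copy-Item -LiteralPath $p -Destination $OutDir   # copy first so the zip never reads a live file
    } else {
        Add-Content -Path (Join-Path $OutDir 'missing.txt') -Value "not present: $p"
    }
}

# Export Application and System events inside the window as .evtx files.
$query = "*[System[TimeCreated[@SystemTime>='{0}' and @SystemTime<='{1}']]]" -f `
    ($start.ToUniversalTime().ToString('s') + 'Z'), ($end.ToUniversalTime().ToString('s') + 'Z')
foreach ($log in 'Application', 'System') {
    wevtutil epl $log (Join-Path $OutDir "$log.evtx") "/q:$query" /ow:true
}

# Host name and Windows version for the ticket.
Get-CimInstance Win32_OperatingSystem |
    Select-Object CSName, Caption, Version, BuildNumber |
    Out-File (Join-Path $OutDir 'host.txt')

$zip = "${OutDir}-{0:yyyyMMdd}.zip" -f (Get-Date)
Compress-Archive -Path "$OutDir\*" -DestinationPath $zip -Force
$zip   # path of the archive to attach to the ticket
```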
What can I do in the meantime?
The best course of action would be to first pull the Rio logs to send to us and then restart (stop and start) the Rio agent service. If issues persist, only after securing those logs should you proceed to the next step while troubleshooting with our team.
Excluding your host or organization from Process Insights is a great way to minimize interruptions while we investigate. To learn more, follow the guide above. Stopping the Rio service this way removes all logs. Be sure to save the logs before excluding the service.