How to Verify the CrowdStrike Falcon Sensor Is Running Properly

Ensuring the CrowdStrike Falcon Sensor is running properly on your endpoints is essential for maintaining security. This guide provides simple verification steps for Windows, macOS, and Linux to confirm that the sensor is installed, active, and communicating with the CrowdStrike Falcon Console.


Checking the Falcon Sensor on Windows

Method 1: Verify via Command Prompt

  1. Open Command Prompt by pressing Win + R, typing cmd, and pressing Enter.
  2. Type sc query csagent and press Enter.
  3. If the STATE shows RUNNING, the Falcon Sensor is active. If it is STOPPED, start it by typing net start csagent and pressing Enter.

Method 2: Verify via Control Panel

  1. Open Control Panel and go to Programs and Features.
  2. Look for CrowdStrike Falcon Sensor in the installed programs list.
  3. If it is listed, the sensor is installed.

Method 3: Check Connection to the Falcon Console

  1. Log into the CrowdStrike Falcon Console at https://falcon.crowdstrike.com.
  2. Click Hosts > Host Management.
  3. Search for the computer name.
  4. If the device appears and shows as Connected, the sensor is functioning properly.

Checking the Falcon Sensor on macOS

Method 1: Verify via Terminal

  1. Open Terminal (Command + Space, type “Terminal”, and press Enter).
  2. Type sudo /Applications/Falcon.app/Contents/Resources/falconctl stats and press Enter.
  3. Look for the message “Sensor operational: true”.
  4. If the sensor is not running, restart it by typing sudo launchctl load /Library/LaunchDaemons/com.crowdstrike.falcon.Agent.plist and pressing Enter.

Method 2: Check Falcon Sensor in System Preferences

  1. Open System Settings (or System Preferences on older macOS versions).
  2. Go to Privacy & Security > Full Disk Access.
  3. Ensure CrowdStrike Falcon Sensor has the required permissions.

Method 3: Check Connection to the Falcon Console

  1. Log into the Falcon Console at https://falcon.crowdstrike.com.
  2. Click Hosts > Host Management.
  3. Search for your Mac’s hostname or serial number.
  4. If the device appears as Connected, the Falcon Sensor is working.

Checking the Falcon Sensor on Linux

Method 1: Verify the Sensor Service

  1. Open Terminal.
  2. Type sudo systemctl status falcon-sensor and press Enter.
  3. If the output shows Active (running), the sensor is operational.
  4. If the sensor is not running, start it by typing sudo systemctl start falcon-sensor and pressing Enter.

Method 2: Check Sensor Version and Status

  1. Open Terminal.
  2. Type sudo falconctl stats and press Enter.
  3. Look for the message “Sensor operational: true”.

Method 3: Verify Connection to Falcon Console

  1. Log into the Falcon Console at https://falcon.crowdstrike.com.
  2. Click Hosts > Host Management.
  3. Search for the hostname or IP address of your Linux machine.
  4. If the device appears as Connected, the Falcon Sensor is working properly.

Troubleshooting Sensor Issues

1. Sensor is Installed but Not Running

  • Restart the system and run the verification steps again.
  • Check Windows Services, macOS System Extensions, or Linux systemctl logs to ensure the service is not blocked.

2. Sensor Not Reporting to the Falcon Console

  • Ensure the endpoint has an active internet connection.
  • Type ping ts01-b.cloudsink.net in Command Prompt or Terminal and check if it responds. If the ping fails, check firewall or proxy settings.

3. Service Fails to Start

  • On Windows, type net start csagent in Command Prompt.
  • On macOS, type sudo launchctl load /Library/LaunchDaemons/com.crowdstrike.falcon.Agent.plist in Terminal.
  • On Linux, type sudo systemctl restart falcon-sensor in Terminal.
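The local checks above (sc query csagent, falconctl stats, systemctl status falcon-sensor) can be scripted for use across many endpoints. The following is an added example, not CrowdStrike's code or part of the original guide. The names classify and check_local are hypothetical, the sample outputs are constructed, and the script is assumed to run from an elevated or root session.

```python
import platform
import re
import subprocess

# Commands from the guide, keyed by platform.system(). Run elevated/root.
COMMANDS = {
    "Windows": ["sc", "query", "csagent"],
    "Darwin": ["/Applications/Falcon.app/Contents/Resources/falconctl", "stats"],
    "Linux": ["systemctl", "status", "falcon-sensor"],
}

# The healthy marker the guide names for each command. The Windows and Linux
# patterns are anchored to the status line so unrelated text (for example the
# log lines systemctl prints under the status) cannot produce a false match.
HEALTHY = {
    "Windows": re.compile(r"^\s*STATE\s*:\s*\d+\s+RUNNING\b", re.MULTILINE),
    "Darwin": re.compile(r"Sensor operational:\s*true\b", re.IGNORECASE),
    "Linux": re.compile(r"^\s*Active:\s*active \(running\)", re.MULTILINE),
}


def classify(system: str, output: str) -> str:
    """Return 'running' or 'not running' for one command's output."""
    if system not in HEALTHY:
        raise ValueError(f"unsupported platform: {system}")
    return "running" if HEALTHY[system].search(output) else "not running"


def check_local() -> str:
    """Run this platform's command from the guide and classify its output."""
    system = platform.system()
    if system not in COMMANDS:
        raise ValueError(f"unsupported platform: {system}")
    try:
        proc = subprocess.run(COMMANDS[system], capture_output=True,
                              text=True, timeout=30)
    except FileNotFoundError:
        return "command not found"  # e.g. falconctl absent on macOS
    return classify(system, proc.stdout)


# Constructed sample outputs (not captured from a real host).
SAMPLE_WINDOWS = "SERVICE_NAME: csagent\n        STATE              : 4  RUNNING\n"
SAMPLE_LINUX_DEAD = ("   Active: inactive (dead)\n"
                     "Jan 01 00:00:00 host falcond[1]: sensor was running\n")

if __name__ == "__main__":
    print(check_local())
```

A "running" result only confirms the local service state; the Falcon Console check under Method 3 is still needed to confirm the host is reporting.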