
Check CrowdStrike Falcon Sensor Status: Verify Sensor Running (Windows/Mac/Linux)

Verify CrowdStrike Falcon sensor is running with step-by-step commands for Windows (sc query csagent), Mac (falconctl stats), and Linux (systemctl status falcon-sensor). Check sensor version, service status, and troubleshoot connectivity issues.

5 min read | Updated January 2025

Ensuring the CrowdStrike Falcon Sensor is running properly on your endpoints is essential for maintaining security. This guide provides simple verification steps for Windows, macOS, and Linux to confirm that the sensor is installed, active, and communicating with the CrowdStrike Falcon Console.


Checking the Falcon Sensor on Windows

Method 1: Verify via Command Prompt

  1. Open Command Prompt by pressing Win + R, typing cmd, and pressing Enter.
  2. Type sc query csagent and press Enter.
  3. If the STATE shows RUNNING, the Falcon Sensor is active. If it is STOPPED, start it by typing net start csagent and pressing Enter.

Method 2: Verify via Control Panel

  1. Open Control Panel and go to Programs and Features.
  2. Look for CrowdStrike Falcon Sensor in the installed programs list.
  3. If it is listed, the sensor is installed.

Method 3: Check Connection to the Falcon Console

  1. Log into the CrowdStrike Falcon Console at https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (the URL varies by tenant).
  2. Click Hosts > Host Management.
  3. Search for the computer name.
  4. If the device appears and shows as Connected, the sensor is functioning properly.

Checking the Falcon Sensor on macOS

Method 1: Verify via Terminal

  1. Open Terminal (Command + Space, type “Terminal”, and press Enter).
  2. Type sudo /Applications/Falcon.app/Contents/Resources/falconctl stats and press Enter.
  3. Look for the message “Sensor operational: true”.
  4. If the sensor is not running, restart it by typing sudo launchctl load /Library/LaunchDaemons/com.crowdstrike.falcon.Agent.plist and pressing Enter.

Method 2: Check Falcon Sensor in System Preferences

  1. Open System Settings (or System Preferences on older macOS versions).
  2. Go to Privacy & Security > Full Disk Access.
  3. Ensure CrowdStrike Falcon Sensor has the required permissions.

Method 3: Check Connection to the Falcon Console

  1. Log into the Falcon Console at https://falcon.crowdstrike.com.
  2. Click Hosts > Host Management.
  3. Search for your Mac’s hostname or serial number.
  4. If the device appears as Connected, the Falcon Sensor is working.

Checking the Falcon Sensor on Linux

Method 1: Verify the Sensor Service

  1. Open Terminal.
  2. Type sudo systemctl status falcon-sensor and press Enter.
  3. If the output shows Active: active (running), the sensor is operational.
  4. If the sensor is not running, start it by typing sudo systemctl start falcon-sensor and pressing Enter.

Method 2: Check Sensor Version and Status

  1. Open Terminal.
  2. Type sudo falconctl stats and press Enter.
  3. Look for the message “Sensor operational: true”.

Method 3: Verify Connection to Falcon Console

  1. Log into the Falcon Console at https://falcon.crowdstrike.com.
  2. Click Hosts > Host Management.
  3. Search for the hostname or IP address of your Linux machine.
  4. If the device appears as Connected, the Falcon Sensor is working properly.
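The local checks from each platform's Method 1 can be scripted so the same pass/fail logic runs on every endpoint. The following is an added example, not CrowdStrike's or this guide's own code: it runs the command given above for the current OS and matches the healthy marker only on its own line. The function names and the sample outputs are constructed for illustration.

```python
import platform
import re
import subprocess

# Check commands exactly as given in the steps above (run elevated: sudo / admin).
COMMANDS = {
    "Windows": ["sc", "query", "csagent"],
    "Darwin": ["/Applications/Falcon.app/Contents/Resources/falconctl", "stats"],
    "Linux": ["systemctl", "status", "falcon-sensor"],
}
# Healthy marker per platform, anchored to its own line so that stray text
# (for example a log line containing "running") cannot produce a false pass.
HEALTHY = {
    "Windows": re.compile(r"^\s*STATE\s*:\s*\d+\s+RUNNING\b", re.M),
    "Darwin": re.compile(r"^\s*Sensor operational:\s*true\s*$", re.M | re.I),
    "Linux": re.compile(r"^\s*Active:\s*active \(running\)", re.M),
}

def sensor_running(os_name: str, output: str) -> bool:
    """True only if output carries the healthy marker for os_name."""
    if os_name not in HEALTHY:
        raise ValueError(f"unsupported platform: {os_name!r}")
    return bool(HEALTHY[os_name].search(output))

def check_local() -> bool:
    """Run this host's check command and interpret what it printed."""
    os_name = platform.system()
    if os_name not in COMMANDS:
        raise ValueError(f"unsupported platform: {os_name!r}")
    try:
        proc = subprocess.run(COMMANDS[os_name], capture_output=True,
                              text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return False  # binary missing (sensor not installed) or command hung
    return sensor_running(os_name, proc.stdout)

# Constructed sample outputs for illustration; not captured from a real host.
SAMPLE_SC_STOPPED = (
    "SERVICE_NAME: csagent\n"
    "        STATE              : 1  STOPPED\n"
    "        WIN32_EXIT_CODE    : 0  (0x0)\n"
)
SAMPLE_SYSTEMCTL_FAILED = (
    "falcon-sensor.service\n"
    "     Active: failed (Result: exit-code)\n"
    "Jan 06 09:12:44 host01 falcon-sensor[812]: was running\n"
)

if __name__ == "__main__":
    print("Falcon sensor running:", check_local())
```

A True result only confirms the local service state; whether the host shows as Connected still has to be checked in the Falcon Console as described in Method 3.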

Troubleshooting Sensor Issues

1. Sensor is Installed but Not Running

  • Restart the system and run the verification steps again.
  • Check Windows Services, macOS System Extensions, or Linux systemctl logs to ensure the service is not blocked.

2. Sensor Not Reporting to the Falcon Console

  • Ensure the endpoint has an active internet connection.
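  • Type ping ts01-b.cloudsink.net in Command Prompt or Terminal and check if it responds. If the ping fails, check firewall or proxy settings. Keep in mind that a failed ping is not conclusive on networks that filter ICMP, because the sensor itself connects to the cloud over TLS on TCP port 443.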

3. Service Fails to Start

  • On Windows, type net start csagent in Command Prompt.
  • On macOS, type sudo launchctl load /Library/LaunchDaemons/com.crowdstrike.falcon.Agent.plist in Terminal.
  • On Linux, type sudo systemctl restart falcon-sensor in Terminal.

Frequently Asked Questions


To verify that the Falcon Sensor is actively reporting, log into the CrowdStrike Falcon Console at https://falcon.crowdstrike.com. Navigate to Hosts > Host Management and search for the hostname or IP address of your endpoint. If the device appears as 'Connected', the sensor is functioning correctly. If not, check your internet connection by pinging ts01-b.cloudsink.net. If the ping fails, investigate your firewall or proxy settings, as they may be blocking communication.
