Generate Server Diagnostic Logs for On-Prem (i.e., CBDiags)
Article ID: 285214
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Generate a server-side cbdiag report from any EDR server (Primary or Secondary) and send it to Carbon Black for troubleshooting.
Environment
- EDR: All versions
- On-Prem Installation
Resolution
WARNING: Verify there is sufficient disk space before running this command
RPM Version
- Log into the command line interface (CLI) of the Primary Server, and if needed the Secondary Server.
- Change directory to a partition with sufficient available disk space.
- Run:
sudo /usr/share/cb/cbdiag
- The diags will write to the current working directory. Upload the cbdiag*.zip to the case.
- Once uploaded, delete the file from the server in the same directory the command was run
rm cbdiag*.zip
- Repeat these steps for all Primary and Minion Servers as needed.
Container Version
- Execute the cbdiag utility
./edr-docker exec cbdiag - Pull the cbdiag*.zip into the host machine
docker exec carbonblack-edr /bin/sh -c 'tar -cf - /cbdiag*.zip' | tar -xvf - - Attach the cbdiag*.zip to the case.
- Repeat these steps for all Primary and Minion Servers as needed
Additional Information
- The Server may become unresponsive if there is not enough disk space. /tmp is used as a working directory to gather the report. If /tmp does not have enough space, specify alternative working directory:
sudo /usr/share/cb/cbdiag --tmpdir=/new/temp/directory
- Completed reports are saved in the current working directory. The report must be manually deleted once uploaded
- Required disk space will vary depending on the amount of data and logs.
- The resulting cbdiag report will be automatically uploaded to Carbon Black's servers for troubleshooting purposes when using the --post flag.
- To reduce the size of logs, limit the number of days to collect using the --no-old-logs flag
sudo /usr/share/cb/cbdiag --no-old-logs=1
Feedback
Yes
No
Powered by
