Carbon Black Cloud: How to collect Mac Sensor logs via Live Response
Article ID: 285286
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
How do I collect MAC logs remotely via Live Response?
Environment
- Carbon Black Cloud: All Versions
- Apple macOS: All Supported Versions
- Endpoint Standard Sensor: 3.1.x.x or higher
- Live Response enabled
Resolution
3.5.x.x Sensor and Higher
1. Open a new Live Response Window and type the following.
3. Use Live Response to download the log zip file. The downloaded filename will be formatted ffffffff-ffff-ffff-ffff-ffffffff (where f is hexadecimal value).
3.1.x.x - 3.4.x.x Sensor
1. Open a new Live Response Window and type the following.
exec sudo /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS/repcli capture <Uninstall_Code> <Destination_Directory> Example: exec sudo /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS/repcli capture XXXXXXX /tmp2. Cb Defense log zip file will be written to the specified directory.
3. Use Live Response to download the log zip file. The downloaded filename will be formatted ffffffff-ffff-ffff-ffff-ffffffff (where f is hexadecimal value).
get <Destination_Directory>/confer.zip Example: get /tmp/confer.zip
3.1.x.x - 3.4.x.x Sensor
- Open a new Live Response Window and type the following.
cd /users/shared execfg sudo /Applications/Confer.app/uninstall -l <UNINSTALL_CODE> -d <Destination_Directory>
- Cb Defense log zip file will be written to the specified directory.
Feedback
Yes
No
Powered by
