Carbon Black Cloud: How to collect Mac Sensor logs via Live Response

Article ID: 285286

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

How do I collect Mac sensor logs remotely via Live Response?

Environment

  • Carbon Black Cloud: All Versions
  • Apple macOS: All Supported Versions
  • Endpoint Standard Sensor: 3.1.x.x or higher
  • Live Response enabled

Resolution

3.5.x.x Sensor and Higher
  1. Open a new Live Response window and type the following:
     exec sudo /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS/repcli capture <Uninstall_Code> <Destination_Directory>

     Example:
     exec sudo /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS/repcli capture XXXXXXX /tmp
  2. The Cb Defense log zip file will be written to the specified directory.
  3. Use Live Response to download the log zip file. The downloaded filename will be formatted ffffffff-ffff-ffff-ffff-ffffffff (where each f is a hexadecimal digit).
     get <Destination_Directory>/confer.zip

     Example:
     get /tmp/confer.zip

3.1.x.x - 3.4.x.x Sensor
  1. Open a new Live Response window and type the following:
     cd /users/shared
     execfg sudo /Applications/Confer.app/uninstall -l <UNINSTALL_CODE> -d <Destination_Directory>
  2. The Cb Defense log zip file will be written to the specified directory.
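Because Live Response saves the downloaded archive under a hexadecimal GUID-style name rather than confer.zip (step 3 of the 3.5.x.x procedure above), an analyst who collects logs from several endpoints ends up with a folder of opaque names. The following helper is an added example, not part of the article or of Carbon Black's own tooling: it checks that each GUID-named file is really an intact zip archive before renaming it to a recognisable confer-<hostname>-<guid>.zip, and leaves anything that fails the check untouched. The GUID pattern, the sample archive contents and the hostname label are assumptions constructed for the example.

```python
"""Validate and rename Carbon Black Cloud sensor log archives downloaded via Live Response.

Added example (not from the KB article): the downloaded file carries a GUID-style name,
so confirm it is a sound ZIP archive before giving it an analyst-friendly name.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption: downloaded files use the dash-separated hexadecimal name described in the
# article; group lengths are left flexible rather than pinned to one layout.
GUID_NAME = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4,12})+$")


def classify_download(path: Path) -> dict:
    """Report on one downloaded file: GUID-style name?, valid zip?, member names, CRC failure."""
    report = {
        "path": str(path),
        "guid_name": bool(GUID_NAME.match(path.name)),
        "is_zip": False,
        "entries": [],
        "bad_entry": None,
    }
    if not path.is_file() or not zipfile.is_zipfile(path):
        return report
    with zipfile.ZipFile(path) as zf:
        report["is_zip"] = True
        report["entries"] = zf.namelist()
        # testzip() returns the first member with a bad CRC, or None when all members check out
        report["bad_entry"] = zf.testzip()
    return report


def rename_sensor_logs(download_dir: Path, hostname: str) -> list:
    """Rename every GUID-named, intact ZIP in download_dir to confer-<hostname>-<guid>.zip.

    Files that are not valid archives (or not GUID-named) are left alone so that nothing
    gets mislabelled as a sensor log bundle. Returns the list of new paths.
    """
    renamed = []
    for path in sorted(download_dir.iterdir()):
        report = classify_download(path)
        if not (report["guid_name"] and report["is_zip"] and report["bad_entry"] is None):
            continue
        target = path.with_name(f"confer-{hostname}-{path.name}.zip")
        path.rename(target)
        renamed.append(target)
    return renamed


def make_sample_download_dir(base: Path = None) -> Path:
    """Build a constructed download folder (sample data, not a real sensor capture):
    one valid archive under a GUID-style name, one non-zip file under a GUID-style name,
    and one unrelated text file."""
    if base is None:
        base = Path(tempfile.mkdtemp()) / "downloads"
    base.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(base / "0123abcd-4567-89ef-0123-4567abcd", "w") as zf:
        zf.writestr("confer/sensor.log", "constructed sample log line\n")
        zf.writestr("confer/version.txt", "3.5.x.x\n")
    (base / "deadbeef-0000-1111-2222-33334444").write_text("not an archive\n")
    (base / "notes.txt").write_text("analyst notes\n")
    return base


if __name__ == "__main__":
    folder = make_sample_download_dir()
    for new_path in rename_sensor_logs(folder, "mac-host-01"):
        print("renamed:", new_path.name, classify_download(new_path)["entries"])
```

Run it against the real download folder by calling rename_sensor_logs(Path("~/Downloads").expanduser(), "<hostname>") after the get command completes; the CRC check via testzip() catches a partially transferred archive before it is filed away.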