Collect Agent Performance Logs
search cancel

Collect Agent Performance Logs


Article ID: 286081


Updated On:


Carbon Black App Control (formerly Cb Protection)


Steps to collect App Control Agent logs for performance cases.


  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • macOS: All Supported Versions
  • Linux: All Supported Versions


Step 1: Gather Relevant Background Information

  • Date/Time performance issue started occurring (did any change precede the start of it?)
  • Actions being performed when performance is degraded
  • Is the performance associated with a specific application? (If yes, what is the application name?).
  • Does the vendor of the application have a recommended exclusion list and has it been implemented?
  • Any paths/processes known to be associated with the application
  • Are there any blocks seen locally or within the App Control console during the performance issue?
  • Are results the same if the Agent is stopped and unloaded?
  • What is the time difference with Agent stopped & unloaded vs fully operational (enabled)?


Step 2: Gather the Logs


  1. Open an administrative command prompt
  2. Issue the commands:
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli password GlobalCLIPassword
    dascli setconfigprop max_rolling_trace_size_mb=0
    dascli resetcounters
    dascli flushlogs
    dascli tamperprotect 0
    dascli debuglevel 6
    dascli kerneltrace 4 -1
    dascli nettrace 1
    dascli diagnostics +performance
  3. Start a Procmon capture
  4. Collect 5-10 mins of data during the ongoing performance issue.
  5. Stop the Procmon capture and save "All Events" as a PML file.
  6. In the administrative command prompt execute the following commands to capture and reduce the logging levels to normal:
    dascli capture "%userprofile%\Desktop\"
    dascli password GlobalCLIPassword
    dascli setconfigprop max_rolling_trace_size_mb=50
    dascli debuglevel 0
    dascli kerneltrace 2
    dascli nettrace 0
    dascli diagnostics -performance
    dascli tamperprotect 1
  7. Upload all collected data.


  1. Open Terminal
  2. Issue the commands:
    cd /Applications/Bit9/Tools
    ./b9cli --password 'GlobalCLIPassword'
    ./b9cli --resetcounters
    ./b9cli --flushlogs
    ./b9cli --debuglevel 4
    ./b9cli --kerneltrace 4
    ./b9cli --nettrace 1
  3. Open the macOS Activity Monitor (Applications > Utilities > Activity Monitor).
  4. Click View > Update Frequency > Often (2 sec)
  5. Collect 5-10 mins of data during the ongoing performance issue.
  6. Return to Activity Monitor, and double click the process with the performance issue. Click Sample.
  7. Once the Sample completes choose "Save" to export the results.
  8. In Terminal, capture the Agent Logs and return logging to defaults:
    ./b9cli --capture ~/Desktop/`Hostname`
    ./b9cli --password 'GlobalCLIPassword'
    ./b9cli --debuglevel 0
    ./b9cli --kerneltrace 2
    ./b9cli --nettrace 0
  9. Collect System Logs
    system_profiler -detailLevel full > ~/Desktop/sysinfo.txt
    tar -cvf ~/Desktop/`hostname`-DiagnosticReports.tar /Library/Logs/DiagnosticReports
  10. Upload all collected data.


    1. Open Terminal and issue the following commands:
      cd /opt/bit9/bin
      ./b9cli --password GlobalCLIPassword
      ./b9cli --resetcounters
      ./b9cli --flushlogs
      ./b9cli --debuglevel 4
      ./b9cli --kerneltrace 4
      ./b9cli --nettrace 1
    2. Collect 5-10 minutes of data during the ongoing performance issues.
    3. Download the attached "" script.
    4. Extract and execute the script.
      • If the endpoint is in a Medium or High Enforcement Policy the "" script will need to be granted an Approval prior to execution.
      • If the execution of the script gives you an invalid character output, you may need to clean the sh file by running the command below, then executing the script again:
        cat | col -bf >
    5. Once completed, collect the resulting "/tmp/cbp-linux-sys-info.tgz" file.
    6. Take a snapshot of the running b9daemon process using the gcore command (gcore is included with gdb which you may need to install).
      gcore 'pidof b9daemon'
    7. Capture and stop debug logging:
      sudo ./b9cli --capture /var/tmp/$
      ./b9cli --password GlobalCLIPassword
      ./b9cli --debuglevel 0
      ./b9cli --kerneltrace 2
      ./b9cli --nettrace 0
    8. Collect the System Logs.
      sudo tar cvfz /var/tmp/$HOSTNAME-SystemLogs.tgz /var/log
    9. After collection has completed, stop the Agent
    10. Reproduce issue again with the TOP command:
      top -c -n 10 -d 5 >> /var/tmp/$HOSTNAME-top_output.txt
    11. While the Agent is shutdown & unloaded, collect a FAPREDEP capture.
    12. Upload all collected data.

Attachments get_app