Collect Server Diagnostic Logs for Sensor Communication Issues (Linux)


Article ID: 286249


Updated On:


Carbon Black EDR (formerly Cb Response)


How to collect diagnostics from an EDR server to troubleshoot EDR Linux sensor connection and communication issues. These steps are useful for issues where:

  • Sensor fails to register
  • Sensor does not show in the console
  • Sensor no longer connects


  • EDR Server: All Supported Versions
  • Linux: All Supported Versions



  1. Run this command on an affected machine as root or superuser (replacing <EDR_Server_IP> with the IP address of your EDR Server host):
    sudo tcpdump port 443 and host <EDR_Server_IP> -w /tmp/EDR_sensor_connection.pcap
  2. If the tcpdump tool is not available on Red Hat based Linux, install it:
    yum install tcpdump
  3. Initiate an immediate Linux sensor force check-in to the EDR Server by issuing this command in the terminal as root (via su); it sends the SIGUSR1 signal to cbdaemon:
    sudo kill -n 10 $(pidof cbdaemon)
  4. Stop the tcpdump capture (Ctrl+C) and collect the packet capture.
  5. Collect Linux sensor diagnostic data by issuing this command:
    sudo /opt/carbonblack/response/bin/
  6. Send server diagnostics to the support team for further analysis. For clustered environments, send these files for the primary and all relevant secondary nodes. Run this command via terminal/SSH:
    /usr/share/cb/cbdiag --post
  7. Provide the following information in the case:
    1) Is this a newly installed sensor?
    2) Are the kernel headers installed if the kernel version is 4.4+?
    3) Is the connection going through a proxy? What is the proxy address for troubleshooting?
    4) What is the IP address of the Sensor and Server?

Additional Information

  • Common sensor communication error messages? (HRESULT)
  • HRESULT errors can be found in the SensorComms.log
  • Common causes of connection issues:
    • SSL Inspection (unsupported)
    • Misconfigured Proxy
    • Misconfigured Firewall
    • Misconfigured VDI support
    • Sensor Service is not running
    • Custom WebUI port is being used instead of the Sensor Comm port
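
An added example (not part of the original article or the vendor's tooling): a minimal Python reader for the capture written in steps 1 to 4 that counts the TCP handshake flags and TLS record types exchanged with the server on port 443. The addresses, ports and packets in `SAMPLE` are constructed, `triage_pcap` and `pcap_record` are hypothetical names, and the TLS check is a heuristic that only sees records starting at a segment boundary.

```python
import struct

TLS_TYPES = {0x15: "tls_alert", 0x16: "tls_handshake", 0x17: "tls_appdata"}

def triage_pcap(data, server_ip, port=443):
    """Count TCP/TLS events to or from server_ip:port in a classic Ethernet pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    server = (bytes(int(octet) for octet in server_ip.split(".")), port)
    stats = dict.fromkeys(["syn", "syn_ack", "rst", *TLS_TYPES.values()], 0)
    off = 24  # first record follows the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        pkt, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # keep IPv4/TCP only; VLAN-tagged frames are not handled
        ip_len = struct.unpack("!H", pkt[16:18])[0] or len(pkt) - 14
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:14 + ip_len]  # drops Ethernet padding
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        if server not in ((pkt[26:30], sport), (pkt[30:34], dport)):
            continue  # not a conversation with the EDR server port
        flags, payload = tcp[13], tcp[(tcp[12] >> 4) * 4:]
        if flags & 0x04:
            stats["rst"] += 1
        if flags & 0x02:
            stats["syn_ack" if flags & 0x10 else "syn"] += 1
        # Heuristic: segment begins with a TLS record header (type, major version 3)
        if len(payload) >= 5 and payload[1] == 3 and payload[0] in TLS_TYPES:
            stats[TLS_TYPES[payload[0]]] += 1
    return stats

def pcap_record(src, dst, sport, dport, flags, payload=b""):
    """Build one constructed Ethernet/IPv4/TCP frame wrapped in a pcap record."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    pkt = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

SENSOR, SERVER = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])  # constructed addresses
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # constructed capture
          + pcap_record(SENSOR, SERVER, 40000, 443, 0x02)             # SYN
          + pcap_record(SERVER, SENSOR, 443, 40000, 0x12)             # SYN-ACK
          + pcap_record(SENSOR, SERVER, 40000, 443, 0x18, b"\x16\x03\x01\x00\x00")  # handshake
          + pcap_record(SERVER, SENSOR, 443, 40000, 0x18, b"\x15\x03\x03\x00\x02\x02\x28"))  # alert
```

Reading the counters is general TCP/TLS behaviour rather than vendor guidance: SYNs with no SYN-ACK mean nothing answered on port 443, and a `tls_alert` right after `tls_handshake` means one side rejected the TLS session.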