Collect Server Diagnostic Logs for Sensor Communication Issues (Linux)
Article ID: 286249
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How to collect diagnostics from an EDR server in order to troubleshoot EDR Linux sensor connection and communication issues. These steps are useful for issues where:
Sensor fails to register
Sensor does not show in the console
Sensor no longer connects
Environment
EDR Server: All Supported Versions
Linux: All Supported Versions
Resolution
Run this command on the affected machine as root or a super user (replacing <EDR_Server_IP> with the IP address of your EDR server; the two filter terms must be joined with "and", otherwise tcpdump rejects the expression):
sudo tcpdump port 443 and host <EDR_Server_IP> -w /tmp/EDR_sensor_connection.pcap
If the tcpdump tool is not available on a RedHat-based Linux system, install it:
yum install tcpdump
Initiate an immediate Linux sensor force check-in to the EDR server by sending the SIGUSR1 signal (signal number 10) to cbdaemon. Issue this command in the terminal as root (or via su):
sudo kill -n 10 $(pidof cbdaemon)
Stop the tcpdump capture (Ctrl+C) and collect the packet capture file.
Collect Linux sensor diagnostic data by issuing this command:
sudo /opt/carbonblack/response/bin/sensordiag.sh
Send the server diagnostics to the support team for further analysis. For clustered environments, send these files for the primary and all relevant secondary nodes. Run this command on the server via terminal/ssh:
/usr/share/cb/cbdiag --post
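The sensor-side steps above (capture, forced check-in, sensor diagnostics) combined into one script, as an added example that is not part of this article or of the Carbon Black product: it keeps tcpdump running while the forced check-in happens, and fails early if cbdaemon is not running, which the bare one-liner only reports as a confusing kill error. It assumes Linux, root, tcpdump, and the sensor paths named in the article; the helper names and the IP values are constructed. The server-side cbdiag run is still done separately.

```shell
#!/bin/sh
# Added example (not from the KB article). Usage, on the affected Linux
# machine: sudo ./collect.sh <EDR_Server_IP> [output.pcap]
# Assumes tcpdump, pidof and the article's sensor paths are present.
set -u

# BPF filter for the capture. Both terms must be joined with "and";
# "port 443 host X" is a tcpdump syntax error.
bpf_filter_for() {
    printf 'port 443 and host %s' "$1"
}

# Coarse dotted-quad check (digits and exactly three dots, no empty
# octets) so a placeholder or typo is caught before the capture starts.
looks_like_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    dots=$(printf '%s' "$1" | tr -cd . | wc -c)
    [ $dots -eq 3 ]
}

collect_sensor_capture() {
    server_ip=$1
    pcap=${2:-/tmp/EDR_sensor_connection.pcap}

    looks_like_ipv4 "$server_ip" || { echo "bad server IP: $server_ip" >&2; return 1; }
    command -v tcpdump >/dev/null || { echo "tcpdump missing (yum install tcpdump)" >&2; return 1; }

    # pidof exits non-zero when no cbdaemon process exists; the article's
    # "kill -n 10 $(pidof cbdaemon)" would then fail with an empty PID list.
    pids=$(pidof cbdaemon) || { echo "cbdaemon is not running" >&2; return 1; }

    tcpdump -n "$(bpf_filter_for "$server_ip")" -w "$pcap" &
    tcpdump_pid=$!
    sleep 2                     # let tcpdump attach before forcing traffic

    kill -USR1 $pids            # SIGUSR1 (signal 10): force an immediate check-in
    sleep 30                    # give the sensor time to finish the exchange

    kill -INT "$tcpdump_pid"    # equivalent to Ctrl+C in the article
    wait "$tcpdump_pid"
    echo "capture written to $pcap"

    /opt/carbonblack/response/bin/sensordiag.sh
}

if [ $# -ge 1 ]; then collect_sensor_capture "$@"; fi
```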
Provide the following information in the case:
1) Is this a newly installed sensor?
2) Are the kernel headers installed if the kernel version is 4.4+?
3) Is the connection going through a proxy? What is the proxy address for troubleshooting?
4) What is the IP address of the Sensor and Server?