EDR: How to Collect Diagnostic Logs for Sensor Communication Issues (Linux)
Article ID: 286249

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to Collect Diagnostics for Linux Sensor Connection and Communication Issues:

  • Sensor fails to register
  • Sensor does not show in the console
  • Sensor no longer connects

Environment

  • EDR: All Supported Versions
  • Linux: All Supported Versions

Resolution

  1. Run this command on an affected machine as root or with sudo (replace <EDR_Server_IP> with the EDR server's IP address; the capture options must precede the filter expression, and the two filter terms are joined with "and"):
    sudo tcpdump -w /tmp/EDR_sensor_connection.pcap port 443 and host <EDR_Server_IP>
  2. If the tcpdump tool is not available on RedHat-based Linux, install it first:
    sudo yum install tcpdump
  3. Force an immediate check-in of the Linux sensor to the EDR server by sending SIGUSR1 to the sensor process. Issue this command in a terminal as root (via sudo or su):
    sudo kill -s USR1 $(pidof cbdaemon)
  4. Stop the tcpdump capture (Ctrl+C) and collect the packet capture file (/tmp/EDR_sensor_connection.pcap).
  5. Generate the Linux sensor diagnostic data by issuing this command:
    sudo /opt/carbonblack/response/bin/sensordiag.sh
  6. Upload the tcpdump capture and the sensor diagnostics to CBVault.
  7. Send server diagnostics; for clustered environments, send them from the master and all minions. Run this command via a terminal or SSH session (Support will collect this for Hosted EDR customers):
    /usr/share/cb/cbdiag --post
  8. Add the following information to the case and let the support engineer know the logs have been uploaded:
    1) Is this a newly installed sensor?
    2) Are the kernel headers installed if the kernel version is 4.4+?
    3) Is the connection going through a proxy? If so, what is the proxy address, for troubleshooting?
    4) What are the IP addresses of the sensor and the server?
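The sensor-side steps above (capture, forced check-in, sensordiag, kernel-header check for question 2) wrapped into one script, as an added example that is not from the article or from Carbon Black. It assumes tcpdump and pidof are installed, uses only the sensor paths named in the article, and the https_proxy line is an assumption that covers environment-level proxy settings only.

```shell
#!/bin/sh
# Added example (not part of the Carbon Black article).
# Usage: sudo ./edr_sensor_diag.sh <EDR_Server_IP>

PCAP=/tmp/EDR_sensor_connection.pcap
SENSORDIAG=/opt/carbonblack/response/bin/sensordiag.sh   # path from the article

# Exit 0 when the kernel release in $1 is 4.4 or newer, the range for which
# the article asks whether kernel headers are installed.
kernel_needs_headers() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 4 ]; }
}

# Headers are usable when the build link for the running kernel exists.
# $1 = kernel release, $2 = modules root (defaults to /lib/modules).
kernel_headers_present() {
    [ -d "${2:-/lib/modules}/$1/build" ]
}

# Capture sensor traffic to the server while forcing a check-in (SIGUSR1),
# i.e. the article's steps 1, 3 and 4 in one go.
capture_checkin() {
    server="$1"
    tcpdump -w "$PCAP" port 443 and host "$server" &
    tcpdump_pid=$!
    sleep 2                                  # let tcpdump attach first
    kill -s USR1 "$(pidof cbdaemon)"         # step 3: force check-in
    sleep 30                                 # give the sensor time to connect
    kill -s INT "$tcpdump_pid"; wait "$tcpdump_pid" 2>/dev/null || true
}

if [ "$#" -ge 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    capture_checkin "$1"
    "$SENSORDIAG"                            # step 5: sensor diagnostics
    rel=$(uname -r)
    if kernel_needs_headers "$rel"; then
        if kernel_headers_present "$rel"; then echo "kernel headers: present ($rel)"
        else echo "kernel headers: MISSING for $rel"; fi
    fi
    # Assumption: only the environment proxy is inspected here.
    echo "proxy (environment): ${https_proxy:-none}"
    echo "Upload $PCAP and the sensordiag output to CBVault"
fi
```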

Additional Information