Collect Server Diagnostic Logs for Sensor Communication Issues (Linux)

Article ID: 286249


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to collect diagnostics from an EDR server in order to troubleshoot EDR Linux sensor connection and communication issues. These steps apply to cases where:

  • Sensor fails to register
  • Sensor does not show in the console
  • Sensor no longer connects

Environment

  • EDR Server: All Supported Versions
  • Linux: All Supported Versions

Resolution

  1. Run this command on an affected machine as root or via sudo, replacing <EDR_Server_IP> with the IP address of the EDR server (the filter needs "and" between the two primitives, and the output option goes before the filter):
    sudo tcpdump -w /tmp/EDR_sensor_connection.pcap port 443 and host <EDR_Server_IP>
  2. If tcpdump is not installed (RedHat-based Linux):
    yum install tcpdump
  3. Force an immediate Linux sensor check-in to the EDR server by sending SIGUSR1 (signal 10) to cbdaemon. Run this command in a terminal as root:
    sudo kill -n 10 $(pidof cbdaemon)
  4. Stop the tcpdump capture (Ctrl+C) and collect the packet capture file.
  5. Generate the Linux sensor diagnostic data by running this command:
    sudo /opt/carbonblack/response/bin/sensordiag.sh
  6. Send server diagnostics to the support team for further analysis. For clustered environments, send these files for the primary and all relevant secondary nodes. Run this command on the EDR server via terminal/ssh:
    /usr/share/cb/cbdiag --post
  7. Provide the following information in the case:
    1) Is this a newly installed sensor?
    2) Are the kernel headers installed, if the kernel version is 4.4+?
    3) Is the connection going through a proxy? If so, what is the proxy address?
    4) What are the IP addresses of the sensor and the server?
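An added helper (example code, not from the article or from Carbon Black) that strings steps 1, 3 and 4 together so the packet capture and the forced check-in happen in one run. It assumes an IPv4 server address, a 30-second default capture window, the pcap path used above, and that it is run as root.

```sh
#!/bin/sh
# Added example (not part of the article or the product): wraps steps 1-4
# into one helper. Assumed: IPv4 server address, a capture window in seconds
# (default 30), the pcap path from the article, and running as root.

PCAP=/tmp/EDR_sensor_connection.pcap

# Return 0 only if $1 is a dotted-quad IPv4 address with octets in 0-255.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _rest=$1. _n=0
  while [ -n "$_rest" ]; do
    _o=${_rest%%.*}; _rest=${_rest#*.}
    [ "$_o" -le 255 ] || return 1
    _n=$((_n + 1))
  done
  [ "$_n" -eq 4 ]
}

# BPF filter for step 1: keep only port-443 traffic to/from the EDR server.
capture_filter() {
  printf 'port 443 and host %s' "$1"
}

# Steps 1, 3 and 4 in sequence: start tcpdump, force a check-in with SIGUSR1
# (the article's "kill -n 10"), wait $2 seconds, then stop the capture.
# Prints the pcap path on success; a non-zero return code names the failing step.
capture_checkin() {
  _server=$1; _secs=${2:-30}
  is_ipv4 "$_server" || { echo "invalid EDR server IP: $_server" >&2; return 2; }
  command -v tcpdump >/dev/null 2>&1 \
    || { echo "tcpdump not found; see step 2 (yum install tcpdump)" >&2; return 3; }
  _cbpid=$(pidof cbdaemon) || { echo "cbdaemon is not running" >&2; return 4; }
  tcpdump -i any -w "$PCAP" "$(capture_filter "$_server")" 2>/dev/null &
  _tpid=$!
  sleep 2                      # give tcpdump time to attach before the check-in
  kill -s USR1 $_cbpid || { kill -INT "$_tpid"; return 5; }   # unquoted: pidof may list several PIDs
  sleep "$_secs"
  kill -INT "$_tpid"; wait "$_tpid" 2>/dev/null
  [ -s "$PCAP" ] || { echo "capture is empty: $PCAP" >&2; return 6; }
  echo "$PCAP"
}

# Usage: sh capture_checkin.sh <EDR_Server_IP> [seconds]
if [ $# -ge 1 ]; then capture_checkin "$@"; fi
```

The return code tells you which prerequisite failed (2: bad address, 3: no tcpdump, 4: cbdaemon not running, 6: nothing captured), which is usually the first answer to step 7's questions.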

Additional Information

  • Common sensor communication error messages (HRESULT)
  • HRESULT errors can be found in the SensorComms.log
  • Common causes of connection issues:
    • SSL inspection (unsupported)
    • Misconfigured proxy
    • Misconfigured firewall
    • Misconfigured VDI support
    • Sensor service is not running
    • A custom WebUI port is being used instead of the Sensor Comm port