App Control: How to Enable Agent Service Trace Logging from Startup

Article ID: 286650

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

How to configure the Agent service to start at Debug Level 7 so that issues occurring during boot can be troubleshot.

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

  1. Log in to the Console and navigate to Assets > Computers > relevant Computer.
  2. Verify the Agent shows as Connected & Up to Date.
  3. In the URL, note the value for host_id (example: https://ServerAddress/host-details.php?host_id=74)
  4. Navigate to https://ServerAddress/agent_config.php > Add Agent Config
  5. Use the following details:
    • Property Name: TMP-Max Roll QTY (or something memorable)
    • Host ID: The host_id value noted in step 3 (ex: 74)
    • Value: max_rolled_trace_logs_to_keep=20
    • Status: Enabled
  6. Click Save & add another Agent Config using the following details:
    • Property Name: TMP-Max Roll Size (or something memorable)
    • Host ID: The host_id value noted in step 3 (ex: 74)
    • Value: max_rolling_trace_size_mb=500
    • Status: Enabled
  7. On the endpoint in question, launch an administrative command prompt and execute the following commands to verify the Agent has received the new Agent Configs:
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli password GlobalCLIPassword
    dascli showconfigprops filter *max_roll*
    
  8. Two values should be returned, example:
    305. max_rolled_trace_logs_to_keep=20
    306. max_rolling_trace_size_mb=500
    
  9. Once confirmed, issue the following commands to stop & unload the Agent:
    dascli tamperprotect 0
    net stop parity
    fltmc unload paritydriver
    
  10. Open the Registry (Start > Run > type regedit > OK) and browse to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Parity
  11. Edit the String Value "ImagePath" by adding " /debuglevel 7" to the end of the registry data. Below is an example of what it should look like:
    "C:\Program Files (x86)\Bit9\Parity Agent\Parity.exe" /service /server myparityserver.com /port 41002 /debuglevel 7
  12. Reboot the machine and reproduce the issue.
  13. Launch an administrative command prompt and issue the following commands to capture the logs:
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli capture "%userprofile%\Desktop\%computername%-ServiceTrace.zip"
    
  14. Use the following commands to return log settings to defaults, stop the service and unload the driver:
    dascli password GlobalCLIPassword
    dascli tamperprotect 0
    net stop parity
    fltmc unload paritydriver
    
  15. Open the Registry (Start > Run > type regedit > OK) and once again browse to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Parity
  16. Find the String Value "ImagePath" and remove the " /debuglevel 7" reference, so it once again reads similar to:
    "C:\Program Files (x86)\Bit9\Parity Agent\Parity.exe" /service /server myparityserver.com /port 41002
  17. Load the driver & start the service once again:
    fltmc load paritydriver
    net start parity
    
  18. Disable or Delete the Agent Configs created in Steps 5 and 6.
  19. Upload the captured diagnostics to the Vault.
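
The following PowerShell script is an added example and is not part of this article or of the App Control product; it drives steps 7 through 17 from an administrative PowerShell session instead of cmd and regedit. It goes slightly beyond the manual steps: it strips any existing /debuglevel flag before appending so re-running never stacks duplicates, it preserves the registry value kind of ImagePath, and it refuses to proceed until both Agent Configs have been received. Assumptions that are mine rather than the article's: the CLI binary is dascli.exe in the install folder, the <GlobalCLIPassword> placeholder is replaced with the real Global CLI Password, and all function names are invented here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the KB article). Registry key, install folder,
# service and driver names come from the article; function names are mine.
$ServiceKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Parity'
$AgentDir    = 'C:\Program Files (x86)\Bit9\Parity Agent'
$CliPassword = '<GlobalCLIPassword>'   # placeholder: supply the real Global CLI Password

function Invoke-Dascli {
    # Run dascli from the agent directory, as the article does at a cmd prompt.
    # Assumption: the binary is dascli.exe in $AgentDir.
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$CliArgs)
    Push-Location $AgentDir
    try { & .\dascli.exe @CliArgs } finally { Pop-Location }
}

function Test-TraceRollConfig {
    # Parse "305. max_rolled_trace_logs_to_keep=20" style lines (step 8) and
    # confirm both Agent Configs from steps 5 and 6 have reached the endpoint.
    $props = @{}
    foreach ($line in (Invoke-Dascli showconfigprops filter '*max_roll*')) {
        if ($line -match '^\s*\d+\.\s*(?<k>[^=]+)=(?<v>.*)$') {
            $props[$Matches.k.Trim()] = $Matches.v.Trim()
        }
    }
    return ($props['max_rolled_trace_logs_to_keep'] -eq '20' -and
            $props['max_rolling_trace_size_mb']     -eq '500')
}

function Set-DebugLevelFlag {
    # Add (default) or remove "/debuglevel N" on the service ImagePath (steps 11 and 16).
    # Any existing /debuglevel flag is stripped first so repeated runs never stack,
    # and the value kind (REG_SZ vs REG_EXPAND_SZ) is read and written back unchanged.
    param([switch]$Remove, [ValidateRange(0, 7)][int]$Level = 7)
    $key     = Get-Item -Path $ServiceKey
    $kind    = $key.GetValueKind('ImagePath')
    $current = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    $clean   = ($current -replace '\s*/debuglevel\s+\d+', '').TrimEnd()
    $new     = if ($Remove) { $clean } else { "$clean /debuglevel $Level" }
    Set-ItemProperty -Path $ServiceKey -Name ImagePath -Value $new -Type $kind
    return $new
}

function Stop-AgentForEdit {
    # Steps 9 and 14: authenticate to the CLI, drop tamper protection, stop service, unload driver.
    Invoke-Dascli password $CliPassword
    Invoke-Dascli tamperprotect 0
    net stop parity
    fltmc unload paritydriver
}

function Enable-StartupTrace {
    # Steps 7-11. Reboot and reproduce the issue afterwards (step 12).
    if (-not (Test-TraceRollConfig)) {
        throw 'Agent Configs from steps 5 and 6 have not been received yet; do not enable tracing.'
    }
    Stop-AgentForEdit
    return (Set-DebugLevelFlag -Level 7)
}

function Disable-StartupTrace {
    # Steps 13-17: capture diagnostics, stop/unload, revert ImagePath, reload driver, restart service.
    $zip = Join-Path ([Environment]::GetFolderPath('Desktop')) "$env:COMPUTERNAME-ServiceTrace.zip"
    Invoke-Dascli capture $zip
    Stop-AgentForEdit
    Set-DebugLevelFlag -Remove | Out-Null
    fltmc load paritydriver
    net start parity
    return $zip
}
```

Run `Enable-StartupTrace` (it prints the new ImagePath), reboot, reproduce the issue, then run `Disable-StartupTrace`, which returns the path of the capture zip to upload in step 19. Steps 18 and 19 remain Console tasks and are not automated here.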

Additional Information

  • Debug Level 7 generates a large volume of trace output. The two Agent Configs raise the number and size of rolled trace logs the Agent keeps, so that the details captured during boot are not overwritten before they can be collected.
  • Make sure to remove " /debuglevel 7" and return the Config Props to their defaults. Failure to do so will cause the Agent to consume unnecessary disk space.