Collect Logs for Troubleshooting a Disconnected Agent
search cancel

Collect Logs for Troubleshooting a Disconnected Agent

book

Article ID: 286683

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

To collect logs to troubleshoot a disconnected App Control agent.

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • macOS: All Supported Versions
  • Linux: All Supported Versions

Resolution

Windows

  1. On the disconnected endpoint, open an administrative command prompt and issue the following commands:
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli password GlobalPassword
    dascli disconnect
    dascli setconfigprop max_rolling_trace_size_mb=500
    dascli setconfigprop max_rolled_trace_logs_to_keep=4
    dascli debuglevel 7 dascli nettrace 1 dascli connect dascli healthcheck dascli status
  2. In the returned output, locate: Server Information > Server and note the address
    • Example: "appserver.domain.com:41002" means the Server Address is appserver.domain.com
  3. Issue the following commands:
    netstat -ano | findstr "41002"
    nslookup <ServerAddress>
    ping <ServerAddress>
    tracert <ServerAddress>
    netsh winhttp show proxy
    (for XP/Server 2003 use: proxycfg)
    
  4. Use PowerShell to issue the following commands and save the results to a text file in C:\Temp\
    Test-NetConnection -ComputerName <ServerAddress> -Port 41002 -InformationLevel "Detailed" > "C:\Temp\ConnectionTest.txt"
    Test-NetConnection -ComputerName <ServerAddress> -Port 443 -InformationLevel "Detailed" >> "C:\Temp\ConnectionTest.txt"
    
  5. In the administrative command prompt issue the following commands:
    dascli password GlobalPassword
    dascli debuglevel 0
    dascli nettrace 0
    dascli capture "C:\Temp\%ComputerName%-DisconnectedLogs.zip"
    dascli setconfigprop max_rolling_trace_size_mb=50
    dascli setconfigprop max_rolled_trace_logs_to_keep=0
  6. Once the upload has completed, provide an update on the existing Support Case
  7. Optional: Collect a Wireshark. This may be requested during troubleshooting. Providing it upfront can reduce the number of log requests.
  8. Upload all collected data.

macOS

  1. On the disconnected endpoint use Terminal to issue the following commands to verify the Agent connection status:
    cd /opt/bit9/bin
    ./b9cli --status
  2. If the Agent is fully running and otherwise healthy: authenticate with the Agent and issue the following commands:
    cd /Applications/Bit9/Tools
    ./b9cli --password 'GlobalCLIPassword'
    ./b9cli --disconnect
    ./b9cli --setconfigprop max_rolling_trace_size_mb=500
    ./b9cli --setconfigprop max_rolled_trace_logs_to_keep=4
    ./b9cli --debuglevel 4 ./b9cli --nettrace 1 ./b9cli --connect ./b9cli --status
  3. In the returned output, locate: Server Information > Server and note the address
    • Example: "appserver.domain.com:41002" means the Server Address is appserver.domain.com
  4. Set the Debug Levels back to the defaults and collect the logs:
    ./b9cli --debuglevel 0
    ./b9cli --kerneltrace 2
    ./b9cli --nettrace 0
    sudo ./b9cli --capture /var/tmp/DisconnectedAgentLogs.zip
    ./b9cli --setconfigprop max_rolling_trace_size_mb=50
    ./b9cli --setconfigprop max_rolled_trace_logs_to_keep=0
  5. Collect the System Logs::
    system_profiler -detailLevel full > ~/Desktop/sysinfo.txt
    
  6. Upload all captured logs  and update the existing Support Case.

Linux

  1. On the disconnected endpoint use Terminal to issue the following commands to verify the Agent is running and has a Server listed:
    cd /opt/bit9/bin
    ./b9cli --status
    
  2. If the Agent is fully running and otherwise healthy: authenticate with the Agent and issue the following commands:
    ./b9cli --password GlobalCLIPassword
    ./b9cli --disconnect
    ./b9cli --setconfigprop max_rolling_trace_size_mb=500
    ./b9cli --setconfigprop max_rolled_trace_logs_to_keep=4
    ./b9cli --debuglevel 4 ./b9cli --kerneltrace 4 ./b9cli --nettrace 1 ./b9cli --connect ./b9cli --healthcheck ./b9cli --status
  3. In the returned output, locate: Server Information > Server and note the address
    • Example: "appserver.domain.com:41002" means the Server Address is appserver.domain.com
  4. Attempt communication between the endpoint and the Server Address by running the commands:
    ping <SERVERADDRESS>
    nslookup <SERVERADDRESS>
    telnet <SERVERADDRESS> <SERVERPORT>
    Note: If the Telnet utility is unavailable the timeout utility (part of the coreutils package) could be used instead:
    timeout 1 bash -c "</dev/tcp/ServerAddressHere/41002"
    echo $?
    
    An exit status of "0" indicates the Server Address is responding on the port specified (41002).
  5. Set the Debug Levels back to the defaults and collect the logs:
    ./b9cli --debuglevel 0
    ./b9cli --kerneltrace 2
    ./b9cli --nettrace 0
    sudo ./b9cli --capture /var/tmp/DisconnectedAgentLogs.zip
    ./b9cli --setconfigprop max_rolling_trace_size_mb=50
    ./b9cli --setconfigprop max_rolled_trace_logs_to_keep=0
  6. Collect the System Logs::
    sudo tar cvfz /var/tmp/SystemLogs.tgz /v
  7. Upload all collected data.