To collect logs to troubleshoot a disconnected App Control agent.

• App Control Agent: All Supported Versions
• Microsoft Windows: All Supported Versions
• macOS: All Supported Versions
• Linux: All Supported Versions

Windows

1. On the disconnected endpoint, open an administrative command prompt and issue the following commands:

   cd "C:\Program Files (x86)\Bit9\Parity Agent"
   dascli password GlobalPassword
   dascli disconnect
   dascli debuglevel 6
   dascli nettrace 1
   dascli connect
   dascli healthcheck
   dascli status
   

2. In the returned output, locate: Server Information > Server and note the address
   • Example: "appserver.domain.com:41002" means the Server Address is appserver.domain.com
3. Issue the following commands:

   netstat -ano | findstr "41002"
   nslookup <ServerAddress>
   ping <ServerAddress>
   tracert <ServerAddress>
   netsh winhttp show proxy
   (for XP/Server 2003 use: proxycfg)
   

4. Use PowerShell to issue the following commands and save the results to a text file in C:\Temp\

   Test-NetConnection -ComputerName <ServerAddress> -Port 41002 -InformationLevel "Detailed" > "C:\Temp\ConnectionTest.txt"
   Test-NetConnection -ComputerName <ServerAddress> -Port 443 -InformationLevel "Detailed" >> "C:\Temp\ConnectionTest.txt"
   

5. In the administrative command prompt issue the following commands:

   dascli password GlobalPassword
   dascli debuglevel 0
   dascli nettrace 0
   dascli capture "C:\Temp\%ComputerName%-DisconnectedLogs.zip"

6. Once the upload has completed, provide an update on the existing Support Case
7. Optional: Collect a Wireshark. This may be requested during troubleshooting. Providing it upfront can reduce the number of log requests.
   • Collect a Wireshark Capture
8. Upload all collected data.

macOS

1. On the disconnected endpoint use Terminal to issue the following commands to verify the Agent connection status:
   

   cd /opt/bit9/bin
   ./b9cli --status

2. If the Agent is fully running and otherwise healthy: authenticate with the Agent and issue the following commands:

   cd /Applications/Bit9/Tools
   ./b9cli --password 'GlobalCLIPassword'
   ./b9cli --disconnect
   ./b9cli --debuglevel 4
   ./b9cli --nettrace 1
   ./b9cli --connect
   ./b9cli --status
   

3. In the returned output, locate: Server Information > Server and note the address
   • Example: "appserver.domain.com:41002" means the Server Address is appserver.domain.com
4. Set the Debug Levels back to the defaults and collect the logs:

   ./b9cli --debuglevel 0
   ./b9cli --kerneltrace 2
   ./b9cli --nettrace 0
   sudo ./b9cli --capture /var/tmp/DisconnectedAgentLogs.zip

5. Collect the System Logs::

   system_profiler -detailLevel full > ~/Desktop/sysinfo.txt
   

6. Upload all captured logs  and update the existing Support Case.

Linux

1. On the disconnected endpoint use Terminal to issue the following commands to verify the Agent is running and has a Server listed:

   cd /opt/bit9/bin
   ./b9cli --status
   

   • If no Server is listed, the install was missing the server.conf file, and should be re-installed.
     • Manually Uninstall a Disconnected Linux Agent
   • If the Agent is not running, start it
     • Start and Stop The Agent Via Local Command Line / Terminal
2. If the Agent is fully running and otherwise healthy: authenticate with the Agent and issue the following commands:

   ./b9cli --password GlobalCLIPassword
   ./b9cli --disconnect
   ./b9cli --debuglevel 4
   ./b9cli --kerneltrace 4
   ./b9cli --nettrace 1
   ./b9cli --connect
   ./b9cli --healthcheck
   ./b9cli --status
   

3. In the returned output, locate: Server Information > Server and note the address
   • Example: "appserver.domain.com:41002" means the Server Address is appserver.domain.com
4. Attempt communication between the endpoint and the Server Address by running the commands:

   ping <SERVERADDRESS>
   nslookup <SERVERADDRESS>
   telnet <SERVERADDRESS> <SERVERPORT>

   Note: If the Telnet utility is unavailable the timeout utility (part of the coreutils package) could be used instead:

   timeout 1 bash -c "</dev/tcp/ServerAddressHere/41002"
   echo $?
   

   An exit status of "0" indicates the Server Address is responding on the port specified (41002).
5. Set the Debug Levels back to the defaults and collect the logs:

   ./b9cli --debuglevel 0
   ./b9cli --kerneltrace 2
   ./b9cli --nettrace 0
   sudo ./b9cli --capture /var/tmp/DisconnectedAgentLogs.zip

6. Collect the System Logs::

   sudo tar cvfz /var/tmp/SystemLogs.tgz /v

7. Upload all collected data.