To collect logs to troubleshoot a disconnected App Control agent.

• App Control Agent: All Supported Versions
• Microsoft Windows: All Supported Versions
• macOS: All Supported Versions
• Linux: All Supported Versions

Windows

1. On the disconnected endpoint, start a Network Trace using Netsh from Command Line as an Admin:

   netsh trace start capture=yes tracefile=%userprofile%\Desktop\Agent-Trace.etl persistent=yes

   • Alternately, start a Wireshark capture from the endpoint if available.
2. In the administrative command prompt, issue the following commands:

   cd "C:\Program Files (x86)\Bit9\Parity Agent"
   dascli password GlobalPassword
   dascli disconnect
   dascli setconfigprop max_rolling_trace_size_mb=500
   dascli setconfigprop max_rolled_trace_logs_to_keep=4
   dascli debuglevel 7
   dascli nettrace 1
   dascli connect
   dascli server

3. In the returned output, note the Server Address and Port, example:

   Current sever: appcontrol.domain.com:41002

   • The Agent will attempt to resolve the Server Address.
   • All commands for connectivity should be attempted against the Server Address returned.
4. Use PowerShell to issue the following commands, substituting the relevant Server Address as returned by the Agent:

   Test-NetConnection -ComputerName <ServerAddress> -Port 41002 -InformationLevel "Detailed" > "C:\Temp\ConnectionTests.txt"
   Test-NetConnection -ComputerName <ServerAddress> -Port 443 -InformationLevel "Detailed" >> "C:\Temp\ConnectionTests.txt"
   

5. In the administrative command prompt, issue the following commands and screenshot the results:

   netstat -ano | findstr "41002"
   nslookup <ServerAddress>
   ping <ServerAddress>
   tracert <ServerAddress>
   
   C:\Windows\SysWOW64\netsh.exe winhttp show proxy
      (for XP/Server 2003 use: proxycfg)
   

6. In the administrative command prompt, capture logs and reset Debug Levels:

   dascli capture "C:\Temp\%ComputerName%-DisconnectedLogs.zip"
   dascli password GlobalPassword
   dascli debuglevel 0
   dascli nettrace 0
   dascli setconfigprop max_rolling_trace_size_mb=50
   dascli setconfigprop max_rolled_trace_logs_to_keep=0

7. Stop the Network trace from Command Line (or stop the Wireshark capture):

   netsh trace stop

   • Wait at least 2 minutes for the ETL trace file to finalize
   • Compress the ETL file (or PCAP if using Wireshark).
8. Once the upload has completed, provide an update on the existing Support Case

macOS

1. On the disconnected endpoint use Terminal to issue the following commands to verify the Agent connection status:
   

   cd /opt/bit9/bin
   ./b9cli --status

2. If the Agent is fully running and otherwise healthy: authenticate with the Agent and issue the following commands:

   cd /Applications/Bit9/Tools
   ./b9cli --password 'GlobalCLIPassword'
   ./b9cli --disconnect
   ./b9cli --setconfigprop max_rolling_trace_size_mb=500
   ./b9cli --setconfigprop max_rolled_trace_logs_to_keep=4
   ./b9cli --debuglevel 4
   ./b9cli --nettrace 1
   ./b9cli --connect
   ./b9cli --status
   

3. In the returned output, locate: Server Information > Server and note the address
   • Example: "appserver.domain.com:41002" means the Server Address is appserver.domain.com
4. Set the Debug Levels back to the defaults and collect the logs:

   ./b9cli --debuglevel 0
   ./b9cli --kerneltrace 2
   ./b9cli --nettrace 0
   sudo ./b9cli --capture /var/tmp/DisconnectedAgentLogs.zip
   ./b9cli --setconfigprop max_rolling_trace_size_mb=50
   ./b9cli --setconfigprop max_rolled_trace_logs_to_keep=0

5. Collect the System Logs::

   system_profiler -detailLevel full > ~/Desktop/sysinfo.txt
   

6. Upload all captured logs  and update the existing Support Case.

Linux

1. 1. On the disconnected endpoint use Terminal to issue the following commands to verify the Agent is running and has a Server listed:

      cd /opt/bit9/bin
      ./b9cli --status
      

      • If no Server is listed, the install was missing the server.conf file and the Agent will need uninstalled via Rescue Mode before reinstalling.
      • If the Agent is not running, follow the steps to start it manually.
   2. If the Agent is fully running and otherwise healthy: authenticate with the Agent and issue the following commands:

      ./b9cli --password GlobalCLIPassword
      ./b9cli --disconnect
      ./b9cli --setconfigprop max_rolling_trace_size_mb=500
      ./b9cli --setconfigprop max_rolled_trace_logs_to_keep=4
      ./b9cli --debuglevel 4
      ./b9cli --kerneltrace 4
      ./b9cli --nettrace 1
      ./b9cli --connect
      ./b9cli --healthcheck
      ./b9cli --status
      

   3. In the returned output, locate: Server Information > Server and note the address
      • Example: "appserver.domain.com:41002" means the Server Address is appserver.domain.com
   4. Attempt communication between the endpoint and the Server Address by running the commands:

      ping <SERVERADDRESS>
      nslookup <SERVERADDRESS>
      telnet <SERVERADDRESS> <SERVERPORT>

      Note: If the Telnet utility is unavailable the timeout utility (part of the coreutils package) could be used instead:

      timeout 1 bash -c "</dev/tcp/ServerAddressHere/41002"
      echo $?
      

      An exit status of "0" indicates the Server Address is responding on the port specified (41002).
   5. Set the Debug Levels back to the defaults and collect the logs:

      ./b9cli --debuglevel 0
      ./b9cli --kerneltrace 2
      ./b9cli --nettrace 0
      sudo ./b9cli --capture /var/tmp/DisconnectedAgentLogs.zip
      ./b9cli --setconfigprop max_rolling_trace_size_mb=50
      ./b9cli --setconfigprop max_rolled_trace_logs_to_keep=0

   6. Collect the System Logs::

      sudo tar cvfz /var/tmp/SystemLogs.tgz /v

   7. Upload all collected data.