Collect Logs for Troubleshooting a Disconnected Agent

Article ID: 286683


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

To collect logs to troubleshoot a disconnected App Control agent.

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • macOS: All Supported Versions
  • Linux: All Supported Versions

Resolution

Windows

  1. Optional, but recommended: Begin a Wireshark capture from the endpoint.
    • This may be requested during extended troubleshooting.
    • Providing it upfront may reduce the number of log requests.
  2. On the disconnected endpoint, open an administrative command prompt and issue the following commands:
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli password GlobalPassword
    dascli disconnect
    dascli setconfigprop max_rolling_trace_size_mb=500
    dascli setconfigprop max_rolled_trace_logs_to_keep=4
    dascli debuglevel 7
    dascli nettrace 1
    dascli connect
    dascli healthcheck
    dascli server
  3. In the returned output, note the Server Address and Port; for example:
    Current server: appcontrol.domain.com:41002
    • The Agent will attempt to resolve the Server Address.
    • All commands for connectivity should be attempted against the Server Address returned.
  4. Issue the following commands, substituting the relevant Server Address as returned by the Agent:
    netstat -ano | findstr "41002"
    nslookup <ServerAddress>
    ping <ServerAddress>
    tracert <ServerAddress>
    C:\Windows\SysWOW64\netsh.exe winhttp show proxy
       (for XP/Server 2003 use: proxycfg)
    
  5. Use PowerShell to issue the following commands and save the results to a text file in C:\Temp\
    Test-NetConnection -ComputerName <ServerAddress> -Port 41002 -InformationLevel "Detailed" > "C:\Temp\ConnectionTest.txt"
    Test-NetConnection -ComputerName <ServerAddress> -Port 443 -InformationLevel "Detailed" >> "C:\Temp\ConnectionTest.txt"
    
  6. In the administrative command prompt issue the following commands:
    dascli password GlobalPassword
    dascli debuglevel 0
    dascli nettrace 0
    dascli capture "C:\Temp\%ComputerName%-DisconnectedLogs.zip"
    dascli setconfigprop max_rolling_trace_size_mb=50
    dascli setconfigprop max_rolled_trace_logs_to_keep=0
  7. If a Wireshark capture was started, be sure to provide the relevant pcap as well.
  8. Once the upload has completed, provide an update on the existing Support Case.

macOS

  1. On the disconnected endpoint use Terminal to issue the following commands to verify the Agent connection status:
    cd /opt/bit9/bin
    ./b9cli --status
  2. If the Agent is fully running and otherwise healthy: authenticate with the Agent and issue the following commands:
    cd /Applications/Bit9/Tools
    ./b9cli --password 'GlobalCLIPassword'
    ./b9cli --disconnect
    ./b9cli --setconfigprop max_rolling_trace_size_mb=500
    ./b9cli --setconfigprop max_rolled_trace_logs_to_keep=4
    ./b9cli --debuglevel 4
    ./b9cli --nettrace 1
    ./b9cli --connect
    ./b9cli --status
  3. In the returned output, locate Server Information > Server and note the address.
    • Example: "appserver.domain.com:41002" means the Server Address is appserver.domain.com
  4. Set the Debug Levels back to the defaults and collect the logs:
    ./b9cli --debuglevel 0
    ./b9cli --kerneltrace 2
    ./b9cli --nettrace 0
    sudo ./b9cli --capture /var/tmp/DisconnectedAgentLogs.zip
    ./b9cli --setconfigprop max_rolling_trace_size_mb=50
    ./b9cli --setconfigprop max_rolled_trace_logs_to_keep=0
  5. Collect the System Logs:
    system_profiler -detailLevel full > ~/Desktop/sysinfo.txt
    
  6. Upload all captured logs and update the existing Support Case.

Linux

  1. On the disconnected endpoint use Terminal to issue the following commands to verify the Agent is running and has a Server listed:
    cd /opt/bit9/bin
    ./b9cli --status
    
  2. If the Agent is fully running and otherwise healthy: authenticate with the Agent and issue the following commands:
    ./b9cli --password GlobalCLIPassword
    ./b9cli --disconnect
    ./b9cli --setconfigprop max_rolling_trace_size_mb=500
    ./b9cli --setconfigprop max_rolled_trace_logs_to_keep=4
    ./b9cli --debuglevel 4
    ./b9cli --kerneltrace 4
    ./b9cli --nettrace 1
    ./b9cli --connect
    ./b9cli --healthcheck
    ./b9cli --status
  3. In the returned output, locate Server Information > Server and note the address.
    • Example: "appserver.domain.com:41002" means the Server Address is appserver.domain.com
  4. Attempt communication between the endpoint and the Server Address by running the commands:
    ping <SERVERADDRESS>
    nslookup <SERVERADDRESS>
    telnet <SERVERADDRESS> <SERVERPORT>
    Note: If the Telnet utility is unavailable, the timeout utility (part of the coreutils package) can be used instead:
    timeout 1 bash -c "</dev/tcp/ServerAddressHere/41002"
    echo $?
    
    An exit status of "0" indicates the Server Address is responding on the port specified (41002).
  5. Set the Debug Levels back to the defaults and collect the logs:
    ./b9cli --debuglevel 0
    ./b9cli --kerneltrace 2
    ./b9cli --nettrace 0
    sudo ./b9cli --capture /var/tmp/DisconnectedAgentLogs.zip
    ./b9cli --setconfigprop max_rolling_trace_size_mb=50
    ./b9cli --setconfigprop max_rolled_trace_logs_to_keep=0
  6. Collect the System Logs:
    sudo tar cvfz /var/tmp/SystemLogs.tgz /v
  7. Upload all collected data.
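The Linux connectivity check in step 4 (and the Server Address lookup in step 3) can be scripted so the result says which stage failed, DNS or TCP. This is an added example for this article, not Carbon Black's own tooling; the status text and the appserver.domain.com host are constructed sample values, and it assumes a Linux host with getent, bash and coreutils timeout available.

```shell
#!/bin/sh
# Added example: pull the Server Address and port out of "./b9cli --status"
# style output, then probe DNS and TCP reachability as step 4 does.
# SAMPLE_STATUS is a constructed stand-in for the real status output.
SAMPLE_STATUS='Server Information
  Server: appserver.domain.com:41002
  Connected: No'

# Print "host port" for the first "Server:" line; default port 41002
# when the status line carries no port suffix.
parse_server() {
    printf '%s\n' "$1" | awk -F': *' '/^[[:space:]]*Server:/ {
        n = split($2, p, ":"); print p[1], (n > 1 ? p[2] : 41002); exit }'
}

# Resolve the host first, then attempt a TCP connect with a 1 s timeout
# using the bash /dev/tcp trick from the article.
# Exit codes: 0 reachable, 2 DNS failure, 3 TCP connect timed out/refused.
probe_server() {
    host=$1; port=$2
    getent hosts "$host" >/dev/null 2>&1 || return 2
    timeout 1 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || return 3
    return 0
}

set -- $(parse_server "$SAMPLE_STATUS")
echo "Server Address: $1  Port: $2"
rc=0
probe_server "$1" "$2" || rc=$?
case $rc in
    0) echo "TCP connect to $1:$2 succeeded" ;;
    2) echo "DNS resolution failed for $1 (compare with nslookup output)" ;;
    3) echo "DNS ok but TCP port $2 blocked or refused (check firewall/proxy)" ;;
esac
```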