Collect Logs for Troubleshooting a Disconnected Agent
Article ID: 286683
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
To collect logs to troubleshoot a disconnected App Control agent.
Environment
- App Control Agent: All Supported Versions
- Microsoft Windows: All Supported Versions
- macOS: All Supported Versions
- Linux: All Supported Versions
Resolution
Windows
- On the disconnected endpoint, open an administrative command prompt and issue the following commands:
cd "C:\Program Files (x86)\Bit9\Parity Agent"
dascli password GlobalPassword
dascli disconnect
dascli debuglevel 6
dascli nettrace 1
dascli connect
dascli healthcheck
dascli status
- In the returned output, locate: Server Information > Server and note the address
- Example: "appserver.domain.com:41002" means the Server Address is appserver.domain.com
- Issue the following commands:
netstat -ano | findstr "41002"
nslookup <ServerAddress>
ping <ServerAddress>
tracert <ServerAddress>
netsh winhttp show proxy
(for XP/Server 2003 use: proxycfg)
- Use PowerShell to issue the following commands and save the results to a text file in C:\Temp\
Test-NetConnection -ComputerName <ServerAddress> -Port 41002 -InformationLevel "Detailed" > "C:\Temp\ConnectionTest.txt"
Test-NetConnection -ComputerName <ServerAddress> -Port 443 -InformationLevel "Detailed" >> "C:\Temp\ConnectionTest.txt"
- In the administrative command prompt issue the following commands:
dascli password GlobalPassword
dascli debuglevel 0
dascli nettrace 0
dascli capture "C:\Temp\%ComputerName%-DisconnectedLogs.zip"
- Optional: Collect a Wireshark packet capture of the agent's connection attempt. This may be requested during troubleshooting; providing it upfront can reduce the number of log requests.
- Upload all collected data and, once the upload has completed, provide an update on the existing Support Case.
macOS
- On the disconnected endpoint use Terminal to issue the following commands to verify the Agent connection status:
cd /Applications/Bit9/Tools
./b9cli --status
- If the Agent is fully running and otherwise healthy: authenticate with the Agent and issue the following commands:
cd /Applications/Bit9/Tools
./b9cli --password 'GlobalCLIPassword'
./b9cli --disconnect
./b9cli --debuglevel 4
./b9cli --nettrace 1
./b9cli --connect
./b9cli --status
- In the returned output, locate: Server Information > Server and note the address
- Example: "appserver.domain.com:41002" means the Server Address is appserver.domain.com
- Set the Debug Levels back to the defaults and collect the logs:
./b9cli --debuglevel 0
./b9cli --kerneltrace 2
./b9cli --nettrace 0
sudo ./b9cli --capture /var/tmp/DisconnectedAgentLogs.zip
- Collect the System Logs:
system_profiler -detailLevel full > ~/Desktop/sysinfo.txt
- Upload all captured logs and update the existing Support Case.
Linux
- On the disconnected endpoint use Terminal to issue the following commands to verify the Agent is running and has a Server listed:
cd /opt/bit9/bin
./b9cli --status
- If no Server is listed, the installation was missing the server.conf file; re-install the Agent with that file in place.
- If the Agent is not running, start it.
- If the Agent is fully running and otherwise healthy: authenticate with the Agent and issue the following commands:
./b9cli --password GlobalCLIPassword
./b9cli --disconnect
./b9cli --debuglevel 4
./b9cli --kerneltrace 4
./b9cli --nettrace 1
./b9cli --connect
./b9cli --healthcheck
./b9cli --status
- In the returned output, locate: Server Information > Server and note the address
- Example: "appserver.domain.com:41002" means the Server Address is appserver.domain.com
- Attempt communication between the endpoint and the Server Address by running the commands:
ping <SERVERADDRESS>
nslookup <SERVERADDRESS>
telnet <SERVERADDRESS> <SERVERPORT>
Note: If the Telnet utility is unavailable, bash's built-in /dev/tcp redirection combined with the timeout utility (part of the coreutils package) can be used instead:
timeout 1 bash -c "</dev/tcp/<SERVERADDRESS>/<SERVERPORT>"
echo $?
An exit status of "0" indicates the Server Address accepted a TCP connection on the specified port (41002 by default). An exit status of "124" means the attempt timed out, which usually points to a firewall silently dropping the traffic; "1" means the connection was refused, the host was unreachable, or the name could not be resolved.
- Set the Debug Levels back to the defaults and collect the logs:
./b9cli --debuglevel 0
./b9cli --kerneltrace 2
./b9cli --nettrace 0
sudo ./b9cli --capture /var/tmp/DisconnectedAgentLogs.zip
- Collect the System Logs:
sudo tar cvfz /var/tmp/SystemLogs.tgz /v
- Upload all collected data.
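The connectivity check in the Linux procedure above, as an added bash example that is not part of the Carbon Black tooling or of this article: it pulls the Server entry out of a constructed sample of `./b9cli --status` output, probes that port with bash's /dev/tcp under the timeout utility, and maps the exit status to a diagnosis so the result can be pasted into the Support Case. The sample status text, the fallback to port 41002 when the Server entry carries no port, and all function names are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not Carbon Black code): locate the App Control server from
# b9cli status output and verify TCP reachability from the disconnected host.
# Requires bash (for /dev/tcp) and the coreutils `timeout` utility.
set -u

# Constructed sample of the relevant lines from `./b9cli --status`. The real
# output carries many more fields; only the "Server:" line is parsed here.
SAMPLE_STATUS='Server Information
  Server:      appserver.domain.com:41002
  Connected:   No'

# Read status text on stdin and print "host port". Hostnames and IPv4
# addresses only; falls back to 41002 (the App Control default, an assumption
# here) when the Server entry has no ":port" suffix. Returns 1 if no Server
# line is present, which the article treats as a broken install.
parse_server() {
    local line host port
    line=$(grep -m1 -E '^[[:space:]]*Server:' | sed -E 's/^[[:space:]]*Server:[[:space:]]*//')
    [ -n "$line" ] || return 1
    host=${line%%:*}
    port=${line##*:}
    [ "$port" = "$line" ] && port=41002   # no port in the entry
    printf '%s %s\n' "$host" "$port"
}

# Open a TCP connection with a deadline and echo the raw exit status:
# 0 = connected, 124 = timeout reported by `timeout`, anything else = the
# inner bash failed (refused, unreachable, or name resolution failure).
probe_tcp() {
    local host=$1 port=$2 secs=${3:-3} rc
    if timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        rc=0
    else
        rc=$?
    fi
    echo "$rc"
}

# Turn the probe's exit status into a one-line diagnosis.
classify_probe() {
    case $1 in
        0)   echo "open: TCP handshake completed" ;;
        124) echo "timeout: no response within the deadline (traffic likely dropped by a firewall, or wrong address)" ;;
        *)   echo "refused/unreachable: connection rejected, host unreachable, or name not resolved (exit $1)" ;;
    esac
}

main() {
    local host port server rc
    if [ $# -ge 1 ]; then
        host=$1; port=${2:-41002}
    else
        # Default to the embedded sample; in practice pipe in real status output.
        server=$(printf '%s\n' "$SAMPLE_STATUS" | parse_server) || { echo "No Server line found; agent lacks server.conf" >&2; return 2; }
        host=${server% *}; port=${server#* }
    fi
    echo "Server address: $host  port: $port"
    rc=$(probe_tcp "$host" "$port")
    echo "Result: $(classify_probe "$rc")"
}

main "$@"
```

Run it with no arguments to exercise the parsing on the embedded sample, or pass the host and port noted from the real status output to probe the actual server; the probe gives up after three seconds, which is long enough to separate a silent drop (124) from an immediate refusal (1). On macOS the timeout utility is not installed by default and comes from the coreutils package.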