EDR: How to Gather Trace Logs to Troubleshoot Mac Sensor

Article ID: 287325


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Gather trace logging of file system and network operations (similar to Process Monitor logging) on Macs for Sensor troubleshooting

Environment

  • EDR: All supported Mac sensor versions
  • Hosted EDR: All supported Mac sensor versions
    • Mac OS: All supported versions

Resolution

To gather a full data set
  1. Open Terminal on the affected machine
  2. To begin logging, enter the following command:
     sudo fs_usage -w > /Users/user/desktop/trace.csv
  3. Recreate the issue
  4. Press Ctrl + C in Terminal to stop logging and save the file
  5. Upload the saved file directly to the support case if it is less than 25 MB; if larger, upload it to CB Vault
To gather a narrower data set if requested by Support
  • Gather only network operations
    sudo fs_usage -w -f network > /Users/user/desktop/network.csv
  • Gather only file system operations
    sudo fs_usage -w -f filesys > /Users/user/desktop/filesys.csv
  • Exclude specific processes by adding the "-e" option and specifying process names or PIDs
    sudo fs_usage -w -e mdworker > /Users/user/desktop/trace.csv
  • Include only listed processes by adding a PID or process name to any of the above commands as needed (multiple PIDs or process names can be specified)
    sudo fs_usage -w CbOsxSensorService > /Users/user/desktop/CbOsxSensorService.csv
    or
    sudo fs_usage -w -f filesys CbOsxSensorService > /Users/user/desktop/CbOsxSensorService.csv
    or
    sudo fs_usage -w CbOsxSensorService python bash > /Users/user/desktop/CbOsxSensorService.csv
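As an added example (not part of this article or the sensor's own tooling), a small shell script to sanity-check a saved trace before uploading it: it counts operations per process and confirms that the sensor process (CbOsxSensorService, as in the commands above) actually appears in the capture. It assumes the fs_usage -w column layout of time, call, arguments, elapsed time and a final process-name column with a numeric suffix; the trace lines embedded below are constructed, not real sensor output.

```shell
#!/bin/sh
# Added example: sanity-check a saved fs_usage -w trace before uploading it.
# Assumed layout per line:  time  call  args...  elapsed  process.id
# (process name with a numeric suffix in the last whitespace-separated field).

# Constructed sample of what trace.csv might contain (not real sensor output).
SAMPLE_TRACE='12:00:01.000100  open          F=7  (R_____)  /Applications/Safari.app/Contents/Info.plist   0.000020   CbOsxSensorService.1201
12:00:01.000350  stat64        /Users/user/Documents/report.docx                       0.000008   CbOsxSensorService.1201
12:00:01.000900  read          F=7  B=0x1000                                           0.000015   CbOsxSensorService.1201
12:00:01.001200  connect       F=12 [    2]                                             0.000300   curl.3301
12:00:01.001500  write         F=12 B=0x40                                              0.000012   curl.3301
12:00:01.002000  getattrlist   /Library/Spotlight                                       0.000010   mdworker.512'

# Count operations per process (strips the numeric suffix after the last dot).
ops_per_process() {
    awk '{ p=$NF; sub(/\.[0-9]+$/, "", p); n[p]++ }
         END { for (p in n) printf "%s %d\n", p, n[p] }' | sort
}

# Count calls of one type for one process. Usage: count_calls <process> <call>
count_calls() {
    awk -v proc="$1" -v call="$2" '
        { p=$NF; sub(/\.[0-9]+$/, "", p) }
        p == proc && $2 == call { c++ }
        END { print c+0 }'
}

# Return 0 if the named process appears anywhere in the trace, 1 otherwise.
trace_has_process() {
    awk -v proc="$1" '{ p=$NF; sub(/\.[0-9]+$/, "", p) } p == proc { f=1 } END { exit !f }'
}

# Summarise a trace file and warn if the sensor process is missing from it.
check_trace() {
    file="$1"; proc="${2:-CbOsxSensorService}"
    echo "Operations per process in $file:"
    ops_per_process < "$file"
    if trace_has_process "$proc" < "$file"; then
        echo "OK: $proc appears in the trace"
    else
        echo "WARNING: $proc not found; re-run the capture with the sensor included"
        return 1
    fi
}

# Demo on the constructed sample; point check_trace at the real trace.csv instead.
printf '%s\n' "$SAMPLE_TRACE" > "${TMPDIR:-/tmp}/sample_trace.csv"
check_trace "${TMPDIR:-/tmp}/sample_trace.csv"
```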

Additional Information

  • The fs_usage command requires authentication as an administrator

  • The "-w" option gathers more detailed output and doesn't truncate data to fit the Terminal window

  • The output file can be saved as either a .csv or a .txt document