Gathering Trace Logs to Troubleshoot macOS Sensor
Article ID: 287325
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Gather trace logging of file system and network operations (similar to Process Monitor logging) for macOS Sensor troubleshooting
Environment
- EDR Sensor: All supported versions
- macOS: All supported versions
Resolution
To gather a full data set
- Open Terminal on the affected machine
- To begin logging, enter the following command
sudo fs_usage -w > /Users/user/desktop/trace.csv
- Recreate the issue
- Enter Ctrl + C in Terminal to stop logging and save the file
- If necessary, upload the saved file directly to the tech support case.
To gather a more narrow data set if requested by Support
- Gather only network operations
sudo fs_usage -w -f filesys > /Users/user/desktop/filesys.csv
- Gather only file system operations
sudo fs_usage -w -f filesys > /Users/user/desktop/filesys.csv
Exclude specific processes by adding "-e" option and specifying process names or pids
sudo fs_usage -w -e mdworker > /Users/user/desktop/trace.csv
- Include only listed processes by adding a PID or process name to any of the above commands as needed (multiple PIDs or process names can be specified)
sudo fs_usage -w CbOsxSensorService > /Users/user/desktop/CbOsxSensorService.csv or sudo fs_usage -w -f filesys CbOsxSensorService > /Users/user/desktop/CbOsxSensorService.csv or sudo fs_usage -w CbOsxSensorService python bash > /Users/user/desktop/CbOsxSensorService.csv
Additional Information
-
The fs_usage command requires authentication as an administrator
-
The "-w" option gathers more detailed output and doesn't truncate data to fit the Terminal window
-
The output file can be saved as either as either a .csv or .txt document
Feedback
Yes
No
Powered by
