EDR Sensor: How to Enable Debugging for LiveQuery

Article ID: 287386

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • How can debug logging be enabled for LiveQuery?

Environment

  • EDR Windows Sensor: 7.1.0 and Higher
  • EDR Server: 7.2.0 and Higher

Resolution

  • On the sensor that needs troubleshooting, set debug logging to at least level 5 by running the following commands:
reg add HKLM\Software\CarbonBlack\config -v MaxDebugLogSize -t REG_DWORD -d 1000000000 -f

reg add HKLM\Software\CarbonBlack\config -v DebugLevel -t REG_DWORD -d 5 -f 

sc control carbonblack 203
  • Once done, re-run the LiveQuery command and then pull a new sensordiag. The change is indicated by debuglevel in Sensor.log, and OsQuery items should now appear as queries are run.

Additional Information

  • Verbosity can be increased, to avoid missing items, by changing the -d <log level> number in the DebugLevel command above. Examples:
reg add HKLM\Software\CarbonBlack\config -v DebugLevel -t REG_DWORD -d 6 -f
reg add HKLM\Software\CarbonBlack\config -v DebugLevel -t REG_DWORD -d 7 -f
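
The Resolution steps and the verbosity change above, wrapped as an added PowerShell example (not vendor code) that saves the previous DebugLevel and MaxDebugLogSize values before changing them and puts them back once the sensordiag has been collected. The -Level and -Restore parameters, the backup file path, and sending control code 203 again after a restore are assumptions; the registry key, value names, log size and control code are the ones shown in this article.

```powershell
#requires -RunAsAdministrator
# Added example, not vendor code. Key, value names and control code 203 come
# from the steps above; the backup file location is an assumption.
param(
    [ValidateScript({ $_ -ge 5 })][int]$Level = 5,   # article: at least 5
    [switch]$Restore,
    [string]$BackupFile = "$env:ProgramData\cb-livequery-debug-backup.json"
)
$ErrorActionPreference = 'Stop'
$key   = 'HKLM:\Software\CarbonBlack\config'
$names = 'DebugLevel', 'MaxDebugLogSize'

function Read-Values {
    $out = [ordered]@{}
    foreach ($n in $names) {
        # $null records that the value did not exist before the change
        $out[$n] = (Get-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue).$n
    }
    $out
}

function Write-Values($values) {
    foreach ($n in $names) {
        if ($null -eq $values[$n]) {
            Remove-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $key -Name $n -Value $values[$n] -Type DWord
        }
    }
    # Same request as "sc control carbonblack 203". In Windows PowerShell a bare
    # "sc" is the Set-Content alias, so sc.exe must be named explicitly.
    sc.exe control carbonblack 203 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe control failed with exit code $LASTEXITCODE" }
}

if (-not (Test-Path $key)) { throw "Sensor config key not found: $key" }

if ($Restore) {
    $json  = Get-Content -Raw -Path $BackupFile | ConvertFrom-Json
    $saved = @{}
    foreach ($n in $names) { $saved[$n] = $json.$n }
    Write-Values $saved
    Remove-Item -Path $BackupFile
} else {
    # Keep the first backup so a second run cannot record debug values as "original"
    if (-not (Test-Path $BackupFile)) { Read-Values | ConvertTo-Json | Set-Content -Path $BackupFile }
    Write-Values @{ DebugLevel = $Level; MaxDebugLogSize = 1000000000 }
}
Read-Values   # show the values now in effect
```

Run it from an elevated prompt with -Level 5 (or 6, 7) before re-running the LiveQuery command, and with -Restore after the sensordiag has been pulled.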