CB Response: How to Collect Sensor Event or Store Logs (Windows)

Article ID: 287930

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Collecting sensor event logs or binary store logs that would normally be sent up to the server

Environment

Carbon Black Sensor: All Versions
Microsoft Windows: All Supported Versions

Resolution

  1. In the console, sync the affected sensor
  2. On the sensor itself, force a check-in to complete the sync
    sc control carbonblack 200
  3. Stop the sensor services. Interrogate confirms the services are stopped
    sc stop carbonblack
    sc stop carbonblackk
    sc interrogate carbonblack
  4. Modify the registry to point to a nonexistent server. (Note the current values so they can be restored in step 10.) See Additional Information for other options
    Master server:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Carbonblackk\SensorBackendServer

    Submission server (binary or event log upload server):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Carbonblackk\DataServer
  5. Start the sensor service to begin capturing
    sc start carbonblack
  6. Reproduce the event log issue
  7. Dump a diagnostics file immediately after reproducing the issue
    sc control carbonblack 201
  8. Stop the sensor services again
    sc stop carbonblack
    sc stop carbonblackk
    sc interrogate carbonblack
  9. Copy the following directories to a folder outside of C:\Windows\CarbonBlack
    C:\Windows\CarbonBlack\Eventlogs
    C:\Windows\CarbonBlack\store\catalog
    C:\Windows\CarbonBlack\Diagnostics
  10. Revert the registry changes from step 4 so the sensor can reconnect to the server
  11. Start the sensor service again
    sc start carbonblack
  12. Zip up the collected contents and upload the archive to the case via the cbvault link.
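The procedure above as one script, added here as an illustration and not part of the KB article or the Carbon Black product. It assumes an elevated PowerShell session, that the two values under the Carbonblackk key are strings, and a constructed placeholder URL and output folder. Note that in PowerShell `sc` is an alias of Set-Content, so the service control tool must be called as `sc.exe`.

```powershell
# Added example (not from the KB). Assumptions: service names, registry values and directories
# are exactly those listed in the article; $Placeholder is a constructed, non-resolvable URL;
# value types under the key are left as they are. In PowerShell "sc" aliases Set-Content,
# so the service control tool is called as sc.exe throughout.
$Key         = 'HKLM:\SYSTEM\CurrentControlSet\Services\Carbonblackk'
$Values      = 'SensorBackendServer', 'DataServer'
$Placeholder = 'https://cb-collect.invalid'   # constructed: a server that does not exist
$OutDir      = 'C:\CbCollect'                   # assumption: any folder outside C:\Windows\CarbonBlack
$Backup      = Join-Path $OutDir 'registry-backup.json'

function Stop-Sensor {
    sc.exe stop carbonblack  | Out-Null
    sc.exe stop carbonblackk | Out-Null
    # Wait for the user-mode service to actually report STOPPED instead of trusting the request.
    $deadline = (Get-Date).AddSeconds(60)
    while ((Get-Service carbonblack).Status -ne 'Stopped' -and (Get-Date) -lt $deadline) { Start-Sleep 2 }
    sc.exe interrogate carbonblack
}

function Set-SensorOffline {
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    # Record the live values first (step 4) so step 10 can restore them exactly.
    $cur = Get-ItemProperty -Path $Key
    @{ SensorBackendServer = $cur.SensorBackendServer; DataServer = $cur.DataServer } |
        ConvertTo-Json | Set-Content -Path $Backup
    foreach ($v in $Values) { Set-ItemProperty -Path $Key -Name $v -Value $Placeholder }
}

function Restore-SensorServer {
    $saved = Get-Content $Backup | ConvertFrom-Json
    foreach ($v in $Values) { Set-ItemProperty -Path $Key -Name $v -Value $saved.$v }
}

function Copy-SensorLogs {
    foreach ($d in 'Eventlogs', 'store\catalog', 'Diagnostics') {
        $dest = Join-Path $OutDir $d
        New-Item -ItemType Directory -Force -Path $dest | Out-Null
        Copy-Item -Recurse -Force -Path "C:\Windows\CarbonBlack\$d\*" -Destination $dest
    }
    Compress-Archive -Path "$OutDir\*" -DestinationPath "$OutDir.zip" -Force
}

# Steps 2 to 11 in order; step 1 (sync in the console) is done beforehand.
sc.exe control carbonblack 200        # force a check-in to complete the sync
Stop-Sensor
Set-SensorOffline
sc.exe start carbonblack
Read-Host 'Reproduce the event log issue now, then press Enter'
sc.exe control carbonblack 201        # dump a diagnostics file
Stop-Sensor
Copy-SensorLogs
Restore-SensorServer
sc.exe start carbonblack
```

Because the original values are written to disk before the redirect, Restore-SensorServer can be run on its own if the script is interrupted partway through, so the sensor is not left pointing at the placeholder.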

Additional Information

There are other options besides the registry change; the sensor only needs to be disconnected from the server so that the event logs are kept locally instead of being uploaded
  • Modify C:\Windows\System32\Drivers\etc\hosts so the server hostname no longer resolves to the server
  • Add a firewall rule on the endpoint blocking traffic to the server
  • Disable the network on the endpoint
  • Stop the server's cb-nginx service. This affects all sensors submitting during that short period, and must be done on the Master and all Minions
    service cb-nginx stop