EDR: How to configure on-demand cbdiag reports for on-prem servers
Article ID: 288091
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Enable on-demand cbdiag reports on an on-prem EDR server so that the VMware Carbon Black Support team can request them directly.
Resolution
- Log into the EDR web interface.
- In the upper-right corner, click [username] > Sharing Settings.
- Enable (check) the box to "Allow Unattended Background Upload of Diagnostics Data".
Additional Information
- This will enable the VMware Carbon Black Support team to remotely request a cbdiag report for diagnostic purposes.
- The resulting cbdiag files will be generated in /tmp by default.
- VMware Carbon Black recommends a minimum of 2 GB of available space. Servers with large numbers of endpoints may require more space.
- The directory where cbdiag files are saved can be changed in /etc/cb/cb.conf with the CbDiagTmpDir parameter, e.g. CbDiagTmpDir=/var/cb/data.
- "Allow Unattended Background Upload of Diagnostics Data" requires that the "Enable Performance Statistics" option be enabled.
- The API method to enable this feature uses a POST to /api/communication_settings with a payload of {"ondemand_diagnostics":true}.
- A cron job runs on each server every 5 minutes to look for new cbdiag reports and send them to VMware Carbon Black.
- Each EDR server has a server token used to identify it. The token is located at /etc/cb/server.token.
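A pre-flight check for the notes above, as an added example (not VMware Carbon Black code): it resolves the effective cbdiag directory from cb.conf and confirms that it exists and has at least 2 GB available. It assumes cb.conf uses Key=Value lines with # comments; the function names are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight check before enabling on-demand cbdiag reports.
# Function names are illustrative; the cb.conf syntax (Key=Value, '#' comments)
# is an assumption.

MIN_KB=$((2 * 1024 * 1024))   # 2 GB minimum from the article, in KiB

# Print the effective cbdiag output directory for the given cb.conf.
# The last uncommented CbDiagTmpDir= line wins (assumption); default is /tmp.
cbdiag_dir() {
    conf=$1
    dir=$(sed -n 's/^[[:space:]]*CbDiagTmpDir[[:space:]]*=[[:space:]]*//p' "$conf" 2>/dev/null |
          sed 's/[[:space:]]*$//' | tail -n 1)
    printf '%s\n' "${dir:-/tmp}"
}

# Print the available space, in KiB, on the filesystem holding directory $1.
avail_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }'
}

# Return 0 when the cbdiag directory exists and has at least $2 KiB available
# (default: MIN_KB). Failures are reported on stderr.
cbdiag_preflight() {
    conf=${1:-/etc/cb/cb.conf}
    min=${2:-$MIN_KB}
    dir=$(cbdiag_dir "$conf")
    if [ ! -d "$dir" ]; then
        echo "FAIL: cbdiag directory $dir does not exist" >&2
        return 1
    fi
    kb=$(avail_kb "$dir")
    if [ "${kb:-0}" -lt "$min" ]; then
        echo "FAIL: $dir has ${kb:-0} KiB available, need $min KiB" >&2
        return 1
    fi
    echo "OK: $dir has ${kb:-0} KiB available"
}

# Run only when a config path is passed, e.g.: sh preflight.sh /etc/cb/cb.conf
if [ "$#" -gt 0 ]; then
    cbdiag_preflight "$@"
fi
```

Servers with large numbers of endpoints can pass a higher threshold in KiB as the second argument.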