EDR: How to Collect Diagnostic Logs for Performance Related Issues (Linux)



Article ID: 288122


Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

This article describes how to collect the logs needed to troubleshoot most performance-related issues on a Linux endpoint. Typical issues include:
  • General system performance issues
  • High CPU/Memory of EDR sensor process
  • High CPU/Memory of third-party applications

Environment

  • EDR Sensor: 6.x and Higher
  • Linux: All Supported Versions

Resolution

  1. Log onto the Linux endpoint exhibiting the performance issue.
  2. Gather strace output for the cbdaemon process while the issue is occurring.
  3. Generate a Linux endpoint diag report.
  4. Upload all log files to CB Vault.
  5. Update your VMware Carbon Black Technical Support case with the following information:
- Is this Linux endpoint also serving as an EDR console server (primary or secondary node)?

- Is the performance issue reproducible and, if so, what steps reproduce it?
(For example, were any backups, updates, or large file transfers being performed at the time?)

- How many endpoints are affected? What are their general system profiles and functions?

- What other security applications or real-time scanners are installed? Have the exclusions described in the sensor install guide been applied?
https://docs.vmware.com/en/VMware-Carbon-Black-EDR/services/cb-edr-sensor-install-guide/GUID-4205B17E-DF27-4AD9-AEDA-17BC9088F43F.html

- How long do the performance issues last? 

- What actions, if any, return the system performance to normal?

- Is the endpoint connected to any network shares? 

- Does this endpoint generate a large number of logs, binaries, or PDF reports?
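Steps 2 and 3 above do not spell out how to capture the strace output. The script below is an added example (not Carbon Black's own diag tooling) of a bounded strace capture of the cbdaemon process, plus a small parser that ranks the most frequent syscalls so the raw trace is easier to read before it goes into the support case. It assumes a Linux host with /proc, that the sensor process is named cbdaemon (the name used in step 2), that strace and the coreutils timeout command are installed, and that it is run as root, since attaching to another process requires ptrace permission. The strace sample lines are constructed for illustration, not taken from a real sensor.

```shell
#!/bin/sh
# Added example: bounded strace capture of cbdaemon for an EDR support case.
# Assumptions: Linux /proc, process name "cbdaemon", strace + timeout installed, run as root.

PROC_NAME="${PROC_NAME:-cbdaemon}"   # process to trace (assumed name)
DURATION="${DURATION:-60}"            # seconds per strace capture window
OUTDIR="${OUTDIR:-/tmp/cb-perf-$(date +%Y%m%d-%H%M%S)}"

# Print the PIDs whose command name (/proc/PID/comm) matches $1 exactly, one per line.
# Returns 1 when nothing matched. Reads /proc directly so it works without ps/pidof.
find_pids() {
    name="$1"; found=1
    for d in /proc/[0-9]*; do
        [ -r "$d/comm" ] || continue
        if [ "$(cat "$d/comm" 2>/dev/null)" = "$name" ]; then
            echo "${d#/proc/}"; found=0
        fi
    done
    return $found
}

# Read an "strace -f -tt -T" log on stdin and print the $1 most frequent syscalls as
# "<count> <name>". Signal lines (--- SIG... ---), exit lines (+++ ... +++) and
# "<... name resumed>" continuations carry no syscall name in call position and are skipped.
top_syscalls() {
    n="${1:-10}"
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^[a-z_0-9]+\(/) { sub(/\(.*/, "", $i); c[$i]++; break } }
         END { for (k in c) print c[k], k }' |
        sort -k1,1nr -k2,2 | head -n "$n"
}

# Constructed sample of strace -f -tt -T output (not real sensor activity) for testing
# top_syscalls offline: read x3, futex, stat and openat once each.
sample_strace_lines() {
    cat <<'EOF'
2101  10:15:42.100001 futex(0x7f1c0000, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
2098  10:15:42.100020 read(7, "\x01\x00", 4096) = 2 <0.000015>
2098  10:15:42.100061 read(7, "", 4096) = 0 <0.000009>
2098  10:15:42.100090 stat("/var/log/syslog", {st_mode=S_IFREG|0640, ...}) = 0 <0.000011>
2098  10:15:42.100130 read(9, "\x00", 1) = 1 <0.000008>
2098  10:15:42.100170 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2105} ---
2101  10:15:42.200001 <... futex resumed>) = 0 <0.099990>
2098  10:15:42.200050 openat(AT_FDCWD, "/proc/2105/stat", O_RDONLY) = 9 <0.000020>
EOF
}

main() {
    pids=$(find_pids "$PROC_NAME") || { echo "no $PROC_NAME process found" >&2; exit 1; }
    mkdir -p "$OUTDIR"
    for pid in $pids; do
        # Snapshot VmRSS/Threads etc. before tracing so memory state is on record too.
        cp "/proc/$pid/status" "$OUTDIR/status-$pid.txt"
        # Raw trace: -f follows threads, -tt absolute timestamps, -T per-call latency.
        # timeout stops the capture (exit 124) and strace detaches cleanly on SIGTERM.
        timeout "$DURATION" strace -f -tt -T -o "$OUTDIR/strace-$pid.txt" -p "$pid" || true
        # Second window with -c: per-syscall count/time summary table in its own file.
        timeout "$DURATION" strace -f -c -o "$OUTDIR/strace-summary-$pid.txt" -p "$pid" || true
        top_syscalls 10 < "$OUTDIR/strace-$pid.txt" > "$OUTDIR/top-syscalls-$pid.txt"
    done
    tar -czf "$OUTDIR.tar.gz" -C "$(dirname "$OUTDIR")" "$(basename "$OUTDIR")"
    echo "$OUTDIR.tar.gz"
}

# Only trace when explicitly asked, e.g.:  sudo sh collect_cbdaemon_strace.sh run
case "${1:-}" in run) main ;; esac
```

Attaching strace to cbdaemon slows the sensor noticeably while the trace runs, so keep DURATION short and capture while the symptom is visible rather than leaving it attached. The resulting tarball is what you upload to CB Vault in step 4 alongside the diag report from step 3.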

Additional Information

EDR Sensor version 7.2.0 contains improvements to memory and CPU performance; see the 'Resolved Issues' section of the release notes: