App Control: How to Set Automatic Agent Log Capture (Locally)
Article ID: 288353

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

To set up automatic high-level debug logging on an Agent for issues that cannot be reproduced on demand.

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

  1. Log in to the endpoint in question and, from an administrative command prompt, issue:
    dascli password GlobalCLIPassword
    dascli flushlogs
    dascli resetcounters
    dascli debuglevel 6
    dascli kerneltrace 4 -1
    dascli setconfigprop max_rolling_trace_size_mb=500
    dascli setconfigprop max_rolled_trace_logs_to_keep=20
    dascli kernelconfig verboselogpattern "<PathToFileOrPathBeingBlocked>"
    dascli setconfigprop capture_log_on_matching_event=subtype=<SubtypeIDOfEvent>,filename=<PathToFileOrPathBeingBlocked>
  2. Once the Agent generates an Event matching the scenario:
    • Agent logs will automatically be captured and uploaded to the Server.
    • An Event will be generated with the Subtype: Agent Diagnostics Available.
  3. Download the Agent Logs from the Console > Tools > Requested Files > Diagnostic Files.
  4. Upload the Agent Logs to the Vault and update the Case accordingly.
  5. After the logs have been captured, return logging to normal and clear the configuration:
    dascli password GlobalCLIPassword
    dascli setconfigprop capture_log_on_matching_event=
    dascli kerneltrace 2
    dascli debuglevel 0
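The steps above wrapped as a pair of PowerShell functions, as an added example that is not part of this article or of Carbon Black's own tooling. It assumes dascli.exe sits in the default Agent install folder (C:\Program Files (x86)\Bit9\Parity Agent, overridable via $script:DasCli) and takes the Global CLI Password, Event Subtype ID and blocked path as parameters so that arming the trigger (step 1) and clearing it (step 5) use the same values.

```powershell
# Added example, not code from the KB article or from Carbon Black. Wraps the
# dascli steps so that arming and clearing the automatic capture use the same
# parameters. Assumption: dascli.exe is in the default Agent install folder.
$script:DasCli = 'C:\Program Files (x86)\Bit9\Parity Agent\dascli.exe'

function Invoke-DasCli {
    # Runs one dascli command and surfaces its output; stops if the executable
    # is missing so a wrong path does not silently do nothing.
    param([Parameter(Mandatory)] [string[]] $CliArgs)
    if (-not (Test-Path -LiteralPath $script:DasCli)) {
        throw "dascli not found at $script:DasCli"
    }
    & $script:DasCli @CliArgs
}

function Enable-AgentAutoCapture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CliPassword,   # Global CLI Password (step 1)
        [Parameter(Mandatory)] [int]    $SubtypeId,     # Event Subtype ID from the Events Guide
        [Parameter(Mandatory)] [string] $BlockedPath,   # file or path from the Event being chased
        [int] $MaxTraceSizeMb   = 500,                  # same values as step 1
        [int] $RolledLogsToKeep = 20
    )
    # Same order as step 1: unlock the CLI, clear old logs and counters, raise
    # verbosity, widen the trace buffers, and set the trigger last so nothing
    # fires before the rest of the configuration is in place.
    Invoke-DasCli @('password', $CliPassword)
    Invoke-DasCli @('flushlogs')
    Invoke-DasCli @('resetcounters')
    Invoke-DasCli @('debuglevel', '6')
    Invoke-DasCli @('kerneltrace', '4', '-1')
    Invoke-DasCli @('setconfigprop', "max_rolling_trace_size_mb=$MaxTraceSizeMb")
    Invoke-DasCli @('setconfigprop', "max_rolled_trace_logs_to_keep=$RolledLogsToKeep")
    Invoke-DasCli @('kernelconfig', 'verboselogpattern', $BlockedPath)
    # PowerShell passes this as a single argument to the native exe, so a path
    # containing spaces still reaches dascli as one property value.
    Invoke-DasCli @('setconfigprop', "capture_log_on_matching_event=subtype=$SubtypeId,filename=$BlockedPath")
}

function Disable-AgentAutoCapture {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $CliPassword)
    # Step 5: an empty value clears the trigger, then logging returns to normal.
    Invoke-DasCli @('password', $CliPassword)
    Invoke-DasCli @('setconfigprop', 'capture_log_on_matching_event=')
    Invoke-DasCli @('kerneltrace', '2')
    Invoke-DasCli @('debuglevel', '0')
}

# Usage, with the article's placeholders in place of real values:
# Enable-AgentAutoCapture -CliPassword 'GlobalCLIPassword' -SubtypeId <SubtypeIDOfEvent> -BlockedPath '<PathToFileOrPathBeingBlocked>'
# ... wait for the "Agent Diagnostics Available" Event and download the logs ...
# Disable-AgentAutoCapture -CliPassword 'GlobalCLIPassword'
```

Run both functions from an elevated PowerShell session on the endpoint. Keeping enable and disable together makes it harder to leave an Agent at debug level 6 with a 500 MB rolling trace after the case is closed.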

Additional Information

  • capture_log_on_matching_event is a Kernel Configuration Property that will trigger the capture of Agent Diagnostic Logs based on the Event Subtype and optional additional criteria.
  • There is a built-in delay of 5 seconds after the Event to capture possible following activity.
  • There is a built-in dwell time of 15 minutes. The auto log capture will not trigger until 15 minutes after the last auto log capture.
  • There is a limit of 10 auto log captures. No auto captures will occur until there are fewer than 10 captures in the logs directory.
  • The 15-minute dwell time and 10-capture maximum exist to stop poorly defined event criteria from generating large numbers of logs.
  • Setting the property to an empty string disables auto-logging.
  • A list of available Event Subtype IDs can be found on VMware Docs > Server Documentation > Events Guide.