CB Defense: How to Gather Trace Logs to Troubleshoot Mac Sensor
search cancel

CB Defense: How to Gather Trace Logs to Troubleshoot Mac Sensor

book

Article ID: 288920

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Gather trace logging of file system and network operations (similar to Process Monitor logging) on Macs for Sensor troubleshooting

Environment

  • CB Defense PSC Sensor: All versions
  • Apple macOS:¬†All supported versions

Resolution

To gather a full data set
  1. Open Terminal on the affected machine
  2. To begin logging, enter the following command
    sudo fs_usage -w > /Users/user/desktop/trace.csv
  3. Recreate the issue
  4. Enter Ctrl + C in Terminal to stop logging and save the file
  5. Upload the saved file directly to support case if less than 25 MB; if larger, please upload to CB Vault
To gather a more narrow data set if requested by Support
  • Gather only network operations
    sudo fs_usage -w -f network > /Users/user/desktop/network.csv
  • Gather only file system operations
    sudo fs_usage -w -f filesys > /Users/user/desktop/filesys.csv
  • Exclude specific processes by adding "-e" option and specifying process names or pids
    sudo fs_usage -w -e mdworker > /Users/user/desktop/trace.csv
  • Include only listed processes by adding a PID or process name to any of the above commands as needed (multiple PIDs or process names can be specified)
    sudo fs_usage -w repmgr > /Users/user/desktop/repmgr.csv
    
    or 
    
    sudo fs_usage -w -f filesys repmgr > /Users/user/desktop/repmgr.csv
    
    or 
    
    sudo fs_usage -w repmgr python bash > /Users/user/desktop/repmgr.csv

Additional Information

  • The fs_usage command requires authentication as an administrator
  • The "-w" option gathers more detailed output and doesn't truncate data to fit the Terminal window
  • The output file can be saved as either as either a .csv or .txt document