CB Defense: How to Gather Trace Logs to Troubleshoot Mac Sensor
Article ID: 288920
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Gather trace logging of file system and network operations (similar to Process Monitor logging) on Macs for Sensor troubleshooting
Environment
- CB Defense PSC Sensor: All versions
- Apple macOS: All supported versions
Resolution
To gather a full data set
- Open Terminal on the affected machine
- To begin logging, enter the following command
sudo fs_usage -w > /Users/user/desktop/trace.csv
- Recreate the issue
- Enter Ctrl + C in Terminal to stop logging and save the file
- Upload the saved file directly to the support case if it is less than 25 MB; if larger, please upload it to CB Vault
To gather a narrower data set if requested by Support
- Gather only network operations
sudo fs_usage -w -f network > /Users/user/desktop/network.csv
- Gather only file system operations
sudo fs_usage -w -f filesys > /Users/user/desktop/filesys.csv
- Exclude specific processes by adding the "-e" option and specifying process names or PIDs
sudo fs_usage -w -e mdworker > /Users/user/desktop/trace.csv
- Include only listed processes by adding a PID or process name to any of the above commands as needed (multiple PIDs or process names can be specified)
sudo fs_usage -w repmgr > /Users/user/desktop/repmgr.csv
or
sudo fs_usage -w -f filesys repmgr > /Users/user/desktop/repmgr.csv
or
sudo fs_usage -w repmgr python bash > /Users/user/desktop/repmgr.csv
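The following script is an added example, not part of the original article or of any Carbon Black tooling. It triages a saved trace before upload: it applies the 25 MB rule from the upload step and counts lines per process so that noisy processes can be identified as candidates for the "-e" option. The function names, the sample lines, and the reading of 25 MB as 25 MiB are assumptions.

```shell
#!/bin/sh
# Added example: triage a saved fs_usage trace before uploading it.

# The article's 25 MB cut-off, taken here as 25 MiB (assumption).
LIMIT_BYTES=$((25 * 1024 * 1024))

# Print "case" when the file is under the limit, otherwise "vault".
upload_target() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -lt "$LIMIT_BYTES" ]; then echo case; else echo vault; fi
}

# Count trace lines per process, busiest first.
# In wide (-w) output the last column is "process.threadid";
# the thread id is stripped and lines are tallied by process name.
# A process name containing spaces is counted by its last word only.
top_processes() {
    awk 'NF > 1 { p = $NF; sub(/\.[0-9]+$/, "", p); n[p]++ }
         END { for (p in n) printf "%d %s\n", n[p], p }' "$1" |
        sort -k1,1nr -k2,2
}

# Write constructed sample lines (not captured from a real machine)
# in the general shape of "fs_usage -w" output to the given file.
make_sample() {
    cat > "$1" <<'EOF'
09:15:01.102334  open      F=5   (R_____)  /tmp/example-a.txt   0.000021   mdworker.48211
09:15:01.102390  read      F=5   B=0x1000                       0.000008   mdworker.48211
09:15:01.104512  stat64                    /tmp/example-b.txt   0.000011   repmgr.1022
09:15:01.104890  close     F=5                                  0.000003   mdworker.48211
09:15:01.110021  lstat64                   /tmp/example-c.txt   0.000009   bash.51200
EOF
}

# Stand-alone use: pass the path of a saved trace file as the first argument.
if [ "$#" -gt 0 ]; then
    echo "Upload to: $(upload_target "$1")"
    top_processes "$1" | head -n 10
fi
```
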
Additional Information
- The fs_usage command requires authentication as an administrator
- The "-w" option gathers more detailed output and doesn't truncate data to fit the Terminal window
- The output file can be saved as either a .csv or .txt document