Collect Carbon Black Cloud Sensor Logs Using Live Response

Article ID: 290010


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)
  • Carbon Black Cloud Workload
  • Carbon Black Cloud Audit and Remediation (formerly Cb LiveOps)

Issue/Introduction

Collect Sensor Logs for a remote machine via Live Response

Environment

  • Carbon Black Cloud Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • Linux: All Supported Versions
  • macOS: All Supported Versions

Resolution

Note: Ensure the Sensor you require logs from is online, checking in, and assigned to a policy that has Live Response enabled.

Windows

  1. Log in to the Console
  2. Go to the Endpoints Page
  3. Click on the 'Go Live' icon (>_) to enable a Live Response session
  4. Change Directory to the Sensor's Directory
    cd C:\Program Files\Confer
  5. Run the command:
    execfg repcli capture c:\temp (change c:\temp to any writable location on the endpoint)
  6. You will receive immediate confirmation that the logs are being collected, 'collecting diagnostic data (this may take a few minutes)', followed by confirmation that the logs have been captured, 'Captured diagnostic data in written to c:\temp\psc_sensor.zip'
  7. Run the following command to retrieve and download the captured Sensor Logs to your local machine:
    get c:\temp\psc_sensor.zip (use the location specified in the previous command)
  8. The file downloads to the directory your browser is configured to save downloads to (usually 'Downloads')

Linux

  1. Log in to the Console
  2. Go to the Endpoints Page
  3. Click on the 'Go Live' icon (>_) to enable a Live Response session
  4. Run the Command:
    execfg sudo /opt/carbonblack/psc/bin/collectdiags.sh --verbose --debug --output-dir <Destination_Directory>
  5. The script will complete and display the file name:
    diags_{hostname}_{epoch_time}_{random}.tgz
  6. Run the following command to retrieve and download the captured Sensor Logs to your local machine:
    get <Destination_Directory>/diags_{hostname}_{epoch_time}_{random}.tgz
  7. The file downloads to the directory your browser is configured to save downloads to (usually 'Downloads')

macOS

  1. Log in to the Console
  2. Go to the Endpoints Page
  3. Click on the 'Go Live' icon (>_) to enable a Live Response session
  4. Run the Command:
    exec sudo /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS/repcli capture <Uninstall_Code> <Destination_Directory>
  5. Run the following command to retrieve and download the captured Sensor Logs to your local machine:
    get <Destination_Directory>/confer.zip
  6. The file downloads to the directory your browser is configured to save downloads to (usually 'Downloads')
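The three procedures above end the same way: the capture command reports where it wrote the bundle, and the analyst then issues a Live Response 'get' for that path. The following Python helpers, added here as an example and not part of this article or of Carbon Black's tooling, parse the confirmation text and bundle names the article quotes for Windows (psc_sensor.zip), Linux (diags_{hostname}_{epoch_time}_{random}.tgz) and macOS (confer.zip), build the matching 'get' command, and check that what actually landed in the Downloads folder is a real zip or .tgz rather than, for instance, an HTML page returned when the download failed. The console output strings and the tarball contents in the code are constructed for the demonstration.

```python
"""Added example: parse Live Response capture output and sanity-check the
downloaded diagnostics bundle. Not part of the KB article or of Carbon Black's
own tooling; the sample console output and archive contents are constructed."""
import io
import re
import tarfile
import zipfile
from datetime import datetime, timezone
from typing import Optional

# Windows: 'execfg repcli capture <dir>' reports the zip path on its final line.
WIN_CAPTURE_RE = re.compile(r"written to\s+(?P<path>.+?psc_sensor\.zip)", re.IGNORECASE)

# Linux: collectdiags.sh names its bundle diags_{hostname}_{epoch_time}_{random}.tgz
LINUX_DIAG_RE = re.compile(r"diags_(?P<host>.+?)_(?P<epoch>\d+)_(?P<rand>[^_/\s]+)\.tgz")

# macOS: 'repcli capture' writes confer.zip into the destination directory.
MACOS_BUNDLE_NAME = "confer.zip"


def parse_windows_capture(output: str) -> Optional[str]:
    """Return the psc_sensor.zip path from repcli's confirmation text, or None."""
    m = WIN_CAPTURE_RE.search(output)
    return m.group("path").strip() if m else None


def parse_linux_diag_name(filename: str) -> Optional[dict]:
    """Split a collectdiags.sh bundle name into host, capture time (UTC) and suffix."""
    m = LINUX_DIAG_RE.fullmatch(filename)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "captured_at": datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc),
        "random": m.group("rand"),
    }


def find_linux_bundle(output: str, dest_dir: str) -> Optional[str]:
    """Locate the diags_*.tgz name in the script's output and prefix the destination dir."""
    m = LINUX_DIAG_RE.search(output)
    return f"{dest_dir.rstrip('/')}/{m.group(0)}" if m else None


def get_command(remote_path: str) -> str:
    """The Live Response 'get' command that pulls the bundle to the analyst's machine."""
    return f"get {remote_path}"


def bundle_members(data: bytes) -> list:
    """List archive members after checking the magic bytes match an expected type.
    Raises ValueError for anything that is neither a zip nor a gzip tarball."""
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    if data[:2] == b"\x1f\x8b":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
            return tf.getnames()
    raise ValueError("not a zip or .tgz bundle; the download may be incomplete or an error page")


def make_sample_tgz(names: list) -> bytes:
    """Constructed stand-in for a downloaded diags_*.tgz so the check runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name in names:
            payload = b"sample log line\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed console output modelled on the confirmations the article quotes.
    win_out = ("collecting diagnostic data (this may take a few minutes)\n"
               "Captured diagnostic data in written to c:\\temp\\psc_sensor.zip\n")
    print(get_command(parse_windows_capture(win_out)))

    linux_out = "Diagnostics written to diags_web-01_1700000000_a1b2c3.tgz\n"
    remote = find_linux_bundle(linux_out, "/tmp/cbdiags")
    print(get_command(remote), parse_linux_diag_name(remote.rsplit("/", 1)[1]))

    print(get_command(f"/tmp/cbdiags/{MACOS_BUNDLE_NAME}"))
    print(bundle_members(make_sample_tgz(["diags/sensor.log"])))
```

The magic-byte check in bundle_members is the part worth keeping in a real workflow: a bundle that is not a valid archive should be re-captured before it is attached to a support case, since the zip or tgz header is the quickest way to tell a complete download from a truncated one or a browser error page.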

Additional Information

If the file does not download automatically, this may be due to your browser settings. In that case, click the 'File ready for download' link on the Live Response screen; the file will then either download automatically or prompt for a save location, again depending on your browser settings.