All Products: Enable CAPI 2 Logging


Article ID: 290177


Updated On:


Carbon Black App Control (formerly Cb Protection), Carbon Black Cloud Endpoint Standard (formerly Cb Defense), Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter), Carbon Black EDR (formerly Cb Response)


Enabling CAPI2 Windows Logging


Microsoft Windows: All Supported Versions


Enable CAPI2 Logging:
  1. Open the Computer Management console by entering the following in the Start -> Run box: compmgmt.msc /s
  2. From the console object tree (left side), expand Event Viewer -> Windows Logs -> Applications and Services Logs -> Microsoft -> Windows -> CAPI2, then select Operational.
  3. From the Actions section (right pane), select "Enable log". (If logging is already enabled, you will only see "Disable log" in the Actions section.)
  4. If logging was already enabled and you have already reproduced the issue, proceed to save the existing logs.
  5. If logging was not enabled previously, reproduce the issue you are encountering. If you are encountering a sensor/agent communication issue, wait 5 minutes and then save the logs. Sensor/agent communication retries happen within a 5-minute interval.
Save and Disable CAPI2 Logging:
  1. In Event Viewer, right-click "Operational".
  2. Select "Save All Events As".
  3. Enter a file name and set "Save as type" to Event Files (.evtx).
  4. Select "Display information for these languages".
  5. Select "English".
  6. Click "OK".
  7. (Optional, if it was disabled previously) Right-click "Operational" and choose "Disable log".
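
The same enable, reproduce, save and restore sequence can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original article or a vendor-supplied script; the output path, the `-CommunicationIssue` switch and the `en-US` locale are assumptions.

```powershell
# Added example: command-line equivalent of the Event Viewer steps above.
param(
    # Assumed output location; change as needed.
    [string]$OutFile = (Join-Path $env:TEMP 'capi2-operational.evtx'),
    # Hypothetical switch: set when troubleshooting sensor/agent communication.
    [switch]$CommunicationIssue
)

$LogName = 'Microsoft-Windows-CAPI2/Operational'

# Record the current state so the log is only disabled if this script enabled it.
$wasEnabled = (Get-WinEvent -ListLog $LogName -ErrorAction Stop).IsEnabled

try {
    if (-not $wasEnabled) {
        # Equivalent of "Enable log" in the Actions pane.
        wevtutil.exe set-log $LogName /enabled:true
        if ($LASTEXITCODE -ne 0) { throw "Could not enable $LogName. Is the prompt elevated?" }

        Read-Host 'CAPI2 logging enabled. Reproduce the issue, then press Enter' | Out-Null

        if ($CommunicationIssue) {
            # Communication retries happen within a 5-minute interval, so wait one out.
            Write-Host 'Waiting 5 minutes for a sensor/agent communication retry...'
            Start-Sleep -Seconds 300
        }
    }

    # Equivalent of "Save All Events As" with type Event Files (.evtx).
    wevtutil.exe export-log $LogName $OutFile /overwrite:true
    if ($LASTEXITCODE -ne 0) { throw "Export of $LogName failed." }

    # Equivalent of "Display information for these languages" -> English.
    # Writes a LocaleMetaData folder next to the .evtx file.
    wevtutil.exe archive-log $OutFile /locale:en-US
    if ($LASTEXITCODE -ne 0) { throw "Could not add en-US display information to $OutFile." }

    Write-Host "Saved $OutFile (include the LocaleMetaData folder beside it)."
}
finally {
    # Restore the original state: disable only if logging was off beforehand.
    if (-not $wasEnabled) {
        wevtutil.exe set-log $LogName /enabled:false
    }
}
```

When sending the results on, include both the `.evtx` file and the `LocaleMetaData` folder created beside it so event descriptions render on another machine.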