Collecting Agent Logs for Rules Not Working (Windows)



Article ID: 290714


Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to collect Agent diagnostics for unexpected Custom Rule behavior.

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

  1. For rules that are User/Group specific: log in as that user when reproducing the issue. Also run the following command as that user and attach the output to the case, so Support can compare the user's actual SID and group memberships with the rule's scope:
    whoami /user /groups > "%userprofile%\Desktop\whoami.txt"
  2. Launch an administrative command prompt and issue the following commands (substitute the agent's Global CLI password for GlobalCLIPassword):
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli password GlobalCLIPassword
    dascli setconfigprop max_rolling_trace_size_mb=0
    dascli flushlogs
    dascli resetcounters
    dascli debuglevel 6
    dascli kerneltrace 4 -1   (Note: there is a space between the 4 and the dash)
    dascli setconfigprop kernelVerboseLogPattern=*<filenameorpathhere>*   (Example: dascli setconfigprop kernelVerboseLogPattern=*blocked.dll*)
    sc control parity 128
  3. Reproduce the issue being reported.
  4. Capture the logs and reduce the logging levels:
    dascli capture "%userprofile%\Desktop\%computername%.zip"
    dascli password GlobalCLIPassword
    dascli debuglevel 0
    dascli kerneltrace 2
    dascli setconfigprop max_rolling_trace_size_mb=50
    dascli setconfigprop kernelVerboseLogPattern=""
  5. Collect a CSV export of the Events the Agent reported to the Console by going to: Reports > Events.
    • Set the Saved View and Group By to (none).
    • Set the Max Age so that it covers the reproduction window.
    • Be sure the Installer, Process, Rule Name, and User columns are included.
    • Set the Filter to the relevant Source (Computer).
    • Click Export to CSV.
  6. Capture a full screenshot of the entire Custom Rule, including all fields/sections.
  7. Upload all collected data (the capture zip, whoami.txt, the Events CSV, and the rule screenshot) to the case.
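The following PowerShell script is an added example and is not part of this article or of the App Control product; it wraps steps 2 through 4 above so that the agent is returned to its normal logging levels even if the capture fails or the operator closes the window early. It assumes the default agent install directory, that dascli.exe accepts the same command words shown above, and that the Global CLI password is supplied as a parameter (it will appear in the console history, so clear it afterwards). Whether dascli.exe signals failure through its exit code is not stated in the article, so a non-zero exit code is only reported as a warning.

```powershell
<#
  Added example (not from the article). Run from an elevated PowerShell prompt:
    .\Collect-RuleTrace.ps1 -CliPassword '<GlobalCLIPassword>' -Pattern 'blocked.dll'
  Assumptions: default install path below; dascli command words as listed in the article;
  a non-zero dascli exit code means failure (undocumented, so only a warning is raised).
#>
param(
    [Parameter(Mandatory = $true)] [string] $CliPassword,   # the agent's Global CLI password
    [Parameter(Mandatory = $true)] [string] $Pattern,       # file name or path fragment, e.g. blocked.dll
    [string] $AgentDir = "${env:ProgramFiles(x86)}\Bit9\Parity Agent",
    [string] $OutZip   = "$env:USERPROFILE\Desktop\$env:COMPUTERNAME.zip"
)

$dascli = Join-Path $AgentDir 'dascli.exe'
if (-not (Test-Path $dascli)) {
    throw "dascli.exe not found at '$dascli'; pass -AgentDir if the agent is installed elsewhere."
}

function Invoke-Dascli {
    # Runs one dascli command with the given arguments and echoes what was run.
    param([Parameter(ValueFromRemainingArguments = $true)] [string[]] $CliArgs)
    Write-Host "dascli $($CliArgs -join ' ')"
    & $dascli @CliArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dascli $($CliArgs[0]) returned exit code $LASTEXITCODE"
    }
}

try {
    # Step 2: raise logging to verbose and scope the kernel trace to the file of interest.
    Invoke-Dascli password $CliPassword
    Invoke-Dascli setconfigprop max_rolling_trace_size_mb=0
    Invoke-Dascli flushlogs
    Invoke-Dascli resetcounters
    Invoke-Dascli debuglevel 6
    Invoke-Dascli kerneltrace 4 -1
    Invoke-Dascli setconfigprop "kernelVerboseLogPattern=*$Pattern*"

    # In Windows PowerShell 'sc' is an alias for Set-Content, so call sc.exe explicitly.
    # Control code 128 makes the agent re-expand its custom rules.
    sc.exe control parity 128

    # Step 3: reproduce while tracing is on.
    $null = Read-Host 'Reproduce the rule issue now, then press Enter to capture the logs'

    # Step 4a: capture the diagnostics zip.
    Invoke-Dascli capture $OutZip
    Write-Host "Capture written to $OutZip"
}
finally {
    # Step 4b: always restore normal logging, even if the capture step threw.
    Invoke-Dascli password $CliPassword
    Invoke-Dascli debuglevel 0
    Invoke-Dascli kerneltrace 2
    Invoke-Dascli setconfigprop max_rolling_trace_size_mb=50
    # Single-quoted so the literal "" reaches dascli exactly as in the cmd.exe version.
    Invoke-Dascli setconfigprop 'kernelVerboseLogPattern=""'
}
```

The try/finally is the point of the wrapper: debuglevel 6 with an unbounded rolling trace (max_rolling_trace_size_mb=0) is not something to leave running on a production endpoint, and a failed capture or a closed window should not leave the agent in that state. Step 1 (whoami for user-scoped rules) is deliberately not included because it must run as the affected user, not as the administrator.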

Additional Information

  • The command "sc control parity 128" works as written only in a command prompt: in Windows PowerShell, "sc" is an alias for the Set-Content cmdlet, so use "sc.exe control parity 128" there. The control code causes the agent to re-expand its custom rules, which is why it is sent after the logging changes and before the reproduction.
  • If the issue cannot be reproduced while tracing is enabled, this level of detail will not provide the required insight, and a separate process for capturing diagnostic information may be needed.