EDR: How to Enable Logging for VDI SensorID Lookup

Article ID: 291127

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

This article describes how to enable debug logging for the NewRegistrationCallback class, which handles the sensor ID lookup by default.

Environment

  • EDR: All Supported Versions

Resolution

  1. Back up the /etc/cb/sensorservices-logger.conf file. (optional)
  2. Edit /etc/cb/sensorservices-logger.conf.
  3. Add "cb.sensor" to the end of the comma-separated keys list in the [loggers] section:
[loggers]
keys=root, gunicorn.access, cb.sensor
  4. Append a new "logger" section at the end of the file:
[logger_cb.sensor]
level=DEBUG
handlers=debug_syslog
propagate=0
qualname=cb.sensor
  5. Save all changes to the file.
  6. Verify that the changes were effective:
# grep logger /var/log/cb/sensorservices/debug.log
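
Steps 1 through 4 as a repeatable script, useful when the same change has to be made on several servers. This is an added example, not part of the original article or vendor tooling; the function name enable_cb_sensor_debug and the .bak backup suffix are assumptions.

```shell
#!/bin/sh
# Added example: apply the logger-config steps idempotently.
# enable_cb_sensor_debug is a hypothetical helper name; the default path is the
# one given in the article.
enable_cb_sensor_debug() {
    conf="${1:-/etc/cb/sensorservices-logger.conf}"
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }

    # Back up once; a later run must not overwrite the pristine copy.
    if [ ! -f "$conf.bak" ]; then cp -p "$conf" "$conf.bak" || return 1; fi

    # Work on a copy that inherits the original's mode and ownership.
    tmp="$(mktemp "$conf.XXXXXX")" || return 1
    cp -p "$conf" "$tmp" || { rm -f "$tmp"; return 1; }

    # Append cb.sensor to keys= in the [loggers] section only, if absent.
    awk '
        /^\[/ { in_loggers = ($0 ~ /^\[loggers\][ \t]*$/) }
        in_loggers && /^keys[ \t]*=/ {
            n = split(substr($0, index($0, "=") + 1), k, ",")
            found = 0
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", k[i])
                if (k[i] == "cb.sensor") found = 1
            }
            if (!found) { sub(/[ \t]+$/, ""); $0 = $0 ", cb.sensor" }
        }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Append the [logger_cb.sensor] section once.
    if ! grep -q '^\[logger_cb\.sensor\]' "$tmp"; then
        printf '\n[logger_cb.sensor]\nlevel=DEBUG\nhandlers=debug_syslog\npropagate=0\nqualname=cb.sensor\n' >> "$tmp"
    fi

    # Leave the file untouched when nothing changed.
    if cmp -s "$tmp" "$conf"; then rm -f "$tmp"; return 0; fi
    # Rename within the same directory, so readers never see a partial file.
    mv "$tmp" "$conf"
}
```

Run it as root with no argument to edit the default path, then use the grep command from the verification step to confirm the reload.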

 

Additional Information

  • Restarting the EDR server or cluster is unnecessary. 
  • The new config will become active within ~15 seconds. 
  • The resulting log messages are recorded to /var/log/cb/sensorservices/debug.log 
  • Sample log file entry: 
2019-01-02 10:45:33 [12625] <warning> cb.utils.cb_logging - Detected new logger config, '/etc/cb/sensorservices-logger.conf'. reloading...
  • Sample successful VDI sensor registration entry: 
2019-01-02 10:45:55 [12626] <debug> cb.sensor.engine - Found sensor id [2] for hostname [DESKTOP-1H8OD3S @ DESKTOP-1H8OD3S] 
2019-01-02 10:45:55 [12626] <info> cb.sensor.engine - Correlated sensor registration for sensor 2 using NewRegistrationCallback
  • To revert to the original configuration, replace the modified sensorservices-logger.conf file with the backup. This will require a restart of the EDR services. 
  • These debug messages have minimal impact on the system. It's generally safe to let this debug logging run for an extended period of time.