Collect Historical Carbon Black Cloud Sensor Logs


Article ID: 292322


Updated On:

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

This guide details the methods for retrieving historical sensor logs from a Carbon Black Cloud endpoint. It covers both local collection on the endpoint itself and remote collection through a Live Response session from the console.

Environment

  • Carbon Black Cloud Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions
  • Linux: All Supported Versions

Resolution

Microsoft Windows

Locally

Agent Version 4.2+

Sensors 4.2 and later are diagnosed with SymDiag. See the article Download SymDiag v3 to detect product issues for the download and usage instructions.

Agent Version 4.1 or below

  1. Open an administrative command prompt
  2. Run the commands (the capture is written to <LocalOutputPath>\psc_sensor.zip):
    cd "C:\Program Files\Confer"
    repcli capture <LocalOutputPath>
    -- Example: repcli capture C:\Users\%USERNAME%\Desktop

Remotely Via Live Response

Agent Version 4.2+

Carbon Black Cloud now uses SymDiag.

  1. Download SymDiag V3 to your local machine
  2. Login to the Carbon Black Cloud Console
  3. Navigate to the Inventory > Endpoints Page
  4. Click on the 'Go Live' icon (>_) to enable a Live Response session
  5. Create and change to the directory on the remote machine that SymDiag will run from, for example:
    mkdir c:\temp\SymDiag
    cd c:\temp\SymDiag
  6. Upload SymDiag from your local machine; put copies a local file into the session's current directory:
    put c:\temp\SymDiag -- Change to the local path where you saved the SymDiag executable
  7. Run SymDiag:
    execfg SymDiagWin sd-s sd-base C:\temp\SymDiag sd-dest --dir "C:\temp\SymDiag" sd-log log
  8. Once complete, a file named <DeviceName>__<Year-Month-Day__Hour-Minute-Second>.sdz3 will be created in that directory.
  9. Retrieve and download the logs to your local machine
    get <filename>.sdz3
  10. The file will download to whichever directory your browser is configured to download to (usually 'Downloads').
  11. If the downloaded file no longer ends in .sdz3, rename it so that it has the .sdz3 extension before opening it with SymDiag Viewer v3.

Agent Version 4.1 or below

  1. Login to the Carbon Black Cloud Console
  2. Navigate to the Inventory > Endpoints Page
  3. Click on the 'Go Live' icon (>_) to enable a Live Response session
  4. Change Directory to the Sensor's Directory
    cd C:\Program Files\Confer
  5. Run the command:
    execfg repcli capture c:\temp -- Change to desired writeable location
  6. The session immediately prints 'collecting diagnostic data (this may take a few minutes)', followed on completion by 'Captured diagnostic data written to c:\temp\psc_sensor.zip'
  7. Retrieve and download the logs to your local machine 
    get c:\temp\psc_sensor.zip -- Change to location specified in previous command
  8. The file will download to whichever directory you have specified to download to (usually 'Downloads')

Linux

Locally

  1. Launch preferred terminal emulator
  2. Run the log collection command; the output directory must already exist:
    sudo /opt/carbonblack/psc/bin/collectdiags.sh --verbose --debug --output-dir <Destination_Directory>

Remotely Via Live Response

  1. Login to the Carbon Black Cloud Console
  2. Navigate to the Inventory > Endpoints Page
  3. Click on the 'Go Live' icon (>_) to enable a Live Response session
  4. Run the Command:
    execfg sudo /opt/carbonblack/psc/bin/collectdiags.sh --verbose --debug --output-dir <Destination_Directory>
  5. When the script completes it prints the name of the archive it wrote:
    diags_{hostname}_{epoch_time}_{random}.tgz
  6. Retrieve and download the logs to your local machine:
    get <Destination_Directory>/diags_{hostname}_{epoch_time}_{random}.tgz
  7. The file will download to whichever directory you have specified to download to (usually 'Downloads')

macOS

Locally

  1. Launch preferred terminal emulator
  2. Run the log collection command; the output directory must already exist:
    sudo /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS/repcli capture <Uninstall_Code> <Destination_Directory>

Remotely Via Live Response

  1. Login to the Carbon Black Cloud Console
  2. Navigate to the Inventory > Endpoints Page
  3. Click on the 'Go Live' icon (>_) to enable a Live Response session
  4. Run the Command:
    execfg sudo "/Applications/VMware Carbon Black Cloud/repcli.bundle/Contents/MacOS/repcli" capture <GlobalDeregistrationCode> <DestinationDirectory>
  5. Retrieve and download the logs to your local machine:
    get <Destination_Directory>/confer.zip
  6. The file will download to whichever directory you have specified to download to (usually 'Downloads')
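The Linux and macOS local-collection steps above leave the practitioner with an archive in <Destination_Directory> and no record of what was produced. The following shell script is an added example, not code from the article or from Carbon Black: it runs the collector, creates the destination directory owner-only (the bundle contains sensor configuration and local event data), locates the newest archive matching the documented output name, validates that name against the pattern diags_{hostname}_{epoch_time}_{random}.tgz from the Linux section, and writes a SHA-256 manifest beside it so the copy pulled back with get or scp can be verified after transfer. It goes beyond the Linux case in one way: setting ARCHIVE_GLOB to confer.zip makes the locate-and-checksum part apply to the macOS capture as well (the macOS repcli invocation itself is not wrapped). The collector path and flags are the ones the article lists; the COLLECTOR, SUDO and ARCHIVE_GLOB variables, the .sha256 manifest convention and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original article): wrap the Linux sensor log
# collector, then locate, validate and checksum the archive it produces.
# Assumptions: COLLECTOR is the collectdiags.sh path from the article;
# ARCHIVE_GLOB matches its documented output name (diags_*.tgz on Linux,
# confer.zip on macOS); the .sha256 manifest is this script's own convention.
set -eu

COLLECTOR="${COLLECTOR:-/opt/carbonblack/psc/bin/collectdiags.sh}"
ARCHIVE_GLOB="${ARCHIVE_GLOB:-diags_*.tgz}"
# Privilege prefix: the collector reads root-owned sensor state, so the
# article runs it under sudo. Drop the prefix when already root.
SUDO="${SUDO-sudo}"
if [ "$(id -u)" -eq 0 ]; then SUDO=""; fi

# Destination directory, owner-only: other local users must not read the bundle.
prepare_outdir() {
  mkdir -p "$1"
  chmod 700 "$1"
}

# Run the collector exactly as the article documents it.
run_collector() {
  $SUDO "$COLLECTOR" --verbose --debug --output-dir "$1"
}

# Print the newest file in $1 matching ARCHIVE_GLOB; fail if there is none,
# so a stale archive from an earlier run is not mistaken for this one.
newest_archive() {
  dir="$1"; newest=""
  for f in "$dir"/$ARCHIVE_GLOB; do
    [ -e "$f" ] || continue
    if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest="$f"; fi
  done
  [ -n "$newest" ] || return 1
  printf '%s\n' "$newest"
}

# Validate a Linux archive name against diags_{hostname}_{epoch_time}_{random}.tgz
# and print "hostname epoch random". Returns 1 for anything else, so a foreign
# or mistyped file name is never pulled back by mistake.
parse_archive_name() {
  name="$(basename "$1")"
  case "$name" in
    diags_*_*_*.tgz) ;;
    *) return 1 ;;
  esac
  rest="${name#diags_}"; rest="${rest%.tgz}"
  random="${rest##*_}"; rest="${rest%_*}"
  epoch="${rest##*_}"; host="${rest%_*}"
  case "$epoch" in
    ''|*[!0-9]*) return 1 ;;   # epoch_time must be all digits
  esac
  printf '%s %s %s\n' "$host" "$epoch" "$random"
}

# Write <archive>.sha256 next to the archive (sha256sum on Linux, shasum on macOS).
write_manifest() {
  archive="$1"; manifest="$1.sha256"
  if command -v sha256sum >/dev/null 2>&1; then
    (cd "$(dirname "$archive")" && sha256sum "$(basename "$archive")") > "$manifest"
  else
    (cd "$(dirname "$archive")" && shasum -a 256 "$(basename "$archive")") > "$manifest"
  fi
  printf '%s\n' "$manifest"
}

# Full run: prepare, collect, locate, validate, checksum. Prints the archive path.
collect_sensor_logs() {
  outdir="$1"
  prepare_outdir "$outdir"
  run_collector "$outdir"
  archive="$(newest_archive "$outdir")" || {
    echo "no archive matching $ARCHIVE_GLOB in $outdir" >&2; return 1; }
  if fields="$(parse_archive_name "$archive")"; then
    set -- $fields
    # The hostname embedded in the name should be this machine's.
    [ "$1" = "$(uname -n)" ] || echo "warning: archive host '$1' is not $(uname -n)" >&2
  fi
  write_manifest "$archive" >/dev/null
  printf '%s\n' "$archive"
}
```

Usage on an endpoint: `. ./collect_sensor_logs.sh; collect_sensor_logs /var/tmp/cbc-diags` prints the archive path; `get /var/tmp/cbc-diags/diags_<host>_<epoch>_<random>.tgz` and the matching `.sha256` can then be retrieved over Live Response and checked with `sha256sum -c`. For the macOS capture, export `ARCHIVE_GLOB=confer.zip` and run the article's repcli command in place of `run_collector`.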

Additional Information

If the file does not automatically download using Live Response, this may be due to:

  • Browser settings: click the 'File ready for download' link on the Live Response screen, at which point the file will either download automatically or prompt for a save location (again, depending on web browser settings)
  • Missing Live Response firewall rules