How to Collect Diagnostic Logs for Sensor Performance-Related Issues (Windows)

Article ID: 285741

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

This article describes how to collect the relevant logs on a Microsoft Windows endpoint in order to troubleshoot most performance-related issues. Typical issues include:
  • General system performance issues
  • High CPU/Memory of EDR process
  • High CPU/Memory of third-party applications

Environment

  • EDR Sensor: 6.x and Higher
  • Microsoft Windows: All Supported Versions

Resolution

  1. Log onto the Windows endpoint exhibiting performance issues. 
  2. If necessary, disable CB Tamper Protect: Disable/Enable Tamper Protection
  3. Enable verbose logging (optional): Enable Verbose Debug Logging Locally on Windows Sensor
  4. Required:
    1. For performance issues with another application: Collect a Procmon Capture
    2. For Boot/Login performance issues: EDR: How to collect a Procmon for Boot/Login Sensor Performance
    3. For High CPU issues: Collect a Windows Performance Recorder Trace
    4. For High Memory Issues: EDR: How to Create a Memory Dump during High Memory Usage Troubleshooting (Windows)
  5. Generate a Windows sensor report: Gather logs for Windows Sensor version 6.2.2+
  6. Disable verbose logging (if previously enabled)
  7. Attach all files to the support case.
  8. Update your Carbon Black Technical Support case with further relevant information:
    • Is the performance issue a reproducible scenario and, if so, what steps, if any, are taken to reproduce it? (For example, were any backups, updates, or large file transfers being performed?)
    • How many endpoints are affected? What are their general system profiles and function?
    • What other security applications/real-time scanners are installed?
    • How long do the performance issues last?
    • What actions, if any, return the system performance to normal?
    • Is the endpoint connected to any network shares?
    • Does this endpoint generate a large number of logs, binaries, or PDF reports?
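As an added example for the high CPU case in step 4 (this script is not part of the article or the Carbon Black sensor tooling), the following PowerShell helper records a Windows Performance Recorder CPU trace while the issue is reproduced and, alongside it, samples the sensor process's CPU and working set every few seconds so the support case has a timeline to compare against the trace. It assumes wpr.exe is available on the endpoint, that the script runs from an elevated prompt, and that $ProcessName matches the sensor process on that endpoint (the default is a placeholder to verify in Task Manager).

```powershell
# Added helper, not from the KB article. Run elevated. Assumptions: wpr.exe is
# present, and $ProcessName is the EDR sensor process name on this endpoint.
param(
    [string]$ProcessName     = "cb",            # placeholder; verify on the endpoint
    [int]$DurationSeconds    = 60,              # how long to let the issue reproduce
    [string]$OutRoot         = "C:\CbPerfLogs"
)

$interval = 5
$stamp    = Get-Date -Format "yyyyMMdd-HHmmss"
$outDir   = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Start the Windows Performance Recorder CPU profile, logging to file (step 4.3).
& wpr.exe -start CPU -filemode
if ($LASTEXITCODE -ne 0) { throw "wpr -start failed with exit code $LASTEXITCODE" }

# While the trace runs, sample the sensor process so the .etl can be correlated
# with wall-clock CPU/memory figures. CpuPercent is the process's total CPU time
# over the interval as a percent of one core, so it can exceed 100 on multi-core hosts.
$samples = New-Object System.Collections.Generic.List[object]
$prevCpu = $null
$prevPid = $null
$end     = (Get-Date).AddSeconds($DurationSeconds)
while ((Get-Date) -lt $end) {
    $p = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($null -ne $p) {
        $cpuSec = $p.TotalProcessorTime.TotalSeconds
        # No delta on the first sample, or if the process restarted under a new PID.
        $cpuPct = if ($null -ne $prevCpu -and $p.Id -eq $prevPid) {
            [math]::Round(($cpuSec - $prevCpu) / $interval * 100, 1)
        } else { $null }
        $prevCpu = $cpuSec
        $prevPid = $p.Id
        $samples.Add([pscustomobject]@{
            Time         = Get-Date -Format "o"
            ProcessId    = $p.Id
            CpuPercent   = $cpuPct
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
        })
    }
    Start-Sleep -Seconds $interval
}
$samples | Export-Csv -Path (Join-Path $outDir "sensor-samples.csv") -NoTypeInformation

# Stop the trace and write the .etl next to the samples, then attach the folder.
& wpr.exe -stop (Join-Path $outDir "cpu-trace.etl")
Write-Host "Artifacts written to $outDir"
```

Re-enable Tamper Protection and disable verbose logging afterwards as the steps above describe; the folder is what gets attached to the support case in step 7.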

Additional Information

  • Not all logs above may be required to troubleshoot every performance-related issue.