How To Collect Sensor Logs Locally (Windows)
Article ID: 292181
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Describe the steps needed to collect the CBC Sensor logs from a Windows device locally
Environment
- Carbon Black Cloud Sensor: 2.1.x.x -3.3.x (formerly CB Defense)
- Carbon Black Cloud Sensor: 3.3.x.x and Higher
- Microsoft Windows: All Supported Versions
Resolution
3.6.x.x and Higher
For Sensor Versions Pre-3.3.x.x
$#%This method should only be used upon request from a Carbon Black representative$#%
For Sensor Versions 3.3.x.x and Higher (RepCLI Command Utility)
3.3.x.x thru 3.5.x.x
- Log into the desired device (either directly or via RDP)
- Open a Command line from the Confer Directory 'C:\Program Files\Confer'
- Run the following command 'repcli capture'
C:\Program Files\Confer>repcli capture <LocalOutputPath> Example repcli capture C:\Users\%USERNAME%\Desktop
- Follow the on-screen prompts that show you where the now zipped sensor log file is located
Collecting diagnostic data (this may take a few minutes)... .... Captured diagnostic data in <LocalOutputPath>\psc_sensor.zip
- Rename the zip file to match the name of the device
- Upload the file via https://community.carbonblack.com/groups/cb-vault or upload link provided by Support
For Sensor Versions Pre-3.3.x.x
$#%This method should only be used upon request from a Carbon Black representative$#%
- Log into the desired device (either directly or via RDP)
- Right click cmd.exe
- Click "Run as Administrator"
- Run the following command:
sc query cbdefense
- If the sensor is installed, you will receive a readout of it's current status
- If the sensor is not installed, you will receive an error
- If the sensor is installed, run
sc control cbdefense 128
- Collect the resulting confer_dump.zip file from C:\windows\temp\confer-temp
- Rename the zip file to match the name of the device
- Upload the file via https://community.carbonblack.com/groups/cb-vault or Smartfile link provided by Support
For Sensor Versions 3.3.x.x and Higher (RepCLI Command Utility)
3.3.x.x thru 3.5.x.x
- Log into the desired device (either directly or via RDP)
- Open a Command line from the Confer Directory 'C:\Program Files\Confer'
- Run the following command 'repcli capture'
C:\Program Files\Confer>repcli capture
- Follow the on-screen prompts that show you where the now zipped sensor log file is located
- Rename the zip file to match the name of the device
- Upload the file via https://community.carbonblack.com/groups/cb-vault or Smartfile link provided by Support
Additional Information
- Zip file name example: SampleMachineName_confer_dump.zip
- Commands to execute step 3 in powershell:
cmd.exe /c "sc control cbdefense 128"
.\RepCLI.exe capture
- If repcli capture cannot be used in sensor 3.6 and above, please see Carbon Black Cloud: Where are the sensor logs in Windows Sensor 3.6 and above? and Carbon Black Cloud: Unable to save the Windows Sensor logs on 3.6 and above
Feedback
Yes
No
Powered by
