VMware Carbon Black provides diagnostic tools and scripts for each supported platform. You can easily collect the information most commonly required for troubleshooting.
After gathering the diagnostic file, send it to Red Canary by clicking on your account and choosing Share a File.
Gather diagnostics on Windows
Gather diagnostics for sensor versions 6.2.1 and below
- Obtain the diagnostic tool via the official VMware Carbon Black Community, or have it sent to you by creating a Red Canary support case.
- Gather diagnostics by extracting the package and executing the binary with administrative privileges.
- When prompted, press 0 to begin. It may take up to 10 minutes to complete the process.
Once complete, a new archive will be created in the local folder where you saved the diagnostic tool and will be named after the time of generation, e.g., 2020-09-01_07_23_45.diag.gz.
Gather diagnostics for sensor versions 6.2.2 and above
Note: .NET 4.5 or higher needs to be installed for this tool to work.
- Open a command prompt as administrator.
- Change the directory to C:\Windows\CarbonBlack
- Run the diagnostic tool by running the following command:
Sensordiag.exe -type CDE
- Collect the output file at C:\Windows\CarbonBlack\Diags\<filename>.zip
Gather diagnostics remotely via a Live Response session
- Open a Live Response session with the endpoint.
- Run the following command:
execfg sensordiag.exe -type CDE
- Navigate to the Diag directory to confirm the presence of the newly generated diagnostic file.
cd Diags
Note: The filename will appear in the following format: YYYY-MM-DD_HH-MM-SS.diag.zip
- Download the file to the local machine.
get <name of the diagnostic file that was confirmed in the step above>
Note: The file will be downloaded to the machine of the user that has executed the above commands. Check the downloads directory or the directory that is configured in the browser for where downloaded files are saved to.
Gather diagnostics on Linux
Execute the diagnostic script
- Run the following command in a terminal session as root:
Sensor version 6.1.x
/opt/cbsensor/sensordiag.sh
Sensor version 6.2.x
/opt/carbonblack/response/bin/sensordiag.sh
- When complete, the diagnostic package will be created in the local working directory and named as follows:
sensordiag_<Hostname>_<SensorVersion>_<TimeStamp>.tgz
Gather diagnostics remotely via Live Response
- Open a Live Response session with the endpoint.
- Run the following command for your sensor version:
execfg /opt/carbonblack/response/bin/sensordiag.sh
- Use the get command, followed by the .tgz file name, to obtain the resulting diagnostic package:
get sensordiag_<Hostname>_<SensorVersion>_<TimeStamp>.tgz
Gather diagnostics on macOS
Gather diagnostics for sensor versions 6.1.9 and below
- Navigate to the Carbon Black directory.
- Open the terminal and change to the Carbon Black installation directory:
cd /Applications/CarbonBlack/
- Execute the diagnostic script. The script requires elevated permissions to gather certain files:
sudo ./sensordiag.sh
- The diagnostic package will be created in the current working directory, named using the following convention:
sensordiag_<Hostname>_<SensorVersion>_<TimeStamp>.zip
Gather diagnostics for sensor versions 6.2.x-6.3.0
- Navigate to the Carbon Black directory.
- Open the terminal and run the following command:
sudo /Applications/CarbonBlack/sensordiag -type CDE
- Optionally, gather logs from a specified date and later:
sudo /Applications/CarbonBlack/sensordiag -type CDE -startdate 2018-06-29
Gather diagnostics for sensor versions 7.0 and above
Note: Spaces in macOS directory names need to be preceded by a "\".
- Navigate to the Carbon Black directory.
- Open the terminal and run the following command:
sudo /Applications/VMware\ Carbon\ Black\ EDR.app/Contents/Helpers/sensordiag -type CDE
- Optionally, gather logs from a specified date and later:
sudo /Applications/VMware\ Carbon\ Black\ EDR.app/Contents/Helpers/sensordiag -type CDE -startdate 2018-06-29
The diagnostic package will be created in the current working directory and named using the following convention: sensordiag_<Hostname>_<SensorVersion>_<TimeStamp>.zip
Gather diagnostics remotely via Live Response
- Open a Live Response session with the endpoint.
- Run the command for your sensor version. For example:
execfg /Applications/VMware\ Carbon\ Black\ EDR.app/Contents/Helpers/sensordiag -type CDE
- Use the get command, followed by the .zip file name, to obtain the resulting diagnostic package. For example:
get ./sensordiag-computer-CDE-2021-05-03_00-00-00_-0600-2021-05-03_16-32-30_-0600.zip
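The Linux and macOS procedures above share one shape: run whichever sensordiag tool the installed sensor generation ships, then pick up the sensordiag_<Hostname>_<SensorVersion>_<TimeStamp> package it writes to the working directory. The script below is an added example, not Carbon Black's tooling or part of the Red Canary procedure. It wraps those steps so the right path is chosen automatically (including the macOS 7.x path with spaces, which it handles by quoting rather than backslash escapes), locates the newest package, and prints a SHA-256 digest to note in the support case so the uploaded file can be checked against what was generated. The candidate paths and the -type CDE argument come from the procedures above; the optional ROOT argument, the --run flag and the file name in the usage comment are assumptions of this script, added so it can be staged and tested without a live sensor.

```shell
#!/bin/sh
# Added helper, not part of the Carbon Black sensor or the Red Canary procedure.
# Finds the installed sensordiag tool (paths taken from the procedures above),
# runs it, picks the newest package it produced, and prints a SHA-256 digest to
# record in the support case alongside the uploaded file.
#
# ROOT (optional, an assumption of this script for staging and testing) is
# prefixed to every candidate path; leave it empty on a real endpoint.

find_sensordiag() {
    root=${1:-}
    # The macOS 7.x path contains spaces, so every expansion is double-quoted
    # instead of relying on backslash escapes.
    for candidate in \
        "$root/opt/carbonblack/response/bin/sensordiag.sh" \
        "$root/opt/cbsensor/sensordiag.sh" \
        "$root/Applications/VMware Carbon Black EDR.app/Contents/Helpers/sensordiag" \
        "$root/Applications/CarbonBlack/sensordiag" \
        "$root/Applications/CarbonBlack/sensordiag.sh"
    do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

newest_package() {
    # $1: directory the tool was run from. Prints the newest diagnostic
    # package found there, judged by modification time.
    dir=${1:-.}
    newest=""
    for f in "$dir"/sensordiag*.tgz "$dir"/sensordiag*.zip \
             "$dir"/*.diag.zip "$dir"/*.diag.gz; do
        [ -f "$f" ] || continue        # an unmatched glob stays literal; skip it
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

package_digest() {
    # SHA-256 of the package, using whichever tool the host provides
    # (sha256sum on Linux, shasum on macOS, openssl as a last resort).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

collect_diagnostics() {
    # Must run as root (sudo), as the procedures above require. The package is
    # written to the current working directory, so run this from where you
    # want it to land.
    tool=$(find_sensordiag "${1:-}") || { echo "no sensordiag tool found" >&2; return 1; }
    case "$tool" in
        *.sh) "$tool" ;;               # 6.x shell-script variants take no arguments
        *)    "$tool" -type CDE ;;     # sensordiag binaries (macOS 6.2+ / 7.x)
    esac
    pkg=$(newest_package .) || { echo "no diagnostic package produced" >&2; return 1; }
    printf 'package: %s\nsha256:  %s\n' "$pkg" "$(package_digest "$pkg")"
}

# Usage (file name is an assumption):  sudo sh collect_cb_diag.sh --run
if [ "${1:-}" = "--run" ]; then
    collect_diagnostics
fi
```

The printed digest is what you would paste into the support case next to the Share a File upload; recomputing it on the received copy confirms the package was not truncated or altered in transit.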