VMware Carbon Black provides diagnostic tools and scripts for each supported platform. You can easily collect the information most commonly required for troubleshooting.
After gathering the diagnostic file, send it to Red Canary by clicking on your account and choosing Share a File.
Collecting logs for Windows
For Windows endpoints running sensor version 3.6.x.x and higher
- Log into the desired device (either directly or via RDP).
- Open an elevated command prompt and navigate to the Confer directory:
cd C:\Program Files\Confer
- Run the following command: repcli capture
C:\Program Files\Confer>repcli capture <LocalOutputPath>
Example: repcli capture C:\Users\%USERNAME%\Desktop
- Follow the on-screen prompts that show where the zipped sensor log is located.
- Rename the zip file to match the name of the device.
- Upload the file to Red Canary via Share a File.
Collecting logs for macOS
For Apple macOS endpoints running sensor version 3.5.x.x and higher
- Launch your preferred terminal emulator.
- Run the log collection command, writing to an existing directory (the following command is executed on a single line):
sudo /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS/repcli capture <Uninstall_Code> <Destination_Directory>
- Collect logs from <Destination_Directory>.
- Rename the file to match the name of the device.
- Upload the file to Red Canary via Share a File.
Collecting logs for Linux
For Linux endpoints running sensor version 2.7.0 and higher
- Open a terminal emulator.
- Navigate to the Carbon Black directory:
cd /opt/carbonblack/psc/bin
- Run the collectdiags.sh file that is in the directory:
sudo ./collectdiags.sh
To change the output path for where the logs are sent, execute the following command:
sudo ./collectdiags.sh --verbose --debug --output-dir $HOME
- Rename the file to match the name of the device.
- Upload the file to Red Canary via Share a File.
Collecting logs via Live Response
The same steps can be performed via Live Response in the Carbon Black Cloud console.
Note: These instructions assume that Live Response is enabled in the environment. To deter
- Log into your Carbon Black Cloud console.
- Navigate to Inventory > Endpoints
- Locate the endpoint in your inventory. Once the endpoint has been located, look for the Go Live button (it will be an icon that looks like a terminal).
- Click the icon to launch a Live Response session (it can take a few minutes to establish a connection as the request will be granted upon the next sensor check in).
- Once a connection has been established, you can execute the same commands as shared above. The only difference is that in a Live Response session execfg should precede each command.
For example, in Windows you would execute the following command to start the log capture:
execfg repcli capture C:\Users\%USERNAME%\Desktop
Note: the log capturing process can take several minutes to complete. You may or may not see a status appear in the Live Response window. However, once the action has been completed, you should see the prompt return to normal.
- After the log has been captured, you can download the file to your local machine by executing the following command:
get <file path where the log file was saved to>
- After a few moments, you should see a notification in your browser that a file is being downloaded. Navigate to your local downloads directory to verify that the file has been saved.
Note: filenames and extensions are obfuscated when they are downloaded via Live Response. Before uploading the file to Red Canary, please change the filename to the following format: endpointName_logs_YYYY_MM_DD.zip
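The following POSIX shell wrapper is an added example, not a script from the Red Canary article or from Carbon Black. It ties together the Linux collection steps above and the endpointName_logs_YYYY_MM_DD.zip naming convention: the sensor path and collectdiags.sh flags are from the article, while the assumption that the newest file in the output directory is the archive (the article does not document the archive's name), the helper names, and the SHA-256 printout are mine.

```shell
# Added example (not from the Red Canary article or from Carbon Black): a wrapper for
# the Linux collection steps above. The script path and flags come from the article;
# the name collectdiags.sh gives its archive is not documented there, so the wrapper
# takes the newest file written to the output directory. Endpoint name and date are
# taken from hostname(1) and date(1) unless passed explicitly.
set -e

CB_BIN=/opt/carbonblack/psc/bin   # sensor directory named in the article

# Build the filename Red Canary asks for: endpointName_logs_YYYY_MM_DD.zip
# $1 = endpoint name, $2 = date as YYYY-MM-DD
diag_filename() {
    # replace anything outside a safe character set so a host name cannot
    # put path separators or shell-significant characters into the file name
    name=$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')
    day=$(printf '%s' "$2" | tr '-' '_')
    printf '%s_logs_%s.zip' "$name" "$day"
}

# Rename the newest regular file in directory $1 to the required name
# ($2 = endpoint name, $3 = date). Prints the new path; fails if nothing is there.
rename_newest() {
    dir=$1
    newest=$(ls -t "$dir" | head -n 1)
    if [ -z "$newest" ] || [ ! -f "$dir/$newest" ]; then
        echo "no archive found in $dir" >&2
        return 1
    fi
    target="$dir/$(diag_filename "$2" "$3")"
    mv -- "$dir/$newest" "$target"
    printf '%s\n' "$target"
}

# Full procedure: collect into $1 (default ~/cb-diags), rename, and print a SHA-256
# so the recipient can confirm the uploaded archive is the one produced here.
collect_and_rename() {
    outdir=${1:-"$HOME/cb-diags"}
    mkdir -p "$outdir"
    sudo "$CB_BIN/collectdiags.sh" --verbose --debug --output-dir "$outdir"
    archive=$(rename_newest "$outdir" "$(hostname)" "$(date +%Y-%m-%d)")
    sha256sum -- "$archive"
}

# Usage: collect_and_rename "$HOME/cb-diags"
```

rename_newest can also be pointed at your local downloads directory to fix up an archive retrieved through Live Response, whose obfuscated name carries no extension.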