Issue
How do I collect diagnostic logs for my Mac or Windows Endpoints?
Environment
CrowdStrike
Resolution
Collecting Diagnostic logs from your Mac Endpoint:
The Falcon Sensor for Mac has a built-in diagnostic tool, and its functionality includes generating a sysdiagnose output that you can then supply to Support when investigating sensor issues.
To use it, you'll need sudo access on the Mac host. From a terminal, enter the command that matches your sensor version:
- Falcon Sensor for Mac 6.11 and above:
sudo /Applications/Falcon.app/Contents/Resources/falconctl diagnose
- Falcon Sensor for Mac 5.41 and below:
sudo /Library/CS/falconctl diagnose
You will see a status bar in the terminal while the diagnostic is performed. This process can take 10 minutes to complete. Once finished, the path to the file is displayed in your terminal session, and a Finder window opens on the directory /private/tmp; the sysdiagnose file there will have a name similar to falconctl_diagnose_4APo7TWJ.tgz
Attach the file that appears in /private/tmp to your Support case.
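The Mac procedure above is easy to script when you have to gather diagnostics from several hosts. The following helper is an added example, not code from CrowdStrike or the Falcon sensor: it selects the falconctl binary for the installed sensor generation (the 6.11+ path is tried first, then the legacy path), runs the diagnostic, picks up only an archive written after the run started (so an old tgz left in /private/tmp is not sent by mistake), and records the archive's SHA-256 for the case notes. The function names, the `make_sample_dir` fixture and the choice to require the archive to be newer than the start time are assumptions of this example.

```python
import glob
import hashlib
import os
import subprocess
import tempfile
import time

# Hypothetical helper, not CrowdStrike's own tooling. Paths are the ones the
# article documents; the newer location is tried first.
FALCONCTL_CANDIDATES = (
    "/Applications/Falcon.app/Contents/Resources/falconctl",  # sensor 6.11 and above
    "/Library/CS/falconctl",                                  # sensor 5.41 and below
)
DIAG_DIR = "/private/tmp"  # where "falconctl diagnose" writes its .tgz


def falconctl_path(candidates=FALCONCTL_CANDIDATES, exists=os.path.exists):
    """Return the first falconctl path present on this host.

    `exists` is injectable so the selection logic can be exercised on a
    machine without the sensor installed.
    """
    for path in candidates:
        if exists(path):
            return path
    raise FileNotFoundError("falconctl not found; is the Falcon sensor installed?")


def newest_diagnose_archive(directory=DIAG_DIR, since=None):
    """Return the newest falconctl_diagnose_*.tgz in `directory`, or None.

    When `since` (a Unix timestamp) is given, archives modified before it are
    ignored, so leftovers from an earlier run are never picked up.
    """
    matches = glob.glob(os.path.join(directory, "falconctl_diagnose_*.tgz"))
    if since is not None:
        matches = [p for p in matches if os.path.getmtime(p) >= since]
    if not matches:
        return None
    return max(matches, key=os.path.getmtime)


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large archive does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def run_diagnose():
    """Run the diagnostic (prompts for sudo) and return (archive_path, sha256)."""
    ctl = falconctl_path()
    started = time.time() - 1  # one-second slack for filesystem timestamp granularity
    # falconctl draws its own progress bar, so let it inherit the terminal.
    subprocess.run(["sudo", ctl, "diagnose"], check=True)
    archive = newest_diagnose_archive(since=started)
    if archive is None:
        raise RuntimeError(f"no new falconctl_diagnose_*.tgz found in {DIAG_DIR}")
    return archive, sha256_file(archive)


def make_sample_dir():
    """Constructed fixture (not real sensor output): two empty archives with
    different mtimes, so the newest-first selection can be checked offline."""
    directory = tempfile.mkdtemp(prefix="falcon_diag_")
    older = os.path.join(directory, "falconctl_diagnose_AAAAAAAA.tgz")
    newer = os.path.join(directory, "falconctl_diagnose_BBBBBBBB.tgz")
    for path, ts in ((older, 1_600_000_000), (newer, 1_600_000_100)):
        open(path, "wb").close()
        os.utime(path, (ts, ts))
    return directory, older, newer


if __name__ == "__main__":
    path, digest = run_diagnose()
    print(f"Attach to your Support case: {path}")
    print(f"SHA-256 to record in the case notes: {digest}")
```

Recording the hash when the archive is produced lets Support confirm that the file attached to the case is the one the host generated, and the `since` filter is the check that matters when a host has been diagnosed before.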
Collecting Diagnostic logs from your Windows Endpoint:
NOTE: The process for collecting diagnostic logs from a Windows Endpoint is slightly more involved. Which logs you collect also depends on what your CrowdStrike Support Engineer is asking for.
The first and easiest method is as follows:
NOTE: You will need to export your logs in their native directory structure and format (such as .evtx for sensor operations logs). This helps our support team diagnose sensor issues accurately and efficiently.
| Log type | Enabled by default | Location | Rotation | Retention |
| --- | --- | --- | --- | --- |
| Sensor operations | No | In Windows Event Viewer under Windows Logs > System. Look for the label CSAgent. | Based on OS or group policy settings | Based on OS or group policy settings |
| Sensor installation (installation, uninstallation, upgrades, or downgrades) | Yes | If initiated by a user: %LOCALAPPDATA%\Temp. If initiated by the CrowdStrike cloud: %SYSTEMROOT%\Temp | Based on OS or group policy settings | Based on OS or group policy settings |
Sensor operational logs
The sensor's operational logs are disabled by default. To enable or disable logging on a host, you must update specific Windows registry entries.
Enable logging
- Create a file with the extension .reg, such as myfile.reg.
- Copy and paste the following into your file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default]
"AFLAGS"=hex:03,00,00,00
- Open a command prompt and run the following command to enable logging:
regedit myfile.reg
Disable logging
- Create a file with the extension .reg, such as myfile.reg.
- Copy and paste the following into your file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default]
"AFLAGS"=hex:00,00,00,00
- Open a command prompt and run the following command to disable logging:
regedit myfile.reg
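The two .reg files above differ only in the AFLAGS bytes, and the hex list in a .reg file is the REG_BINARY value written least-significant byte first, so hex:03,00,00,00 is the integer 3 and hex:00,00,00,00 is 0. The helper below is an added example, not CrowdStrike tooling: it generates either file from the key and value documented above, validates a .reg file before it is imported (so a typo in the key path or in the byte list is caught on the admin's workstation rather than silently written to the host), and, on Windows only, reads the live value back so the change can be confirmed. `regedit /s` is the standard switch for a silent import; the function names, `is_valid_reg` and the decision to write the file as UTF-16 are assumptions of this example.

```python
import platform
import re
import subprocess

# Hypothetical helper, not part of the Falcon sensor. Key and value are the ones
# the article documents; AFLAGS is REG_BINARY and its .reg hex bytes are
# little-endian.
CS_LOG_KEY = (r"SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}"
              r"\{16e0423f-7058-48c9-a204-725362b67639}\Default")
AFLAGS_ENABLE = 0x03   # "AFLAGS"=hex:03,00,00,00 in the article
AFLAGS_DISABLE = 0x00  # "AFLAGS"=hex:00,00,00,00 in the article

_AFLAGS_LINE = re.compile(r'^"AFLAGS"=hex:([0-9a-fA-F,]+)\s*$', re.MULTILINE)


def build_reg_file(flags):
    """Return the text of a .reg file that sets AFLAGS to the 32-bit value `flags`."""
    hex_bytes = ",".join(f"{b:02x}" for b in flags.to_bytes(4, "little"))
    return (
        "Windows Registry Editor Version 5.00\r\n"
        "\r\n"
        f"[HKEY_LOCAL_MACHINE\\{CS_LOG_KEY}]\r\n"
        f'"AFLAGS"=hex:{hex_bytes}\r\n'
    )


def parse_aflags(reg_text):
    """Decode AFLAGS from .reg text; raise ValueError if the file is not what we expect."""
    if CS_LOG_KEY not in reg_text:
        raise ValueError("file does not target the CrowdStrike logging key")
    match = _AFLAGS_LINE.search(reg_text)
    if match is None:
        raise ValueError('no "AFLAGS"=hex:... line found')
    data = bytes(int(b, 16) for b in match.group(1).split(",") if b)
    if len(data) != 4:
        raise ValueError(f"AFLAGS must be 4 bytes, got {len(data)}")
    return int.from_bytes(data, "little")


def is_valid_reg(reg_text):
    """True when the text is a well-formed enable or disable file for this key."""
    try:
        return parse_aflags(reg_text) in (AFLAGS_ENABLE, AFLAGS_DISABLE)
    except ValueError:
        return False


def logging_enabled(flags):
    """Interpret a decoded AFLAGS value."""
    return flags == AFLAGS_ENABLE


def write_reg_file(path, flags):
    """Write the .reg file; UTF-16 (with BOM) is the encoding regedit itself exports."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(build_reg_file(flags))


def import_reg_file(path):
    """Import silently from an elevated prompt (/s suppresses regedit's confirmation dialog)."""
    subprocess.run(["regedit", "/s", path], check=True)


def read_live_aflags():
    """Current AFLAGS from the live registry, or None when not running on Windows."""
    if platform.system() != "Windows":
        return None
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CS_LOG_KEY) as key:
        value, value_type = winreg.QueryValueEx(key, "AFLAGS")
    if value_type == winreg.REG_BINARY:
        return int.from_bytes(value, "little")
    return int(value)


if __name__ == "__main__":
    write_reg_file("myfile.reg", AFLAGS_ENABLE)
    with open("myfile.reg", encoding="utf-16") as fh:
        print("file valid:", is_valid_reg(fh.read()))
```

Validate before importing and read back after: the sensor only honours the value once it is written under exactly this key, and a .reg file that imports without error but targets the wrong path changes nothing while looking successful.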
The second option for collecting diagnostic logs from your Windows Endpoint is as follows:
CrowdStrike Support will often ask for a CSWinDiag collection on your Windows host when you are having an issue with the Falcon sensor. CSWinDiag gathers information about the state of the Windows host as well as log files and packages them into an archive file which you can send to CS Support, either in an open case (view CASES from the menu in the Support Portal) or by opening a new case.
Downloading CSWinDiag
There are two ways to download the latest version of CSWinDiag, version 1.4 as of October 26, 2020:
- In your Falcon console, navigate to Support → Tool Downloads. Download the latest version available.
- The file is also attached to this article. Find it all the way at the bottom of this page. You can verify the file's integrity by its SHA256 hash: 8c261f955ceafd235914b23a83281335f19e2d90af125eb467f54a63831e9ff1
What does CSWinDiag Gather?
- Troubleshooting Windows Sensors - Installation Issues:
- Sensor installation logs from %TEMP% (aka %LOCALAPPDATA%\temp)
- Sensor cloud update logs from %SYSTEMROOT%\temp
- Sensor crash dump files if present in %SYSTEMROOT%\system32\drivers\crowdstrike\support\crashdumps
- Log files from %SYSTEMROOT%\INF\setupapi*.log
- Windows installer configuration, registration data, and listings of installer cached files
- Firewall rules and filter troubleshooting data
- CrowdStrike registry keys
- Microsoft system, NIC, and hot fix details
- Currently installed programs and registered AV programs
- DigiCert High Assurance EV Root CA certificate check
- DigiCert Assured ID Root CA certificate check
- DNS Cache Type check
- .NET Framework version and registry data
- BitLocker encryption status
- Windows ELAM (Early Launch Anti-Malware) backup directory check
- Windows Installer directory check
- Core service dependencies status
- Basic network details
- Connectivity checks/configuration data (Commercial, Gov, and EU Clouds):
- Basic cloud connectivity check
- TLS connection tests
- Certificate chain check
- Supported ciphers check
- User's proxy settings
- Falcon Sensor proxy configuration
- SCHANNEL registry configuration
- CID and AID details
- Sensor and Device Control services status
- CS program and driver files list
- CS policy/system registry tags
- Currently running processes
- Installed Microsoft patches
- Running services details
- Windows Event logs errors: Application and System
- Falcon Sensor Event logs (if logging is enabled)
- MSInfo32 data export
Using CSWinDiag to Create a Collection
- Triggering a CSWinDiag collection by Double-Clicking:
- Download the attached ZIP file and unzip it. Most users unzip to their desktop directory, but it may be run from almost any directory on the host.
- Change to the directory where the unzipped EXE was placed.
- Double-click the CSWinDiag.exe executable.
- If prompted, enter local administrator credentials.
- If prompted to allow the program to make changes to the computer, click YES. (Note: The program does not install or make any system changes. It only collects host information).
- Wait 3-4 minutes (average) for collection to complete.
- Triggering a CSWinDiag collection from Command Line:
- Download the attached ZIP file and unzip it. Most users unzip to their desktop directory, but it may be run from almost any directory on the host.
- Open a command line prompt as administrator.
- Change to the directory where CSWinDiag.exe was placed. For example: %HOMEPATH%\Desktop\
- Type cswindiag, then press Enter.
- If prompted to allow the program to make changes to the computer, click YES. (Note: The program does not install or make any system changes. It only collects host information).
- Wait 3-4 minutes (average) for collection to complete.
- Either way you choose to trigger the CSWinDiag collection, the process averages 3-4 minutes to complete. Once finished, the program will display output similar to the following:
C:\Users\<user>\Desktop>cswindiag
CSWinDiag v1.4 collection progress (avg. 3-4 minutes):
- basic host details..............(done)
- network connectivity tests......(done)
- additional host details.........(done)
- Windows event logs..............(done)
- msinfo32 data...................(done)
- sensor and setup logs...........(done)
- finalizing collection...........(done)
Please review and/or send this file to CrowdStrike Support: C:\crowdstrike\private\support-diagnostics\windows\CSWinDiag\bin\Debug\CSWinDiag-WL-564DD0-UTC20201019233901754.zip
Closing session...
C:\Users\<user>\Desktop>
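Two checks around that run are worth automating when CSWinDiag is pushed to many hosts through a remote-management tool: confirming the downloaded ZIP matches the SHA256 published above before it is executed, and reading the tool's console output to confirm every stage reported (done) and to pick up the archive path. The script below is an added example, not part of CSWinDiag or any CrowdStrike tool. The sample output it parses is the console transcript shown above, embedded verbatim as a constructed fixture; the function names, the `complete` rule (every stage done and an archive path printed) and the reading of the archive file name as `<tag>-UTC<YYYYMMDDHHMMSSfff>` are assumptions of this example.

```python
import hashlib
import pathlib
import re
from datetime import datetime, timezone

# Hypothetical helper, not CrowdStrike tooling.

# SHA256 of the CSWinDiag v1.4 ZIP as published in the article.
CSWINDIAG_V14_SHA256 = "8c261f955ceafd235914b23a83281335f19e2d90af125eb467f54a63831e9ff1"

# Constructed fixture: the console output shown in the article, copied verbatim.
SAMPLE_OUTPUT = r"""
C:\Users\<user>\Desktop>cswindiag
CSWinDiag v1.4 collection progress (avg. 3-4 minutes):
- basic host details..............(done)
- network connectivity tests......(done)
- additional host details.........(done)
- Windows event logs..............(done)
- msinfo32 data...................(done)
- sensor and setup logs...........(done)
- finalizing collection...........(done)
Please review and/or send this file to CrowdStrike Support: C:\crowdstrike\private\support-diagnostics\windows\CSWinDiag\bin\Debug\CSWinDiag-WL-564DD0-UTC20201019233901754.zip
Closing session...
C:\Users\<user>\Desktop>
"""

_STAGE = re.compile(r"^- (?P<name>.+?)\.{2,}\((?P<status>[^)]+)\)\s*$")
_ARCHIVE = re.compile(
    r"Please review and/or send this file to CrowdStrike Support:\s*(?P<path>\S+\.zip)")
# Assumed layout of the archive name: CSWinDiag-<tag>-UTC<17-digit timestamp>.zip
_ARCHIVE_NAME = re.compile(r"^CSWinDiag-(?P<tag>.+)-UTC(?P<ts>\d{17})\.zip$")


def verify_cswindiag_download(zip_path, expected=CSWINDIAG_V14_SHA256):
    """True when the downloaded ZIP hashes to the published SHA256."""
    digest = hashlib.sha256(pathlib.Path(zip_path).read_bytes()).hexdigest()
    return digest.lower() == expected.lower()


def parse_cswindiag_output(text):
    """Return stage statuses, the archive path, and whether the run completed."""
    stages = {}
    archive = None
    for line in text.splitlines():
        stage = _STAGE.match(line.strip())
        if stage:
            stages[stage["name"]] = stage["status"]
            continue
        found = _ARCHIVE.search(line)
        if found:
            archive = found["path"]
    complete = (archive is not None and bool(stages)
                and all(status == "done" for status in stages.values()))
    return {"stages": stages, "archive": archive, "complete": complete}


def archive_metadata(archive_path):
    """Split the archive file name into its host tag and UTC collection time."""
    name = archive_path.replace("\\", "/").rsplit("/", 1)[-1]
    match = _ARCHIVE_NAME.match(name)
    if match is None:
        return None
    collected = datetime.strptime(match["ts"], "%Y%m%d%H%M%S%f").replace(tzinfo=timezone.utc)
    return {"tag": match["tag"], "collected_at": collected}


if __name__ == "__main__":
    result = parse_cswindiag_output(SAMPLE_OUTPUT)
    print("complete:", result["complete"])
    print("archive:", result["archive"])
    print("metadata:", archive_metadata(result["archive"]))
```

A run that prints an archive path while a stage reports something other than (done) is still worth sending to Support, but the parser flags it so the operator knows the collection is partial rather than discovering that later in the case.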