Issue
We need to collect SentinelOne Agent diagnostic logs from inside the SentinelOne console.
Environment
SentinelOne
Resolution
1. In the sidebar, click Sentinels.
2. Click the Agent (Endpoint Details loads).
3. Click Actions > Troubleshooting > Fetch Logs.
4. In the Fetch Logs window, select one or both of the options and click Fetch Logs.
NOTE: For Windows logs, select both options.
- Agent logs: Get information about the selected Agent’s operations. The default is enabled.
  From Windows Agent 4.6, fetching Agent logs includes the Agent Activity Analyzer report.
- Endpoint logs: Get endpoint data. These logs are not encrypted and can be useful for customer troubleshooting. This option is available from Management Version Iguazu and works with Windows Agent version 3.6+. The default is disabled.
NOTE: If you select this option for an endpoint with a macOS or Linux Agent, or with a Windows Agent of a version earlier than 3.6, the Agent fetches Agent logs.
Download the Logs:
- In the sidebar, click Activity.
- In the Activity view, click Administrative and select Log operations.
- Tip: From version Queensland, use the search to find the option easily.
- The results show entries with this syntax: Agent <name> successfully uploaded <file>.tar.gz
- Select an entry and click the Download button.
Data that is collected:
- VM yes/no check
- Internet connection status
- Directory listing for ProgramFiles and ProgramData Sentinel folder + PRDB folder size
- SentinelCtl status+config
- FLTMC output
- Net config workstation and server
- IPConfig /all and route print
- Local DNS cache dump
- SC query for Sentinel Agent and monitor
- netsh full dump and proxy information
- Net statistics
- Local FW export
- msinfo32 full export
- Windows event viewer files
- Local machine certificates listing
- Agent log files
- Agent asset files
- VSS tool output
- Full list of installed applications