
Carbon Black Cloud: How To Collect Sensor Logs Locally (Windows)

Environment

  • Carbon Black Cloud Sensor: 2.1.x.x - 3.3.x (formerly CB Defense)
  • Carbon Black Cloud Sensor: 3.3.x.x and Higher
  • Microsoft Windows: All Supported Versions

Objective

Describe the steps needed to collect the CBC Sensor logs from a Windows device locally

Resolution

3.6.x.x and Higher
  1. Log into the desired device (either directly or via RDP)
  2. Open a command prompt in the Confer directory 'C:\Program Files\Confer'
  3. Run the 'repcli capture' command, giving the folder where the archive should be written:
    C:\Program Files\Confer>repcli capture <LocalOutputPath>
    
    Example
    repcli capture C:\Users\%USERNAME%\Desktop
    
  4. Follow the on-screen prompts that show you where the now zipped sensor log file is located
    Collecting diagnostic data (this may take a few minutes)...
    ....
    Captured diagnostic data in <LocalOutputPath>\psc_sensor.zip
  5. Rename the zip file to match the name of the device
  6. Upload the file via https://community.carbonblack.com/groups/cb-vault or upload link provided by Support

For Sensor Versions Pre-3.3.x.x

This method should only be used upon request from a Carbon Black representative

  1. Log into the desired device (either directly or via RDP)
  2. Right click cmd.exe
  3. Click "Run as Administrator"
  4. Run the following command:
    sc query cbdefense
    • If the sensor is installed, you will receive a readout of its current status
    • If the sensor is not installed, you will receive an error
  5. If the sensor is installed, run
    sc control cbdefense 128
  6. Collect the resulting confer_dump.zip file from C:\windows\temp\confer-temp
  7. Rename the zip file to match the name of the device
  8. Upload the file via https://community.carbonblack.com/groups/cb-vault or Smartfile link provided by Support

For Sensor Versions 3.3.x.x and Higher (RepCLI Command Utility)
3.3.x.x through 3.5.x.x
  1. Log into the desired device (either directly or via RDP)
  2. Open a command prompt in the Confer directory 'C:\Program Files\Confer'
  3. Run the 'repcli capture' command:
    C:\Program Files\Confer>repcli capture
  4. Follow the on-screen prompts that show you where the now zipped sensor log file is located
  5. Rename the zip file to match the name of the device
  6. Upload the file via https://community.carbonblack.com/groups/cb-vault or Smartfile link provided by Support

Additional Notes

  • Zip file name example: SampleMachineName_confer_dump.zip
  • Commands to execute the capture step from PowerShell (pre-3.3 step 5, and 3.3.x.x and higher step 3, respectively):
    cmd.exe /c "sc control cbdefense 128"
    .\RepCLI.exe capture
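The two procedures above can be wrapped in a single elevated PowerShell script that checks the service, runs the capture command appropriate to the installed sensor, renames the archive after the device, and records a hash of it before upload. This is an added example, not a script from the Carbon Black article or from Carbon Black; it uses only the paths and commands the article names. Using the presence of RepCLI.exe as the indicator of a 3.3.x.x or higher sensor, passing the output folder to every RepCLI build, and the five-minute wait for confer_dump.zip are assumptions of this example.

```powershell
# Added example (not from the Carbon Black article): collect CBC sensor logs on Windows.
# Assumes the paths and commands named in the article; the RepCLI.exe presence check
# as a version indicator is an assumption, not documented sensor behaviour.
param(
    [string]$OutputDir = "$env:USERPROFILE\Desktop"
)

$ErrorActionPreference = 'Stop'
$conferDir = 'C:\Program Files\Confer'
$repcli    = Join-Path $conferDir 'RepCLI.exe'

# Pre-3.3 step 4: confirm the cbdefense service exists before doing anything.
$svc = Get-Service -Name cbdefense -ErrorAction SilentlyContinue
if (-not $svc) { throw 'cbdefense service not found: the sensor is not installed on this device.' }
Write-Host "cbdefense service status: $($svc.Status)"

# The legacy service-control method only works from an elevated session ("Run as Administrator").
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

if (Test-Path $repcli) {
    # 3.3.x.x and higher: 'repcli capture <LocalOutputPath>'. Assumption: older 3.3-3.5 builds
    # may ignore the path, so the "Captured diagnostic data in ..." line is parsed as well.
    $output = & $repcli capture $OutputDir 2>&1
    $output | ForEach-Object { Write-Host $_ }
    $zip = Join-Path $OutputDir 'psc_sensor.zip'
    if (-not (Test-Path $zip)) {
        $m = $output | Select-String -Pattern 'Captured diagnostic data in (.+\.zip)' | Select-Object -First 1
        if ($m) { $zip = $m.Matches[0].Groups[1].Value.Trim() }
    }
} else {
    # Pre-3.3.x.x (use only on request from Carbon Black): service control code 128
    # makes the sensor write confer_dump.zip to C:\windows\temp\confer-temp.
    if (-not $isAdmin) { throw 'The legacy method needs an elevated PowerShell session.' }
    cmd.exe /c "sc control cbdefense 128" | Out-Null
    $zip = 'C:\windows\temp\confer-temp\confer_dump.zip'
    # Wait for the dump to appear; the 5-minute limit is an assumption of this example.
    $deadline = (Get-Date).AddMinutes(5)
    while (-not (Test-Path $zip) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 5 }
}

if (-not (Test-Path $zip)) { throw "Sensor log archive not found at $zip" }

# Rename the archive after the device, e.g. SampleMachineName_confer_dump.zip.
$dest = Join-Path $OutputDir ("{0}_{1}" -f $env:COMPUTERNAME, (Split-Path $zip -Leaf))
Move-Item -Path $zip -Destination $dest -Force

# Record a SHA-256 so the uploaded archive can be verified by whoever receives it.
Get-FileHash -Path $dest -Algorithm SHA256 | Format-List Path, Hash
Write-Host "Upload $dest via the CB Vault group or the link provided by Support."
```

Run it from an elevated PowerShell prompt as `.\Collect-CbcSensorLogs.ps1 -OutputDir C:\Temp` (script name chosen here for illustration). The hash line is there so the person receiving the archive can confirm it arrived unmodified, which matters when the logs may become incident evidence.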

Article Information

Creation Date: 11-20-2018