Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: How To Collect Agent Performance Logs (Linux)

App Control: How To Collect Agent Performance Logs (Linux)

Environment

  • App Control Agent: All Supported Versions
  • Linux: All Supported Versions

Objective

To collect diagnostics for cases involving performance impacts.

Resolution

These commands need to be issued on the endpoint during the performance impact in order to accurately assess the situation.
  1. Open Terminal and issue the following commands:
    cd /opt/bit9/bin
    ./b9cli --password GlobalCLIPassword
    ./b9cli --resetcounters
    ./b9cli --flushlogs
    ./b9cli --debuglevel 4
    ./b9cli --kerneltrace 4
    ./b9cli --nettrace 1
    
  2. Collect 5-10 minutes of data during the ongoing performance issues.
  3. Download the cbp-linux-sys-info script, extract and execute it. Once completed, collect the resulting /tmp/cbp-linux-sys-info.tgz file.
    • If the endpoint is in a Medium or High Enforcement Policy the cbp-linux-sys-info.sh script will need to be granted an Approval prior to execution.
    • If the execution of the script gives you an invalid character output, you may need to clean the sh file by running the command below, then executing the script again:
      cat cbp-linux-sys-info.sh | col -bf > cbp-linux-sys-info.sh
  4. Take a snapshot of the running b9daemon process using the gcore command (gcore is included with gdb which you may need to install).
    gcore 'pidof b9daemon'
  5. Capture and stop debug logging:
    sudo ./b9cli --capture /var/tmp/$HOSTNAME-PerformanceLogs.zip
    ./b9cli --password GlobalCLIPassword
    ./b9cli --debuglevel 0
    ./b9cli --kerneltrace 2
    ./b9cli --nettrace 0
    
  6. Collect the System Logs.
    sudo tar cvfz /var/tmp/$HOSTNAME-SystemLogs.tgz /var/log
  7. After collection has completed, temporarily shutdown & unload the Agent, then reproduce with the TOP command:
    top -c -n 10 -d 5 >> /var/tmp/$HOSTNAME-top_output.txt
    
  8. While the Agent is shutdown & unloaded, collect a FAPREDEP capture.
  9. Upload all collected data to the Vault.

Related Content


Labels (1)
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎08-21-2018
Views:
6518
Contributors