
App Control: How to Collect Logs for Troubleshooting Disconnected Windows Agent (Locally)

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Objective

How to collect logs to troubleshoot a disconnected Windows Agent

Resolution

  1. On the disconnected endpoint, open an elevated Command Prompt as Administrator
  2. Run the following commands and copy the output:
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli password <Global CLI Password>
    dascli disconnect
    dascli debuglevel 6
    dascli nettrace 1
    dascli connect
    
    dascli status
    tracert <AppCServerName>
    netstat -ano | findstr "41002" > "C:\Temp\%ComputerName%-netstat.txt"
    nslookup <AppCServerName>
    ping <AppCServerName>
    netsh winhttp show proxy
    (for XP/Server 2003 use: proxycfg)
    
    With PowerShell:
    Test-NetConnection -ComputerName <AppCServerName> -Port 41002 -InformationLevel "Detailed"
    Test-NetConnection -ComputerName <AppCServerName> -Port 443 -InformationLevel "Detailed"
    
    dascli password <CLI Password>
    dascli debuglevel 0
    dascli nettrace 0
    dascli capture "C:\Temp\%ComputerName%-DisconnectedLogs.zip"
  3. Upload the results to the Vault.
    • Screenshot or text results of the network commands.
    • The files generated in "C:\Temp\"
  4. Once the upload has completed, provide an update on the existing Support Case.
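The network checks in step 2 (everything except the dascli commands) can be run as one script that writes a single report to C:\Temp for upload. The script below is an added example and is not part of the Carbon Black article or the App Control agent; it assumes the server name is passed as -ServerName, that the endpoint runs Windows 8 / Server 2012 or later (for Resolve-DnsName, Test-NetConnection and Get-NetTCPConnection), and it uses Get-NetTCPConnection in place of netstat -ano | findstr "41002". The TIME_WAIT check applies the rule from the Additional Notes: ESTABLISHED sockets on port 41002 are healthy, while only TIME_WAIT sockets point at a TLS protocol or cipher suite mismatch.

```powershell
# Added example, not from the original KB article. Collects the step 2 network
# checks into C:\Temp\<COMPUTERNAME>-network-checks.txt. Run from an elevated
# PowerShell prompt. Assumptions: -ServerName is the App Control server name
# (<AppCServerName> in the article); Windows 8 / Server 2012 or later.
param(
    [Parameter(Mandatory = $true)][string]$ServerName,
    [string]$OutDir = 'C:\Temp'
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$report = Join-Path $OutDir "$env:COMPUTERNAME-network-checks.txt"

# Runs one check, labels it, and appends stdout/stderr to the report file.
function Write-Section {
    param([string]$Title, [scriptblock]$Action)
    "===== $Title =====" | Out-File -FilePath $report -Append
    try {
        & $Action 2>&1 | Out-String -Width 200 | Out-File -FilePath $report -Append
    } catch {
        "ERROR: $($_.Exception.Message)" | Out-File -FilePath $report -Append
    }
}

# Same checks as the article's nslookup / tracert / ping / Test-NetConnection / netsh lines.
Write-Section 'DNS resolution (nslookup)'  { Resolve-DnsName -Name $ServerName -ErrorAction Stop }
Write-Section 'Route to server (tracert)'  { tracert.exe -d $ServerName }
Write-Section 'ICMP reachability (ping)'   { Test-Connection -ComputerName $ServerName -Count 4 -ErrorAction SilentlyContinue }
Write-Section 'TCP 41002'                  { Test-NetConnection -ComputerName $ServerName -Port 41002 -InformationLevel Detailed }
Write-Section 'TCP 443'                    { Test-NetConnection -ComputerName $ServerName -Port 443 -InformationLevel Detailed }
Write-Section 'WinHTTP proxy'              { netsh.exe winhttp show proxy }

# Replacement for netstat -ano | findstr "41002": list sockets to port 41002 and
# flag the TIME_WAIT-only pattern the article associates with TLS negotiation failures.
Write-Section 'Sockets on port 41002 (netstat)' {
    $conns = Get-NetTCPConnection -RemotePort 41002 -ErrorAction SilentlyContinue
    if (-not $conns) {
        'No sockets to port 41002 found (agent may not be attempting a connection)'
    } else {
        $conns | Select-Object LocalAddress, LocalPort, RemoteAddress, State, OwningProcess
        if (($conns.State -contains 'TimeWait') -and ($conns.State -notcontains 'Established')) {
            'WARNING: only TIME_WAIT sockets seen; check TLS protocol / cipher suite configuration on agent and server'
        }
    }
}

# Last winhttp entries from the agent trace file named in the Additional Notes
# (useful once debuglevel 6 has been set); non-zero codes there are the lines to look at.
Write-Section 'winhttp entries in Trace.bt9' {
    $trace = 'C:\ProgramData\Bit9\Parity Agent\Logs\Trace.bt9'
    if (Test-Path $trace) {
        Select-String -Path $trace -Pattern 'winhttp' -SimpleMatch |
            Select-Object -Last 50 | ForEach-Object { $_.Line }
    } else {
        "Trace file not found: $trace"
    }
}

Write-Host "Results written to $report"
```

Run it as `.\Collect-NetworkChecks.ps1 -ServerName <AppCServerName>` (file name is arbitrary) and upload the resulting text file alongside the dascli capture zip; the report replaces the screenshots called for in step 3 but does not replace the capture itself.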

Additional Notes

When debugging is enabled, the file C:\ProgramData\Bit9\Parity Agent\Logs\Trace.bt9 may contain relevant errors (search for "winhttp" and look for non-zero codes).
In the process of troubleshooting a disconnected agent, Carbon Black support may request CAPI2 logging and a Wireshark capture. Providing those upfront can reduce the number of log requests you receive from the support group.
  1. Start CAPI2 logging:
  2. Start collecting a Wireshark capture:
  3. If the results of netstat -ano | findstr "41002" show 'TIME_WAIT' instead of 'ESTABLISHED', there is likely an issue with the TLS protocols and/or cipher suites.
  4. Optionally, if Telnet is available, you can check connectivity with:
    telnet <AppCServerName> 41002
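CAPI2 logging (item 1 above) records certificate chain building and validation on the endpoint, which is exactly what fails when the TLS handshake to port 41002 does not complete. The script below is an added example, not part of the article or the agent, showing one way to enable the CAPI2 Operational log around a reconnect attempt and export it for upload. Assumptions: the agent directory and dascli commands are the ones given in step 2 of the article; the CLI password is passed as -CliPassword; the 60-second wait is an arbitrary allowance for the agent to attempt its connection; and the wevtutil options used (cl, sl /e, epl /ow) are standard Windows ones.

```powershell
# Added example, not from the original KB article. Enables the CAPI2 Operational
# event log, triggers a disconnect/connect with dascli (per step 2), then exports
# the log to C:\Temp\<COMPUTERNAME>-capi2.evtx. Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory = $true)][string]$CliPassword,
    [string]$OutDir = 'C:\Temp',
    [string]$AgentDir = 'C:\Program Files (x86)\Bit9\Parity Agent'
)

$log  = 'Microsoft-Windows-CAPI2/Operational'
$evtx = Join-Path $OutDir "$env:COMPUTERNAME-capi2.evtx"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Start from an empty log so the export only covers this reconnect attempt.
wevtutil.exe cl $log
wevtutil.exe sl $log /e:true

try {
    Push-Location $AgentDir
    .\dascli password $CliPassword
    .\dascli disconnect
    .\dascli connect
    Start-Sleep -Seconds 60        # assumption: enough time for the agent to attempt the handshake
    .\dascli status
} finally {
    Pop-Location
    wevtutil.exe sl $log /e:false  # CAPI2 logging is verbose; turn it off again
}

wevtutil.exe epl $log $evtx /ow:true
Write-Host "CAPI2 log exported to $evtx"

# Quick triage before uploading: error-level CAPI2 events (chain build / chain
# policy failures show up here) carry the failing certificate and status in Message.
Get-WinEvent -Path $evtx -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -eq 'Error' } |
    Select-Object TimeCreated, Id, Message -First 20 |
    Format-List
```

Upload the .evtx with the rest of the collected files; if a Wireshark capture is also being taken (item 2 above), start it before running this script so both cover the same connection attempt.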

Creation Date: 11-20-2018