App Control: How to Enable Server Service Trace Logging from Startup

Environment

  • App Control Server (Formerly CB Protection): All Supported Versions

Objective

How to set the App Control Server services to debug level 6 in the registry for troubleshooting, so that logging is captured from the moment the service starts at boot.

Resolution

  1. If the server has the App Control Agent installed, turn off tamper protection using the steps below. If not, skip to step 2.
  • Open a command prompt as Administrator
  • Change directory to C:\Program Files (x86)\Bit9\Parity Agent (or the location where App Control is installed)
  • Turn off tamper protection by running the following commands in order:
dascli password <Either the CLI or global password can be entered here without the brackets>
dascli tamperprotect 0
  2. Stop the "Parity Server" service.
  • Go to services.msc and stop the CB Protection Server service, or run the following command as Administrator: net stop ParityServer
  3. Open the Registry (go to Start > Run > type regedit > click OK)
  4. Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ParityServer
  5. Edit the registry value called "ImagePath" by adding " /debuglevel 6" at the very end of the registry data. Below is an example of what it should look like:
"C:\Program Files (x86)\Bit9\Parity Server\parityserver.exe" /service /dsn "C:\Program Files\Bit9\Parity Server\shepherd.dsn" /debuglevel 6
  6. Start the "Parity Server" service.
  • Go to services.msc and start the CB Protection Server service, or run the following command as Administrator: net start ParityServer
  7. Reproduce the issue and collect the necessary data for engineering
  • ServerLog.bt9 located in C:\Program Files (x86)\Bit9\Parity Server\
  8. Repeat steps 1-4
  9. Remove the " /debuglevel 6" from the registry value ImagePath
  10. Repeat step 6 and start Parity Server
  • If the server has an App Control Agent installed, turn tamper protection back on
  11. Upload the file to CB Vault https://community.carbonblack.com/groups/cb-vault
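The registry edit and service restart above can be done from an elevated PowerShell prompt. The script below is an added example, not part of this article or of the App Control product; it assumes tamper protection has already been turned off (step 1), that the service name is ParityServer (as in "net stop ParityServer" above), and it only appends or strips the " /debuglevel 6" suffix, leaving the rest of the ImagePath value untouched.

```powershell
# Added example (not from the KB article): enable or disable " /debuglevel 6"
# on the ParityServer ImagePath value. Run from an elevated PowerShell prompt
# with tamper protection already turned off (assumption: step 1 is done).
$ServiceName = 'ParityServer'
$KeyPath     = "SYSTEM\CurrentControlSet\Services\$ServiceName"
$DebugSwitch = ' /debuglevel 6'

function Set-ParityServerDebugLogging {
    param(
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Action
    )

    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($KeyPath, $true)
    if (-not $key) { throw "Registry key HKLM\$KeyPath not found" }
    try {
        # Read without expanding %...% variables and remember the value type,
        # so the rewrite does not silently turn REG_EXPAND_SZ into REG_SZ.
        $kind    = $key.GetValueKind('ImagePath')
        $current = [string]$key.GetValue('ImagePath', '',
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

        $hasSwitch = $current.EndsWith($DebugSwitch)
        if ($Action -eq 'Enable' -and $hasSwitch) {
            Write-Host 'Debug logging is already enabled'; return $current
        }
        if ($Action -eq 'Disable' -and -not $hasSwitch) {
            Write-Host 'ImagePath is already at the default level'; return $current
        }

        $new = if ($Action -eq 'Enable') { $current + $DebugSwitch }
               else { $current.Substring(0, $current.Length - $DebugSwitch.Length) }

        # Stop the service before editing (step 2), write the new command line,
        # then start it again (step 6) so the new level applies from startup.
        Stop-Service -Name $ServiceName -Force -ErrorAction Stop
        $key.SetValue('ImagePath', $new, $kind)
        Start-Service -Name $ServiceName -ErrorAction Stop
        Write-Host "ImagePath is now: $new"
        return $new
    } finally {
        $key.Close()
    }
}

# Usage:
#   Set-ParityServerDebugLogging -Action Enable    # before reproducing the issue
#   Set-ParityServerDebugLogging -Action Disable   # after collecting ServerLog.bt9
```

Running the Disable action after collecting ServerLog.bt9 covers steps 8-10 and avoids the growing-log problem described in the Additional Notes.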

Additional Notes

  • WARNING: Make sure to remove " /debuglevel 6" so that logging returns to the default level 0. Otherwise the logs will keep growing and use unnecessary disk space.
  • If the registry value has been reset to the default and debugging is still being written to the ServerLog.bt9 file, go to https://<servername>/Support.php > Diagnostics Tab > click Snapshot Server Logs. This collects the ServerLog.bt9 file into the Diagnostics folder and ends the debugging.

Creation Date: 09-09-2020