CB Response: Enable Verbose Logging remotely on Windows sensor

Environment

  • CB Response Sensor: 5.x and Higher
  • CB Response Console: 5.x and Higher
  • Microsoft Windows: All Supported Versions

Objective

  • How to enable verbose user-mode and kernel-mode logging remotely via CB Live Response.

Resolution

  1. Back up the registry prior to enabling logging: How to back up the registry in Windows.
  2. Remotely enable verbose logging:
    • Establish a CB Live Response session with the endpoint.
    • Enter the following two commands within CB Live Response:
        reg add HKLM\Software\CarbonBlack\config -v DebugLevel -t REG_DWORD -d 7
        reg add HKLM\Software\CarbonBlack\config -v KernelDebugLevel -t REG_DWORD -d 7
    • The registry settings will not take effect until the user-mode sensor service is restarted:
        execfg cmd.exe /K "sc control carbonblack 203"
  3. Reproduce the issue.
  4. Collect logs with the Diagnostic utility to collect Carbon Black endpoint logs.
  5. When finished, manually remove the two registry values and restart the CB Response sensor for the changes to take effect.
  6. Upload the diagnostics to the CB Vault.

Additional Notes

  • Make sure to disable verbose logging after troubleshooting, so it does not fill up the logs on the endpoint.
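
To confirm that the two registry values were removed after troubleshooting, a script like the following can be run locally on the endpoint. It is an added example, not Carbon Black's own tooling. The `-Remove` switch is a hypothetical parameter of this script, and the script assumes an elevated, native (not 32-bit-on-64-bit) PowerShell session so that `HKLM\Software` is not redirected.

```powershell
# Added example: audit (and optionally remove) the verbose-logging values
# that this article sets. Save as a .ps1 file and run elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # hypothetical switch: delete the values instead of only reporting
)

$key    = 'HKLM:\Software\CarbonBlack\config'   # key named in the article
$values = 'DebugLevel', 'KernelDebugLevel'      # values named in the article

if (-not (Test-Path -LiteralPath $key)) {
    Write-Warning "$key not found; is the sensor installed on this host?"
    return
}

$leftover = 0
foreach ($name in $values) {
    # A missing value produces an error, which is suppressed and read as "not set".
    $prop = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Output "$name : not set"
        continue
    }
    Write-Output ("{0} : {1}" -f $name, $prop.$name)

    if ($Remove -and $PSCmdlet.ShouldProcess("$key\$name", 'Remove registry value')) {
        Remove-ItemProperty -LiteralPath $key -Name $name -ErrorAction Stop
        Write-Output "$name : removed"
        continue
    }
    $leftover++
}

if ($leftover -gt 0) {
    Write-Warning "$leftover verbose-logging value(s) still set on $env:COMPUTERNAME."
    exit 1
}
Write-Output 'No verbose-logging values set. Restart the sensor if values were just removed.'
```

Running it with `-Remove -WhatIf` shows which values would be deleted without changing the registry; the non-zero exit code lets a fleet-wide check flag endpoints where verbose logging was left on.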

Creation Date: 11-21-2018