Carbon Black Cloud: How to Collect Logs Remotely for Support Using Live Response (Windows)

Environment

  • Carbon Black Cloud Sensor (Windows): 3.3.x.x and Higher
  • Microsoft Windows: All Supported Versions

Objective

Collect Sensor Logs to provide to Support for a remote machine via Live Response

Resolution

Note: Ensure the Sensor you require logs from is online, checking in and in a policy that has Live Response enabled

Sensors 3.6 and Higher:
  1. Login to the Console
  2. Go to the Endpoints Page
  3. Click on the 'Go Live' icon (>_) to enable a Live Response session
  4. Change Directory to the Sensor's Directory
    cd C:\Program Files\Confer
  5. Run the following command
    execfg repcli capture c:\temp -- Change c:\temp to the desired writeable location
  6. You will receive immediate confirmation that the logs are being collected ('collecting diagnostic data (this may take a few minutes)'), followed by confirmation that the logs have been captured ('Captured diagnostic data in written to c:\temp\psc_sensor.zip')
  7. Run the following command to retrieve and download the captured Sensor Logs to your local machine
    get c:\temp\psc_sensor.zip -- Change to the location specified in the previous command
  8. This file will download to whichever directory you have specified to download to (usually 'Downloads')
  9. The file will likely not have an extension when downloaded, and may look similar to this > 9ba02d41-f873-45f4-ba19-5091c8246095
  10. Once downloaded, simply rename it, replacing the text with the name of the machine and adding the .zip file extension, for example > Sales1.zip

Sensors 3.5 and Lower:
  1. Login to the Console
  2. Go to the Endpoints Page
  3. Click on the 'Go Live' icon (>_) to enable a Live Response session
  4. Change Directory to the Sensor's Directory
    cd C:\Program Files\Confer
  5. Run the following command
    execfg repcli capture
  6. You will receive the confirmation that the captured logs will be written to C:\Windows\Temp\confer-temp and named confer-temp.zip
  7. Run the following command to retrieve and download the captured Sensor Logs to your local machine
    get confer_dump.zip
  8. This file will download to whichever directory you have specified to download to (usually 'Downloads')
  9. The file will likely not have an extension when downloaded, and may look similar to this > 9ba02d41-f873-45f4-ba19-5091c8246095
  10. Once downloaded, simply rename it, replacing the text with the name of the machine and adding the .zip file extension, for example > Sales1.zip
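Both procedures end with the same manual step: the downloaded file has no extension and a GUID-style name, and must be renamed to <machine name>.zip. The following PowerShell script is an added example (not part of the KB article or of the Carbon Black product) that performs that rename safely, checking that the download is actually a readable ZIP archive before renaming it and recording its SHA256 for the support case. The path and machine name passed in are assumptions; substitute your own.

```powershell
# Added example, not from the KB article. Validates an extensionless Live Response
# download and renames it to <MachineName>.zip in the same folder.
# Usage (placeholder values):
#   .\Rename-SensorLogs.ps1 -DownloadedFile "$env:USERPROFILE\Downloads\9ba02d41-f873-45f4-ba19-5091c8246095" -MachineName "Sales1"
param(
    [Parameter(Mandatory)] [string]$DownloadedFile,   # the GUID-named file the 'get' command produced
    [Parameter(Mandatory)] [string]$MachineName       # hostname to use for the renamed archive
)

if (-not (Test-Path -LiteralPath $DownloadedFile -PathType Leaf)) {
    throw "Download not found: $DownloadedFile"
}

# A ZIP archive begins with the local-file-header signature 'PK' 0x03 0x04.
# Checking the first four bytes catches a truncated download or a browser error page
# that was saved under the same name, before it is renamed and attached to a ticket.
$stream = [System.IO.File]::OpenRead($DownloadedFile)
try {
    $header = New-Object byte[] 4
    $read   = $stream.Read($header, 0, 4)
} finally {
    $stream.Dispose()
}
$isZip = ($read -eq 4) -and ($header[0] -eq 0x50) -and ($header[1] -eq 0x4B) -and
         ($header[2] -eq 0x03) -and ($header[3] -eq 0x04)
if (-not $isZip) {
    throw "'$DownloadedFile' is not a ZIP archive; re-run 'get' or use the 'File ready for download' link."
}

# Refuse to overwrite an earlier capture from the same machine.
$newName = "{0}.zip" -f $MachineName
$target  = Join-Path (Split-Path -Parent $DownloadedFile) $newName
if (Test-Path -LiteralPath $target) {
    throw "Target already exists: $target (rename or move the earlier capture first)"
}
Rename-Item -LiteralPath $DownloadedFile -NewName $newName

# Open the archive to confirm the central directory is intact and count its entries.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($target)
try { $entryCount = $zip.Entries.Count } finally { $zip.Dispose() }

# Summary to paste into the support case alongside the upload.
[pscustomobject]@{
    File       = $target
    SizeBytes  = (Get-Item -LiteralPath $target).Length
    Entries    = $entryCount
    SHA256     = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
}
```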

Additional Notes

  • Ensure the Sensor you require logs from is online, checking in and in a policy that has Live Response enabled
  • The 'repcli capture' command does not require authentication or administrator rights on the machine
  • The 'repcli capture' command requires the Cb Defense Service to be running
  • If the file does not automatically download, this may be due to your browser settings. In that case, click the 'File ready for download' link on the Live Response screen; it will then either download automatically or ask where to be saved (again, depending on your web browser settings)

Article Information
Creation Date: 09-16-2019