Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: How to Troubleshoot Sensor Installation and Upgrade Issues

Carbon Black Cloud: How to Troubleshoot Sensor Installation and Upgrade Issues

Environment

  • Carbon Black Cloud Sensor: All supported versions

Objective

How to Troubleshoot Sensor Installation and Upgrade Issues

Resolution

Please open a case with VMware Carbon Black Support with the following Environment Details and Diagnostics Files:

Environment Details

  1. What is the current sensor version that is being installed on these devices?
  2. What are the prior sensor version(s) that were installed (if any)?
  3. How was the sensor deployed: the console, attended, unattended (command line), or third party deployment software e.g. SCCM, GPO, JAMF etc..?
  4. If this is a sensor upgrade, what sensor version was installed and how was it deployed?  
  5. How many devices are exhibiting this behavior?
  6. What is the device operating system(s)?
  7. Is there an identifiable pattern where install/upgrades fail? (e.g. Does this issue happen only on a particular subnet, OS version or sensor version?)

Diagnostic Files

Windows

  • Verbose.msi log (Always collect this log when possible)
NOTE
  • If the sensor was installed via attended method, the verbose msi will not be generated
  • If sensor was upgraded via CBC Console then the msi.log will be located in %ProgramData%\CarbonBlack
  • If sensor was installed any other method then the verbose msi will only be created if /L*vx <logpath>\<logname> was used when installing the sensor. If the <logpath> was not specified, then the log will be created in whatever director that the msi was specified to run
  • TCP Dump (Collect only if we suspect a network issue and issue can be reproduced on demand) 
  • All other Logs (Please contact support to obtain the cbcdisk-v2.ps1 sensor install log collection script)
  1. Copy cbcdisk-v2.ps1 into a directory
  2. Open a command prompt using Run As Administrator
  3. Execute command: powershell -executionpolicy bypass -f .\cbcdisc-v2.ps1
  4. This creates %TEMP%\cbcdisc-<hostname>.zip
    e.g. 
    Capture complete. Capture file is C:\Users\user\AppData\Local\Temp\cbcdisc-hostname.zip

MacOS

  • Sensor Registration Logs: confer-preinstall-xxxxxxxx.log & confer-postinstall-xxxxxxx.log/tmp
  • Sensor Diagnostic Logs: /Applications/Confer.app/
  • MacOS Big Sur Logs: /Library/Application Support/com.vmware.carbonblack.cloud/Logs
  • For failed upgrades, collect /tmp/cbcloud-preinstall-[TIMESTAMP].log

Linux

Collect Logs using the steps in Carbon Black Cloud: How to Collect Sensor logs locally (Linux)

Additional Notes

  • The cbcdisk-v2.ps1 log collection script will automatically collect the sensor registration log cb-installer-<sensor.version>.log (post 3.4) or confer-temp.log (3.4 and below) which is usually found in one of the following locations: 
    C:\Windows\TEMP\
    C:\Users\<user>\AppData\Local\Temp\ 
    C:\Users\All Users\AppData\Local\Temp
  • If there is a record for a device's hostname on one of the Inventory pages (Endpoints, VM Workloads, VDI Clones, etc.) where the Status shows Active but the Operating System (OS) and Sensor version fields are blank
    • Registration has succeeded (there is a device_id), but installation has failed
    • Uninstall/reinstall is recommended

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎09-09-2020
Views:
4774
Contributors