Carbon Black Cloud: How to collect Sensor Logs via Live Response (Linux)

Environment

  • Carbon Black Cloud Console: All Versions
    • Audit & Remediation required for Live Response
  • Carbon Black Cloud Sensor: 2.7.x.x and Higher
  • Linux: All Supported Versions

Objective

How to collect logs and configuration information from the VMware Carbon Black Cloud Linux sensor via a Live Response session

Resolution

  1. Connect to the device via a Live Response (LR) session
  2. From the LR command prompt, run the diagnostics script and capture its output:
    execfg sudo /opt/carbonblack/psc/bin/collectdiags.sh --verbose --debug --output-dir /tmp
  3. When the script completes, it displays the name of the output file:
    diags_{hostname}_{epoch_time}_{random}.tgz
  4. Retrieve the file from the endpoint:
    get /tmp/diags_{hostname}_{epoch_time}_{random}.tgz
  5. Upload the tarball to CB Vault
  6. Let Support know when the file has been uploaded

Additional Notes

  • The output file (diags_{hostname}_{epoch_time}_{random}.tgz) is created in /tmp/ by default
  • To change the output path, use the --output-dir parameter. For example, to create the file in the user's home directory:
    sudo ./collectdiags.sh --verbose --debug --output-dir $HOME
  • The script also collects system identity, configuration, and state information, so treat the tarball as sensitive and review its contents before sharing it outside the organization
  • The collected information helps VMware Carbon Black understand and repair problems that occur at runtime or during sensor installation
  • 2.6.x.x and earlier sensors can also use the procedure above after downloading and installing the diagnostics script
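The procedure above (run collectdiags.sh, read back the reported file name, get the tarball) can also be driven from the Carbon Black Cloud Python SDK (cbc-sdk) instead of being typed into the Live Response console, which is useful when Support needs bundles from several hosts. The following is an added example, not VMware Carbon Black's code and not part of the original article. It assumes the cbc-sdk Live Response API as understood here (Device.lr_session() usable as a context manager, session.create_process() returning the command's text output, session.get_file() returning the file's bytes); the FakeSession class is a constructed stand-in so the flow runs offline, and the hostname, epoch and random suffix in its canned output are made up. The --output-dir parameter from the notes is exposed as an argument, and the SHA-256 of the downloaded tarball is recorded so it can be quoted to Support with the CB Vault upload.

```python
"""Collect Linux sensor diagnostics over Live Response with cbc-sdk.

Added example, not VMware Carbon Black's code. Assumes the cbc-sdk Live
Response session API: Device.lr_session() as a context manager,
session.create_process(cmd, wait_for_output=True, ...) returning the
command's output as text, and session.get_file(path) returning bytes.
"""
import hashlib
import re
import tempfile
from pathlib import Path

COLLECTDIAGS = "/opt/carbonblack/psc/bin/collectdiags.sh"

# Matches the documented name pattern diags_{hostname}_{epoch_time}_{random}.tgz,
# whether the script prints it bare or as a full path.
DIAG_NAME_RE = re.compile(r"diags_[^\s/]+_\d+_[^\s/]+\.tgz")


def parse_diag_filename(script_output: str) -> str:
    """Return the tarball name reported by collectdiags.sh, or raise if absent."""
    match = DIAG_NAME_RE.search(script_output)
    if match is None:
        raise RuntimeError("collectdiags.sh did not report an output file:\n" + script_output)
    return match.group(0)


def sha256_hex(data: bytes) -> str:
    """Digest to record alongside the upload so Support can verify the file."""
    return hashlib.sha256(data).hexdigest()


def collect_sensor_diags(session, local_dir, output_dir="/tmp"):
    """Run the script in an LR session, fetch the tarball, return (local path, sha256).

    Equivalent to the manual steps: execfg ... --output-dir <dir>, then get <dir>/<file>.
    """
    cmd = f"sudo {COLLECTDIAGS} --verbose --debug --output-dir {output_dir}"
    output = session.create_process(cmd, wait_for_output=True, wait_timeout=600)
    if isinstance(output, bytes):  # tolerate either return type
        output = output.decode("utf-8", errors="replace")
    name = parse_diag_filename(output)
    data = session.get_file(f"{output_dir}/{name}")
    local_path = Path(local_dir) / name
    local_path.write_bytes(data)
    return str(local_path), sha256_hex(data)


def collect_from_device(device_id, local_dir, profile="default"):
    """Live run against one device (needs cbc-sdk installed and API credentials)."""
    from cbc_sdk import CBCloudAPI
    from cbc_sdk.platform import Device

    api = CBCloudAPI(profile=profile)
    device = api.select(Device, device_id)
    with device.lr_session() as session:  # assumed context-manager support
        return collect_sensor_diags(session, local_dir)


class FakeSession:
    """Constructed stand-in for an LR session so the flow can be exercised offline."""

    def __init__(self, hostname="web-01"):
        self.name = f"diags_{hostname}_1628160000_4f2a9c.tgz"  # made-up values
        self.blob = b"\x1f\x8b\x08\x00not-a-real-tarball"
        self.commands = []

    def create_process(self, command_string, **kwargs):
        self.commands.append(command_string)
        return f"Collecting sensor diagnostics...\nOutput: /tmp/{self.name}\n"

    def get_file(self, file_name, **kwargs):
        if file_name != f"/tmp/{self.name}":
            raise FileNotFoundError(file_name)
        return self.blob


def offline_demo():
    """Run the collection flow against FakeSession; returns (path, digest, session)."""
    session = FakeSession()
    path, digest = collect_sensor_diags(session, tempfile.mkdtemp())
    return path, digest, session


if __name__ == "__main__":
    bundle_path, bundle_digest, _ = offline_demo()
    print(f"{bundle_path}  sha256={bundle_digest}")
```

With a configured cbc-sdk credentials profile, collect_from_device(device_id, "./bundles") performs the whole sequence against a real endpoint; the returned tarball path and digest are what to upload to CB Vault and quote to Support. The --verbose --debug flags and the sudo prefix are kept exactly as in the manual command so the bundle matches what Support expects.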

Article Information
Creation Date: 08-05-2021