system.log – Similar to OSX’s system.log; shows process exit codes
Collecting Sensor Diagnostics
To force the Sensor to dump recent communication and event logs:
a. Obtain the PID of the running process:
$ ps -ef | grep CbOsxSensorService
b. Send the USR2 signal to the process with kill:
$ sudo kill -s USR2 <pid>
c. Check the newly created logs:
To create an archive of logs:
$ sudo /Applications/Carbonblack/sensordiag.sh
This will create a zip file with logging from the host:
/Applications/CarbonBlack/sensordiag__.zip (Depending on your OS X version, it may also be in the user's home folder)
Force Sensor to Check-in
From the sensor host
$ sudo kill -USR1 <pid>
where <pid> is the PID of the CbOsxSensorService process
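The two signal procedures above (USR2 for the diagnostic dump, USR1 for a check-in) can be wrapped in one helper that resolves the PID by exact executable name instead of `ps -ef | grep`, which also matches the grep process itself. This is an added example, not Carbon Black tooling; the function names, the script name cb_signal.sh and the executable path in the sample are assumptions.

```shell
#!/bin/sh
# Added example (not Carbon Black's own tooling): send the documented signals
# to the sensor without relying on `ps -ef | grep`, which also matches grep.

SENSOR_NAME="CbOsxSensorService"

# Constructed sample of `ps -axo pid=,comm=` output; the executable path is assumed.
SAMPLE_PS='  101 /usr/sbin/syslogd
  412 /Applications/CarbonBlack/CbOsxSensorService
  977 grep
 1200 /tmp/NotCbOsxSensorServiceX'

# Map an action to the signal this page documents for it.
signal_for_action() {
    case "$1" in
        diag)    echo USR2 ;;   # dump recent communication and event logs
        checkin) echo USR1 ;;   # force a check-in
        *)       return 1 ;;
    esac
}

# Read "pid command-path" lines on stdin and print the PIDs whose executable
# basename is exactly the sensor name (no substring matches, no grep itself).
sensor_pids() {
    awk -v name="$SENSOR_NAME" '{
        pid = $1; $1 = ""; sub(/^ +/, "")
        n = split($0, parts, "/")
        if (pid ~ /^[0-9]+$/ && parts[n] == name) print pid
    }'
}

# Resolve exactly one sensor PID, then signal it. Refuses to act on zero or
# several matches so a stray PID is never signalled as root.
signal_sensor() {
    sig=$(signal_for_action "$1") || { echo "usage: $0 diag|checkin" >&2; return 2; }
    pids=$(ps -axo pid=,comm= | sensor_pids)
    count=$(printf '%s\n' "$pids" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected 1 $SENSOR_NAME process, found $count" >&2
        return 1
    fi
    sudo kill -s "$sig" "$pids"
}

# Run only when an action is given, e.g.: sh cb_signal.sh diag
if [ "$#" -gt 0 ]; then signal_sensor "$1"; fi
```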
Force sensor check-in from the console
Using the 'SYNC' command flushes all the data from the sensor to the server
The hyperlink in the UI to download an OSX sensor is grayed out, and the Download Sensor Installer drop-down does not include “OSX Standalone PKG”.
The cb.conf file includes a SensorUpgradeOsx= parameter, and this version does not exist in the /usr/share/cb/coreservices/installers/osx directory. Remove the SensorUpgradeOsx parameter to force the UI to download the most recent version.
The OSX Sensor is writing too much data to disk, causing poor performance.
As of this writing, there is a known issue when Binary module events are collected. To disable this event type, navigate to Administration -> Sensors -> [select the relevant group] -> Edit Group Settings -> Event Collection tab. Uncheck the box for “Binary module (.dll, .sys, .exe) loads”. This issue was resolved in 5.1. The article “Carbon Black OSX Sensor performance symptoms” contains further information.