Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black OS X Basic Troubleshooting

Carbon Black OS X Basic Troubleshooting

Version

Carbon Black version 4.2.x & 5.x

Topic

Document contains Carbon Black OS X basic troubleshooting steps.

Steps

Log Locations

  1. Log Locations
    1. /var/lib/cb
  2. Default Sensor .pkg installer directory
    1. /usr/share/cb/coreservices/installers/osx
  3. Logs
    1. CbOsxSensorService...log.LEVEL. - Where Level refers to either INFO, WARNING, and ERROR levels. All three log levels are informative to check when investigating an issue.
    2. cblog.log – Contains Sensor installation information, driver status, Sensor daemon status, kernel extension status.
    3. system.log – Similar to OSX’s system.log, shows process’ exit codes

Collecting Sensor Diagnostics

  1. To force the Sensor to dump recent communication and event logs:
    1. First obtain the PID of the running process:
      1. $ ps -ef|grep CbOsxSensorService
    2. b. Kill the process:
      1. $ sudo kill -s USR2
    3. c. Check the newly created logs:
      1. /var/lib/cb/sensor_comms.log
      2. /var/lib/cb/sensor_net.log
      3. /var/lib/cb/sensor_raw_events.log
  2. To create an archive of logs:
    1. $ sudo /Applications/Carbonblack/sensordiag.sh
      1. This will create a zip file with logging from the host:
      2. /Applications/CarbonBlack/sensordiag__.zip  (Depending on your OS X version, it may also be in the user's home folder)

Force Sensor to Check-in

  1. From the sensor host
    1. sudo kill -USR1 <pid>
      1. <pid> of the CbOsxSensorService
  2. Force sensor check-in from the console
    1. Using the 'SYNC' command flushes all the data from the sensor to the server

Common Issues

  1. The hyperlink in the UI to download an OSX sensor is grayed out, and the Download Sensor Installer drop down does not include “OSX Standalone PKG”.
    1. The cb.conf file includes a SensorUpgradeOsx= parameter, and this version does not exist in the /usr/share/cb/coreservices/installers/osx directory. Remove the SensorUpgradeOsx parameter to force the UI to download the most recent version.
  2. The OSX Sensor is writing too much data to disk, causing poor performance.
    1. As of this writing there is a known issue when Binary module events are collected. To disable this event type, navigate to Administration -> Sensors -> [select the relevant group] -> Edit Group Settings -> Event Collection tab. Uncheck the box for “Binary module (.dll, .sys, .exe) loads”. This issue was resolved in 5.1. Carbon Black OSX Sensor performance symptoms  contains further information.

Important Note(s)

These apply to OSX sensors only.

Labels (1)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎03-20-2015
Views:
3351
Contributors