App Control: How to Collect Logs for Troubleshooting a Disconnected Agent (Windows)


Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Objective

How to collect logs to troubleshoot a disconnected Windows Agent.

Resolution

  1. On the disconnected endpoint, open an administrative command prompt and issue the following commands:
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli password GlobalPassword
    dascli disconnect
    dascli debuglevel 6
    dascli nettrace 1
    dascli connect
    dascli healthcheck
    dascli status
    
  2. In the returned output, locate Server Information > Server and note the address.
    Example: appserver.domain.com:41002 means the Server Address is appserver.domain.com
  3. Issue the following commands:
    netstat -ano | findstr "41002"
    nslookup <ServerAddress>
    ping <ServerAddress>
    tracert <ServerAddress>
    netsh winhttp show proxy
    (for XP/Server 2003 use: proxycfg)
    
  4. Use PowerShell to issue the following commands and save the results to a text file in C:\Temp\:
    Test-NetConnection -ComputerName <ServerAddress> -Port 41002 -InformationLevel "Detailed" > "C:\Temp\ConnectionTest.txt"
    Test-NetConnection -ComputerName <ServerAddress> -Port 443 -InformationLevel "Detailed" >> "C:\Temp\ConnectionTest.txt"
    
  5. In the administrative command prompt issue the following commands:
    dascli password 'GlobalPassword'
    dascli debuglevel 0
    dascli nettrace 0
    dascli capture "C:\Temp\%ComputerName%-DisconnectedLogs.zip"
  6. Upload the collected logs to the Vault.
  7. Once the upload has completed, provide an update on the existing Support Case.
  8. (Optional) A Wireshark capture may be requested during troubleshooting. Providing it upfront can reduce the number of log requests.

Additional Notes

When debugging is enabled, the file C:\ProgramData\Bit9\Parity Agent\Logs\Trace.bt9 may contain relevant errors (search for Winhttp and SSLerrors and look for non-zero codes).
  1. If results from netstat -ano | findstr "41002" show 'TIME_WAIT' instead of 'ESTABLISHED', then there is likely an issue with the TLS Protocols and/or Cipher Suites
  2. Optionally if Telnet is available, you can check connectivity with:
    telnet <ServerAddress> 41002
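
The network checks from steps 3 and 4 can be gathered in one pass and the netstat result read as described in note 1 above. This PowerShell script is an added example, not vendor code; the script name, parameter names, the output file C:\Temp\NetworkChecks.txt and the wording of the verdict lines are assumptions.

```powershell
# Collect-AgentNetworkChecks.ps1 (hypothetical name) - added example, not vendor code.
# Run in an elevated PowerShell session on the disconnected endpoint.
param(
    [Parameter(Mandatory = $true)] [string] $ServerAddress,  # host part noted in step 2
    [int]    $AgentPort = 41002,                             # port from the article's example
    [string] $OutFile   = 'C:\Temp\NetworkChecks.txt'        # assumed file name
)

New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null

# Append a titled section holding everything the command wrote (stdout and stderr).
function Add-Section([string] $Title, [scriptblock] $Command) {
    "===== $Title =====" | Out-File $OutFile -Append
    & $Command 2>&1 | Out-String | Out-File $OutFile -Append
}

# Step 3 checks
Add-Section "nslookup $ServerAddress"  { nslookup $ServerAddress }
Add-Section "ping $ServerAddress"      { ping $ServerAddress }
Add-Section "tracert $ServerAddress"   { tracert $ServerAddress }
Add-Section 'netsh winhttp show proxy' { netsh winhttp show proxy }

# Step 4 checks
foreach ($port in $AgentPort, 443) {
    Add-Section "Test-NetConnection port $port" {
        Test-NetConnection -ComputerName $ServerAddress -Port $port -InformationLevel Detailed
    }
}

# State column of every TCP row whose foreign address ends in the agent port.
# netstat -ano columns: Proto, Local Address, Foreign Address, State, PID
$netstat = netstat -ano
$states = @($netstat | ForEach-Object {
    $col = $_.Trim() -split '\s+'
    if ($col[0] -eq 'TCP' -and $col[2] -like "*:$AgentPort") { $col[3] }
})

$verdict = if ($states -contains 'ESTABLISHED') {
    "ESTABLISHED: a TCP session to port $AgentPort is up."
} elseif ($states -contains 'TIME_WAIT') {
    "TIME_WAIT without ESTABLISHED: likely a TLS protocol and/or cipher suite issue."
} elseif ($states.Count -gt 0) {
    "Only these states seen: $(($states | Sort-Object -Unique) -join ', ')"
} else {
    "No TCP connection to port $AgentPort found."
}
Add-Section "netstat summary for port $AgentPort" { $netstat | Select-String "$AgentPort"; $verdict }
Write-Output $verdict
```

Run it while debuglevel 6 and nettrace 1 are still active (between steps 1 and 5) so the agent's connection attempts appear in the netstat rows.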

Creation Date: 11-20-2018