Environment
- Carbon Black Protection: All Versions
- Linux Agent
Objective
This document describes how to collect the diagnostics that help Carbon Black Support investigate and resolve the following issues:
- Unexpected Blocks
- Unexpected Approvals
- Unexpected Rule Results
Resolution
Run these commands while reproducing the issue so that the diagnostics capture can be used to accurately assess it.
- Open Terminal and change directory to /opt/bit9/bin
- Run the following commands
  - ./b9cli --password <CLI or Global password here>
  - ./b9cli --resetcounters
  - ./b9cli --flushlogs
  - ./b9cli --debuglevel 6
  - ./b9cli --kerneltrace 4
- Reproduce the issue during the capture.
- Capture and stop debug logging
  - ./b9cli --capture <path to drop>/$HOSTNAME.$(date +%Y-%m-%d).zip
  - ./b9cli --password <CLI or Global password here>
  - ./b9cli --debuglevel 0
  - ./b9cli --kerneltrace 2
- Collect System Logs
  - tar cvfz system-logs-$(date +%F).tgz /var/log
Upload all collected data to Cb Vault
Once your transfer is complete, please update your Case Notes and we will retrieve the data
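
The procedure above can be wrapped in a script so that the debug and kernel trace levels are always returned to 0 and 2, even if the capture fails or the run is interrupted. This is an added example, not Carbon Black's own tooling; the names B9CLI, OUT_DIR and all function names are assumptions, and only the b9cli options shown in the steps above are used.

```sh
#!/bin/sh
# Added example: wraps the article's b9cli steps so logging levels are always restored.
# Assumed names (not from the article): B9CLI, OUT_DIR and every function below.
B9CLI="${B9CLI:-/opt/bit9/bin/b9cli}"   # the article runs ./b9cli from /opt/bit9/bin
OUT_DIR="${OUT_DIR:-.}"                 # stands in for "<path to drop>"

b9() { "$B9CLI" "$@"; }

# Steps before reproduction: authenticate, clear old data, raise verbosity.
start_debug() {
    b9 --password "$1" && b9 --resetcounters && b9 --flushlogs &&
        b9 --debuglevel 6 && b9 --kerneltrace 4
}

# Return to the levels the article sets after the capture.
restore_logging() {
    b9 --password "$1" && b9 --debuglevel 0 && b9 --kerneltrace 2
}

# Capture, then restore even when the capture itself failed.
capture_and_stop() {
    zip="$OUT_DIR/${HOSTNAME:-$(uname -n)}.$(date +%Y-%m-%d).zip"
    rc=0
    b9 --capture "$zip" || rc=$?
    restore_logging "$1" || rc=$?
    return "$rc"
}

collect_system_logs() {
    tar cvfz "$OUT_DIR/system-logs-$(date +%F).tgz" /var/log
}

main() {
    printf 'CLI or Global password: ' >&2
    stty -echo; read -r pw; stty echo; echo >&2   # prompt keeps it out of shell history
    trap 'restore_logging "$pw"; exit 130' INT TERM
    start_debug "$pw" || { restore_logging "$pw"; return 1; }
    printf 'Reproduce the issue, then press Enter: ' >&2
    read -r reply
    capture_and_stop "$pw" && collect_system_logs
}

# Runs only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

The password is still handed to b9cli as a command-line argument, as the syntax in the steps above requires, so it can appear in the process list while each command runs.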
Additional Notes
The following is helpful Triage information:
- When did the issue start?
- What changed around the time the issue started?
- Is this easily reproducible?
- What AV products are on the endpoint?