
Collecting logs for troubleshooting (Cb Protection Agent 6.x - Windows OS)

Version:
6.x (Windows OS only)

Topic:
This document describes how to collect the data needed to troubleshoot an issue with Bit9 Agents on version 6.x only.

Steps:

Obtain the following information:

  • How many machines are affected?
  • How often does this issue occur and can it be reproduced?
  • What error message or Cb Protection events are you receiving regarding this issue?

Upload all data collected (as instructed below) to Cb Vault.

Once the transfer is complete, please comment on your case (include the above questions) and let us know you have uploaded the below data. We do not receive notifications for file uploads.


Collect the following data for machines with a Bit9 Agent connected to the server
1.  Log in to the Bit9 console
2.  Go to the computer's details page, click Other Action, select Delete Diagnostic Log Files and click Go (only do this if you will be able to reproduce the issue; otherwise, skip step 2 and go to step 3)
3.  Set the computer to High debug level and enable kernel tracing

    Computers > select the computer to open its details page > click Show Advanced Options > select High for Debug level > set the Debug duration to 15 minutes > check "Upload the diagnostic files when completed" > check "Include Kernel" > click Update Computer

4.  Reproduce the issue on the affected computer. If the issue is related to performance or resources used by Bit9, run procmon while reproducing the issue (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx)
5.  Once you are finished reproducing the problem, go back to the computer details page > Show Advanced Options > select Upload Agent Cache from the Action drop-down > click Go
6.  Browse to https://<your Bit9 server name>/support.php > click View Available Log Files
7.  Download the logs and save the files from the affected computer (trace.bt9, error.bt9, parity_*.etl, summary.bt9, analysis.bt9, cache.db)
8.  Go back to the computer details page > click View Recent Events > add the Process and Installer columns > set the date range to the past week > export the events to a .csv file
9.  If this is an agent install or upgrade issue, go to the C:\ drive and collect the Bit9 .log file
10. From the affected computer, go to Start > Run > type msinfo32 > click OK > File > Save (save it in .nfo format)
11. From the affected computer, export the Windows Events for Application and System (.evt or .evtx format)


Collect the following data for machines where the Cb Protection Agent is disconnected from the server
1.  From the affected computer, open a command prompt and change directory to \Program Files\Bit9\Parity Agent\ (use Program Files (x86) on 64-bit platforms)
2.  Run the following commands in order:

    a.  dascli password <type the CLI code or global password here without the brackets>
    b.  dascli resetcounters (only use this command if you can reproduce the issue)
    c.  dascli flushlogs (only use this command if you can reproduce the issue)
    d.  dascli debuglevel 6
    e.  dascli kerneltrace 4
    f.  dascli nettrace 1
    g.  dascli status (save the result of this command to a text file)

3.  Reproduce the issue on the affected computer
    a.  If the issue is related to performance or resources used by Bit9, run procmon while reproducing the issue.
    b.  Please ensure the .PML file is placed in a ZIP file, as these files can be quite large.
4.  Wrap up by running the following commands in order:

    a.  dascli password <type the CLI code or global password here without the brackets>
    b.  dascli debuglevel 0
    c.  dascli kerneltrace 0
    d.  dascli nettrace 0
    e.  dascli kerneltrace 2 (wait about 3 minutes before running this command)
    f.  dascli status (save the result of this command to the same text file as step 2g)
    g.  dascli capture C:\<computer name>.zip

5.  Go to Start > Run > type msinfo32 > click OK > File > Save (save it in .nfo format)
6.  Export the Windows Events for Application and System (.evt or .evtx format)
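The disconnected-agent procedure above (steps 2, 4, 5 and 6) can be run as one script so that the trace levels, the 3-minute wait and the two status snapshots are applied in the right order every time. This is an added example, not Carbon Black's own tooling; the agent and output paths, the -Reproducible switch and the placeholder password are assumptions to be replaced at run time.

```powershell
# Added example, not Carbon Black's own tooling: runs steps 2, 4, 5 and 6 of the
# disconnected-agent procedure above. Paths and the -Reproducible switch are assumptions.
param(
    [string]$AgentDir    = "C:\Program Files (x86)\Bit9\Parity Agent",  # step 1: "Program Files" on 32-bit Windows
    [string]$OutDir      = "C:\Bit9Logs",                               # assumed collection folder
    [string]$CliPassword = "<CLI code or global password>",             # placeholder; supply the real value at run time
    [switch]$Reproducible                                               # set only if the issue can be reproduced (steps 2b, 2c)
)
$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$statusFile = Join-Path $OutDir "dascli_status.txt"

function Invoke-Dascli {
    param([string[]]$CliArgs)
    # dascli lives in the agent directory (step 1); its output is returned so callers can save it
    & (Join-Path $AgentDir "dascli.exe") @CliArgs
}

# Step 2: authenticate, optionally clear old counters/logs, then raise the trace levels
Invoke-Dascli @("password", $CliPassword)
if ($Reproducible) {
    Invoke-Dascli @("resetcounters")
    Invoke-Dascli @("flushlogs")
}
Invoke-Dascli @("debuglevel", "6")
Invoke-Dascli @("kerneltrace", "4")
Invoke-Dascli @("nettrace", "1")
"=== dascli status before reproduction (step 2g) ===" | Out-File $statusFile
Invoke-Dascli @("status") | Out-File $statusFile -Append

# Step 3 is manual: reproduce the issue (run procmon alongside it for a performance case)
Read-Host "Reproduce the issue now, then press Enter to continue"

# Step 4: return the trace levels to normal, wait about 3 minutes, then capture the bundle
Invoke-Dascli @("password", $CliPassword)
Invoke-Dascli @("debuglevel", "0")
Invoke-Dascli @("kerneltrace", "0")
Invoke-Dascli @("nettrace", "0")
Start-Sleep -Seconds 180
Invoke-Dascli @("kerneltrace", "2")
"=== dascli status after reproduction (step 4f) ===" | Out-File $statusFile -Append
Invoke-Dascli @("status") | Out-File $statusFile -Append
Invoke-Dascli @("capture", (Join-Path $OutDir "$env:COMPUTERNAME.zip"))

# Steps 5 and 6: system information (.nfo) and the Application/System event logs (.evtx)
Start-Process msinfo32.exe -ArgumentList "/nfo `"$(Join-Path $OutDir 'msinfo32.nfo')`"" -Wait
foreach ($log in "Application", "System") {
    wevtutil epl $log (Join-Path $OutDir "$log.evtx")
}
```

Run it from an elevated PowerShell prompt; everything the procedure asks for ends up in the output folder, ready to be zipped and uploaded to Cb Vault.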

Using DebugView (optional)

1. Download and approve the DebugView tool.

2. Right-click on dbgview.exe and run it as an Admin.

3. Go to Capture and select everything except Log Boot.

4. Reproduce the issue and save the log.

Important Note

Upload all collected data to Cb Vault

Once the transfer is complete, please comment on your case (We do not receive notifications for uploads).

Related Content

For instructions on collecting logs for Version 7 & 8, please refer to the following document: Collecting logs for troubleshooting (Cb Protection Agent 7.x & 8.x - Windows OS)

For information on collecting logs for Mac/Linux OS, please refer to the following document: Collecting logs for troubleshooting (Cb Protection Agent - Mac/Linux OS)

For performance-related issues, please use the following document: Collecting Logs for Troubleshooting Performance Cases (Cb Protection Agent - Windows OS)

Article Information
Creation Date: 12-22-2015