Environment
- EDR Sensor: 6.x and Higher
- Linux: All Supported Versions
Objective
To collect relevant logs on a Linux endpoint in order to troubleshoot most performance-related issues. Typical issues may include:
- General system performance issues
- High CPU/Memory of EDR sensor process
- High CPU/Memory of third-party applications
Resolution
- Log onto the Linux endpoint exhibiting performance issues.
- Gather an strace output for the cbdaemon process.
- Generate a Linux endpoint diag report
- Upload all log files to CB Vault.
- Update your VMWare Carbon Black Technical Support case with further relevant information:
- Is this Linux endpoint also serving as an EDR console server (primary or secondary node?)
- Is the performance issue a reproducible scenario and if so, what steps, if any, are taken to reproduce it?
(For example, were any backups, updates, or large file transfers being performed?)
- How many endpoints are affected? What are their general system profiles and function?
- What other security applications/real-time scanners are installed? Have these exclusions been applied?
https://docs.vmware.com/en/VMware-Carbon-Black-EDR/services/cb-edr-sensor-install-guide/GUID-4205B17E-DF27-4AD9-AEDA-17BC9088F43F.html
- How long do the performance issues last?
- What actions, if any, return the system performance to normal?
- Is the endpoint connected to any network shares?
- Does this endpoint generate a large number of logs, binaries, or PDF reports?
Additional Notes
EDR Sensor version 7.2.0 contains improvements to memory and CPU performance, reference 'Resolved Issues' section in the release notes:
Related Content
