EDR: How to Enable Logging for VDI SensorID Lookup

Environment

  • EDR: 6.x

Objective

To enable DEBUG-level logging for the cb.sensor logger, which covers the NewRegistrationCallback class that by default performs the sensor ID lookup when a VDI sensor registers.

Resolution

  1. Back up /etc/cb/sensorservices-logger.conf (optional, but the backup is what you will restore to revert; see Additional Notes).
  2. Edit /etc/cb/sensorservices-logger.conf.
  3. Add "cb.sensor" to the end of the comma-separated keys list in the [loggers] section:
[loggers]
keys=root, gunicorn.access, cb.sensor
  4. Append a new logger section at the end of the file:
[logger_cb.sensor]
level=DEBUG
handlers=debug_syslog
propagate=0
qualname=cb.sensor
  5. Save the file.
  6. Verify that the change took effect by looking for the config-reload message in the sensorservices debug log:
# grep logger /var/log/cb/sensorservices/debug.log
Additional Notes

  • Restarting the EDR server or cluster is not required to apply this change.
  • The new config becomes active within ~15 seconds.
  • The resulting log messages are written to /var/log/cb/sensorservices/debug.log
  • Sample log entry confirming the reload:
2019-01-02 10:45:33 [12625] <warning> cb.utils.cb_logging - Detected new logger config, '/etc/cb/sensorservices-logger.conf'. reloading...
  • Sample entries for a successful VDI sensor registration:
2019-01-02 10:45:55 [12626] <debug> cb.sensor.engine - Found sensor id [2] for hostname [DESKTOP-1H8OD3S @ DESKTOP-1H8OD3S]
2019-01-02 10:45:55 [12626] <info> cb.sensor.engine - Correlated sensor registration for sensor 2 using NewRegistrationCallback
  • To revert to the original configuration, replace the modified sensorservices-logger.conf with the backup. This does require a restart of the EDR services.
  • These debug messages have minimal impact on the system, so it is generally safe to leave this debug logging enabled for an extended period.
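The Resolution steps and the two checks from Additional Notes (the reload message, and the cb.sensor.engine lookup lines), scripted so they can be repeated safely. This is an added example, not code from the article or from Carbon Black. It assumes the paths the article gives, a POSIX shell with awk and sed on the EDR server, and that the keys= line lives in the [loggers] section exactly as shown above; the function names and the script name are my own.

```shell
#!/bin/sh
# Added example (not from the KB article): automate the Resolution steps above.
# Each function takes an explicit path so it can be tried on a copy of the
# config first; with no argument it uses the paths the article names.

CONF_DEFAULT=/etc/cb/sensorservices-logger.conf
LOG_DEFAULT=/var/log/cb/sensorservices/debug.log

# Steps 1-5: back up the file, add cb.sensor to the [loggers] keys, append the
# [logger_cb.sensor] section. Idempotent: a second run changes nothing.
enable_cb_sensor_logger() {
    conf="${1:-$CONF_DEFAULT}"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }

    # Step 1: backup (optional per the article, but it is what a revert restores)
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1

    # Step 3: append cb.sensor to the keys= line of the [loggers] section only
    # (other sections also have keys= lines), and only if not already listed.
    # The result is written back in one step because sensorservices re-reads
    # the file on its own within ~15 s.
    tmp=$(mktemp) || return 1
    awk '
        /^\[/ { in_loggers = ($0 == "[loggers]") }
        in_loggers && /^keys=/ && $0 !~ /(^|[=, ])cb\.sensor([ ,]|$)/ { $0 = $0 ", cb.sensor" }
        { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"

    # Step 4: add the logger section once
    if ! grep -q '^\[logger_cb\.sensor\]' "$conf"; then
        printf '\n[logger_cb.sensor]\nlevel=DEBUG\nhandlers=debug_syslog\npropagate=0\nqualname=cb.sensor\n' >> "$conf"
    fi
}

# Step 6, on-disk half: does the file now carry both edits?
config_has_cb_sensor() {
    conf="${1:-$CONF_DEFAULT}"
    grep -q '^keys=.*cb\.sensor' "$conf" && grep -q '^qualname=cb\.sensor$' "$conf"
}

# Step 6, runtime half: did sensorservices log the reload the article describes?
reload_logged() {
    grep -q 'Detected new logger config' "${1:-$LOG_DEFAULT}"
}

# What the new logger is for: pull "hostname -> sensor id" pairs out of the
# cb.sensor.engine debug lines so VDI re-registrations can be scanned quickly.
vdi_lookups() {
    sed -n 's/.*cb\.sensor\.engine - Found sensor id \[\([0-9][0-9]*\)\] for hostname \[\([^]]*\)\].*/\2 -> \1/p' "${1:-$LOG_DEFAULT}"
}

# Usage on the EDR server, as root (script name is arbitrary):
#   . ./enable-cb-sensor-debug.sh
#   enable_cb_sensor_logger && sleep 20 && reload_logged && vdi_lookups
```

Run it against a copy of the config first; the awk edit only touches the keys= line inside [loggers], so a handlers or formatters section with its own keys= line is left alone. Reverting still follows the article: copy the .bak file back over the config and restart the EDR services.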

Article Information
Creation Date: 01-02-2019