
EDR Sensor: How to Enable Debugging for LiveQuery

Environment

  • EDR Windows Sensor: 7.1.0 and Higher
  • EDR Server: 7.2.0 and Higher

Objective

  • How can debug logging be enabled for LiveQuery?

Resolution

  • On the sensor that needs troubleshooting, set the debug logging level to at least 5 by running the following commands:
reg add HKLM\Software\CarbonBlack\config -v MaxDebugLogSize -t REG_DWORD -d 1000000000 -f

reg add HKLM\Software\CarbonBlack\config -v DebugLevel -t REG_DWORD -d 5 -f 

sc control carbonblack 203
  • Once done, re-run the LiveQuery command and then pull a new sensordiag.  The change is indicated by debuglevel in Sensor.log, and OsQuery items should now show up as queries are run.

Additional Notes

  • Verbosity can be increased to avoid missing items by changing the -d <log level> number in the command above.  Examples are below:
reg add HKLM\Software\CarbonBlack\config -v DebugLevel -t REG_DWORD -d 6 -f
reg add HKLM\Software\CarbonBlack\config -v DebugLevel -t REG_DWORD -d 7 -f
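
An added example (not from Carbon Black or this article's author): a PowerShell wrapper around the commands above that records the previous DebugLevel and MaxDebugLogSize before changing them, so they can be put back once the sensordiag has been collected. The function names and the backup file path are hypothetical, and it assumes the sensor also picks up the restored values on control code 203.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell prompt on the sensor host.
$Key    = 'HKLM:\Software\CarbonBlack\config'            # registry key from the article
$Backup = Join-Path $env:TEMP 'cb-debug-backup.json'     # hypothetical backup location
$Names  = 'DebugLevel', 'MaxDebugLogSize'

function Enable-CbLiveQueryDebug {
    param([int]$Level = 5)
    if ($Level -lt 5) { throw 'The article calls for a debug level of at least 5.' }

    # Record the current values (null when a value does not exist yet).
    # An existing backup is kept, so raising 5 -> 6 -> 7 never overwrites the original state.
    if (-not (Test-Path $Backup)) {
        $saved = @{}
        foreach ($name in $Names) {
            $saved[$name] = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        }
        $saved | ConvertTo-Json | Set-Content -Path $Backup
    }

    # Same values as the article's reg add commands.
    New-ItemProperty -Path $Key -Name MaxDebugLogSize -PropertyType DWord -Value 1000000000 -Force | Out-Null
    New-ItemProperty -Path $Key -Name DebugLevel -PropertyType DWord -Value $Level -Force | Out-Null
    sc.exe control carbonblack 203 | Out-Null             # control code from the article

    # Read back what is now in the registry.
    Get-ItemProperty -Path $Key | Select-Object $Names
}

function Restore-CbDebugSettings {
    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup" }
    $saved = Get-Content -Path $Backup -Raw | ConvertFrom-Json
    foreach ($name in $Names) {
        if ($null -eq $saved.$name) {
            # The value did not exist before debugging was enabled, so remove it again.
            Remove-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
        } else {
            New-ItemProperty -Path $Key -Name $name -PropertyType DWord -Value $saved.$name -Force | Out-Null
        }
    }
    # Assumption: the same control code makes the sensor pick up the restored values.
    sc.exe control carbonblack 203 | Out-Null
    Remove-Item -Path $Backup
}

# Usage: Enable-CbLiveQueryDebug -Level 5, re-run the LiveQuery, pull the sensordiag,
# then Restore-CbDebugSettings.
```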

 

Creation Date: 02-24-2021