Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: How To Capture Agent Logs Locally (macOS)

App Control: How To Capture Agent Logs Locally (macOS)


  • App Control Agent: All Supported Versions
  • macOS: All Supported Versions


This document describes the collection of diagnostics that will help Carbon Black Support with investigating a resolution for:

  • Unexpected Blocks
  • Unexpected Approvals
  • Unexpected Rule Results
  • Connectivity Issues
  • Agent or macOS Crash


Note: You will need the Global CLI Password to adjust the debug levels properly. Failure to authenticate with the Agent and set the proper debug levels will result in less data captured, which may prevent proper investigation into the issue.
  1. Open Terminal and issue the following commands:
    cd /Applications/Bit9/Tools
    ./b9cli --password 'GlobalCLIPassword'
    ./b9cli --resetcounters
    ./b9cli --flushlogs
    ./b9cli --debuglevel 4
    ./b9cli --kerneltrace 4
    ./b9cli --nettrace 1
  2. Reproduce the issue.
  3. Capture and stop debug logging:
    ./b9cli --capture ~/Desktop/`Hostname`-AgentLogs.zip
    ./b9cli --password 'GlobalCLIPassword'
    ./b9cli --debuglevel 0
    ./b9cli --kerneltrace 2
    ./b9cli --nettrace 0
  4. Collect System Logs (Crash only, unless otherwise requested):
    system_profiler --detailLevel full > ~/Desktop/`hostname`-sysinfo.txt
    tar -cvf ~/Desktop/`hostname`-DiagnosticReports.tar /Library/Logs/PanicReports
  5. Upload all captured logs to the Vault and update the existing Case in Support.

Additional Notes

The following is helpful Triage information:

  • When did the issue start?
  • What changes around the time of the issue starting?
  • Is this easily reproduced?
  • What AV products are on the endpoint?

Related Content

Labels (1)
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Creation Date: