App Control: How To Capture Agent Logs Locally (macOS)

Environment

  • App Control Agent: All Supported Versions
  • macOS: All Supported Versions

Objective

This document describes how to collect the diagnostics that help Carbon Black Support investigate and resolve:

  • Unexpected Blocks
  • Unexpected Approvals
  • Unexpected Rule Results
  • Connectivity Issues
  • Agent or macOS Crash

Resolution

Note: You will need the Global CLI Password to adjust the debug levels properly. Failure to authenticate with the Agent and set the proper debug levels will result in less data captured, which may prevent proper investigation into the issue.
  1. Open Terminal and issue the following commands:
    cd /Applications/Bit9/Tools
    ./b9cli --password 'GlobalCLIPassword'
    ./b9cli --resetcounters
    ./b9cli --flushlogs
    ./b9cli --debuglevel 4
    ./b9cli --kerneltrace 4
    ./b9cli --nettrace 1
    
  2. Reproduce the issue.
  3. Capture and stop debug logging:
    ./b9cli --capture ~/Desktop/`hostname`-AgentLogs.zip
    ./b9cli --password 'GlobalCLIPassword'
    ./b9cli --debuglevel 0
    ./b9cli --kerneltrace 2
    ./b9cli --nettrace 0
    
  4. Collect System Logs (Crash only, unless otherwise requested):
    system_profiler -detailLevel full > ~/Desktop/`hostname`-sysinfo.txt
    tar -cvf ~/Desktop/`hostname`-DiagnosticReports.tar /Library/Logs/PanicReports
    
  5. Upload all captured logs to the Vault and update the existing Case in Support.
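
The script below is an added example, not part of this article or of the App Control product, that wraps steps 1 through 4 so the debug levels are always reset on exit (an interrupted run otherwise leaves kernel tracing at level 4 on the endpoint) and the Global CLI Password is prompted for rather than typed on the command line, where it would persist in shell history. It assumes b9cli is at /Applications/Bit9/Tools/b9cli (override with B9CLI), writes to ~/Desktop (override with OUT_DIR), and uses only the flags listed above.

```bash
#!/bin/bash
# Wraps the b9cli steps from this article. Assumptions: b9cli is at
# /Applications/Bit9/Tools/b9cli unless B9CLI is set; OUT_DIR defaults
# to ~/Desktop; only flags the article itself lists are used.
B9CLI="${B9CLI:-/Applications/Bit9/Tools/b9cli}"
OUT_DIR="${OUT_DIR:-$HOME/Desktop}"

# Bundle path from step 3: <dir>/<hostname>-AgentLogs.zip
capture_path() {  # $1 = output directory, $2 = hostname
  printf '%s/%s-AgentLogs.zip' "$1" "$2"
}

# Step 1: authenticate, clear counters and logs, raise debug levels.
enable_debug() {  # $1 = Global CLI Password
  "$B9CLI" --password "$1"
  "$B9CLI" --resetcounters
  "$B9CLI" --flushlogs
  "$B9CLI" --debuglevel 4
  "$B9CLI" --kerneltrace 4
  "$B9CLI" --nettrace 1
}

# Step 3, second half: return the agent to its normal logging levels.
reset_debug() {  # $1 = Global CLI Password
  "$B9CLI" --password "$1"
  "$B9CLI" --debuglevel 0
  "$B9CLI" --kerneltrace 2
  "$B9CLI" --nettrace 0
}

main() {
  # Prompt for the password instead of putting it on the command line,
  # where it would persist in shell history and be visible in `ps`.
  printf 'Global CLI Password: ' >&2; read -rs pw; printf '\n' >&2
  # Reset on any exit so an aborted run never leaves kernel tracing at 4.
  trap 'reset_debug "$pw"' EXIT
  enable_debug "$pw"
  printf 'Debug logging is on. Reproduce the issue, then press Enter.\n' >&2
  read -r _
  "$B9CLI" --capture "$(capture_path "$OUT_DIR" "$(hostname)")"
  if [ "${1:-}" = "--crash" ]; then  # step 4: crash cases only
    system_profiler -detailLevel full > "$OUT_DIR/$(hostname)-sysinfo.txt"
    tar -cvf "$OUT_DIR/$(hostname)-DiagnosticReports.tar" /Library/Logs/PanicReports
  fi
}

# Runs only when invoked as:  ./collect-agent-logs.sh run [--crash]
if [ "${1:-}" = "run" ]; then shift; main "$@"; fi
```

The password still reaches b9cli through its argv, exactly as the article's own commands pass it; the script only keeps it out of the interactive shell's history.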

Additional Notes

The following is helpful Triage information:

  • When did the issue start?
  • What changed around the time the issue started?
  • Is this easily reproduced?
  • What AV products are on the endpoint?

Article Information

Creation Date: 08-21-2018