logo

Knowledge Base

Access official resources from Carbon Black experts

Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: How to Set Automatic Agent Log Capture (Locally)

App Control: How to Set Automatic Agent Log Capture (Locally)

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions
  • Microsoft Windows: All Supported Versions

Objective

To setup automatic high debug logging on an Agent for issues that cannot be reproduced on demand.

Resolution

  1. Login to the endpoint in question and from an administrative command prompt issue: 
    dascli password GlobalCLIPassword
dascli flushlogs
dascli resetcounters
dascli debuglevel 6
dascli kerneltrace 4 -1
dascli kernelconfig verboselogpattern "<PathToFileOrPathBeingBlocked"
dascli setconfigprop capture_log_on_matching_event=subtype=<SubtypeIDOfEvent>,filename=<PathToFileOrPathBeingBlocked>
  2. Once the Agent generates an Event matching the scenario:
    • Agent logs will automatically be captured and uploaded to the Server.
    • An Event will be generated with the Subtype: Agent Diagnostics Available.
  3. Download the Agent Logs from the Console > Tools > Requested Files > Diagnostic Files.
  4. Upload the Agent Logs to the Vault and update the Case accordingly.
  5. After logging is complete, return the Logging to normal and clear the Config: 
    dascli password GlobalCLIPassword
dascli setconfigprop capture_log_on_matching_event=
dascli kerneltrace 2
dascli debuglevel 0

Additional Notes

  • capture_log_on_matching_event is a Kernel Configuration Property that will trigger the capture of Agent Diagnostic Logs based on the Event Subtype and optional additional criteria.
  • There is a built in delay of 5 seconds after the Event to capture possible following activity.
  • There is a built in dwell time of 15 minutes. The auto log capture will not trigger until 15 minutes after the last auto log capture.
  • There is a limit of 10 auto log captures. No auto captures will occur until there are less than 10 captures in the logs directory.
  • The 15 minute dwell time and 10 capture maximum are to stop poorly defined event criteria from generating large numbers of logs.
  • Setting the property to an empty string disables auto-logging.
  • A list of available Event Subtype IDs can be found on VMware Docs > Server Documentation > Events Guide.

Related Content


Labels (1)
Labels:
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎09-09-2020
Views:
377
Contributors
logo