Message Image

Skip main navigation (Press Enter).

Blog Viewer

EDR Sensor: How to Enable Debugging for LiveQuery

By CB_Support posted Feb 24, 2021 10:12 PM

Recommend

Environment

EDR Windows Sensor: 7.1.0 and Higher
EDR Server: 7.2.0 and Higher

Objective

How can debug logging be enabled for LiveQuery?

Resolution

On the sensor that needs troubleshooting, enable debug logging to at least a '5'. Please run the following commands:

reg add HKLM\Software\CarbonBlack\config -v MaxDebugLogSize -t REG_DWORD -d 1000000000 -f

reg add HKLM\Software\CarbonBlack\config -v DebugLevel -t REG_DWORD -d 5 -f 

sc control carbonblack 203

Once done, re-run the LiveQuery command and then pull a new sensordiag. The changes will be denoted by debuglevel in the Sensor.log. OsQuery items should now be showing up as queries are ran.

Additional Notes

Verbosity can be increased to avoid missing items by changing the -d <log level> number in the command above. Examples, below:

reg add HKLM\Software\CarbonBlack\config -v DebugLevel -t REG_DWORD -d 6 -f
reg add HKLM\Software\CarbonBlack\config -v DebugLevel -t REG_DWORD -d 7 -f

#EDR

0 comments

0 views

Permalink

Copyright 2019. All rights reserved.

Powered by Higher Logic