How to Collect CrowdStrike Falcon Sensor Logs

Summary: The process to collect logs for CrowdStrike Falcon Sensor.

Article Content


Symptoms

This article discusses the methods for collecting logs for CrowdStrike Falcon Sensor.


Affected Products:

CrowdStrike Falcon Sensor

Affected Platforms:

Windows
Mac
Linux


Resolution

It is highly recommended to collect logs prior to troubleshooting CrowdStrike Falcon Sensor or contacting Dell Data Security ProSupport.

Click on the appropriate operating system for relevant logging information.

Windows

A user can troubleshoot CrowdStrike Falcon Sensor by manually collecting logs for:

  • MSI logs: used to troubleshoot installation issues.
  • Product logs: used to troubleshoot activation, communication, and behavior issues.

Click on the appropriate logging type for more information.

MSI

To collect MSI logs:

  1. Log into the affected endpoint.
  2. Right-click the Windows start menu and then select Run.
  3. In the Run UI, type either:
    • Installed via user: %LOCALAPPDATA%\Temp and then click OK.
    • Installed via auto-update: %SYSTEMROOT%\Temp and then click OK.
  4. Collect:
    • CrowdStrike Window Sensor_[TimeStamp]_[Bit].log
    • CrowdStrike Window Sensor_[TimeStamp].log

Note:
  • [TimeStamp] = Date/Time of installation
  • [Bit] = Agent32 or Agent64.

Product Logs

It is recommended to enable verbosity and then reproduce the issue before capturing product logs. Once the issue is resolved, disable verbosity.

Warning: Verbosity should only be enabled to troubleshoot an issue. Dell recommends disabling verbosity after the issue is resolved. Endpoints may experience performance degradation while verbosity is enabled.

To enable logging:

  1. Log into the affected endpoint.
  2. Right-click the Windows start menu and then select Run.
  3. In the Run UI (user interface), type regedit and then press CTRL+SHIFT+ENTER to run the Registry Editor as an administrator.
  4. If UAC (User Account Control) is enabled, click Yes. Otherwise, proceed to Step 5.
  5. Navigate to [HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default].
  6. Double-click AFLAGS.
  7. Press Delete, type 03, and then click OK.
  8. Click File and then select Exit.

Note: Once logging is enabled, reproduce the issue.

To capture product logs:

  1. Log into the affected endpoint.
  2. Right-click the Windows start menu and then select Run.
  3. In the Run UI (user interface), type eventvwr and then click OK.
  4. In Event Viewer, navigate to Windows Logs -> System.
  5. Create a filter by right-clicking the System log.
  6. Set the Source to CSAgent.
  7. Click Save Filtered Log File As.
  8. Change File Name to CrowdStrike_[WorkstationName].evtx and then click Save.

Note: It is recommended to specify the [WorkstationName] in case the issue is happening on multiple endpoints.

To disable logging:

  1. Log into the affected endpoint.
  2. Right-click the Windows start menu and then select Run.
  3. In the Run UI (user interface), type regedit and then press CTRL+SHIFT+ENTER to run the Registry Editor as an administrator.
  4. If UAC (User Account Control) is enabled, click Yes. Otherwise, proceed to Step 5.
  5. Navigate to [HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default].
  6. Double-click AFLAGS.
  7. Press Delete, type 0, and then click OK.
  8. Click File and then select Exit.

Mac

A user can troubleshoot CrowdStrike Falcon Sensor by collecting:

  • Install logs: used to troubleshoot installation issues.
  • Product logs: used to troubleshoot activation, communication, and behavior issues.

Install Logs

CrowdStrike Falcon Sensor uses the native install.log to document install information.

To collect Install.log:

  1. From the Apple menu, click Go and then select Go to Folder.
  2. Type /var/log and then click Go.
  3. Copy Install.log to an easily accessed area for further investigation.

Tip: It is recommended to search for Dell Data Guardian to ensure the information is relevant to Dell Data Guardian.

Product Logs

It is recommended to enable verbosity and then reproduce the issue before capturing product logs. Once the issue is resolved, disable verbosity.

Warning: Verbosity should only be enabled to troubleshoot an issue. Dell recommends disabling verbosity after the issue is resolved. Endpoints may experience performance degradation while verbosity is enabled.

To enable logging:

  1. Log into the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.
  3. Double-click Terminal.
  4. In Terminal, type sudo sysctl cs.feature=3 and then press Enter.
  5. Populate the password for sudo and then press Enter.
  6. Confirm cs.feature=3.

Note: Once logging is enabled, reproduce the issue.

To capture logs:

  1. Log into the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.
  3. Double-click Terminal.
  4. In Terminal, type sudo /Library/CS/falconctl diagnose and then press Enter.
  5. Populate the password for sudo and then press Enter.
  6. After several minutes, falconctl_diagnose.tgz is generated in /private/tmp.

To disable logging:

  1. Log into the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.
  3. Double-click Terminal.
  4. In Terminal, type sudo sysctl cs.feature=0 and then press Enter.
  5. Populate the password for sudo and then press Enter.
  6. Confirm cs.feature=0.

Linux

To collect logs:

  1. Log into the affected endpoint.
  2. Open Terminal.

Note: The GUI layout may differ between Linux distributions.

  3. In Terminal, type su root and then press Enter.
  4. Populate the password for sudo and then press Enter.
  5. Type sudo mkdir /tmp/CrowdStrike and then press Enter.

Note: The example /tmp/CrowdStrike directory can be modified in your environment.

  6. Type sudo grep falcon /var/log/messages > /tmp/CrowdStrike/log_messages.txt and then press Enter.
  7. Type sudo grep falcon /var/log/syslog > /tmp/CrowdStrike/log_syslog.txt and then press Enter.
  8. Type sudo grep falcon /var/log/rsyslog > /tmp/CrowdStrike/log_rsyslog.txt and then press Enter.
  9. Type sudo grep falcon /var/log/daemon > /tmp/CrowdStrike/log_daemon.txt and then press Enter.

Note: Linux distributions may not have all listed directories.

  10. Capture all output files within /tmp/CrowdStrike (Step 5) using SSH.

Note:
  • By default, SSH is disabled on Linux distributions.
  • Once SSH is enabled, third-party software (e.g. PuTTY) can be used to connect to the Linux endpoint.
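The Linux collection steps above as a script, added here and not part of the Dell article: it creates the collection directory, greps the listed log files for falcon, skips files the distribution does not ship (the Note above) instead of failing, and bundles the results into one archive for the SSH transfer. It assumes it is run as root, as the su root step does, because the > redirection is performed by the calling shell rather than by sudo; the log lines in demo_collect are constructed samples, not real sensor output.

```shell
#!/bin/sh
# Added example, not part of the Dell article: scripts the Linux collection
# steps (mkdir, grep falcon into /tmp/CrowdStrike, bundle for SSH transfer).
# Run as root, like the article's "su root" step: the "> file" redirection is
# done by the calling shell, not by sudo, so it must already be privileged.

# Log files the article greps; a distribution may not ship all of them.
FALCON_LOG_SOURCES="/var/log/messages /var/log/syslog /var/log/rsyslog /var/log/daemon"

# collect_falcon_logs OUTDIR LOGFILE...
# Writes falcon lines from each readable LOGFILE to OUTDIR/log_<name>.txt
# (the article's log_messages.txt, log_syslog.txt naming), skips missing
# files, prints how many were collected and fails if that number is zero.
collect_falcon_logs() {
    outdir=$1; shift
    mkdir -p "$outdir" || return 1
    collected=0
    for src in "$@"; do
        if [ ! -r "$src" ]; then
            echo "skipping $src: not present on this distribution" >&2
            continue
        fi
        # grep exits 1 when nothing matches; an empty file is still evidence.
        grep falcon "$src" > "$outdir/log_$(basename "$src").txt" || true
        collected=$((collected + 1))
    done
    echo "$collected"
    [ "$collected" -gt 0 ]
}

# bundle_falcon_logs OUTDIR ARCHIVE: one .tgz to pull over SSH instead of many files.
bundle_falcon_logs() {
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

# demo_collect: offline check with constructed log lines (not real sensor output).
# Two of the three inputs exist, so it prints 2 and skips the missing daemon log.
demo_collect() {
    work=$(mktemp -d)
    printf 'host falcon-sensor[100]: sensor started\nhost sshd[1]: unrelated\n' > "$work/messages"
    printf 'host kernel: falcon_lsm_serviceable module loaded\n' > "$work/syslog"
    collect_falcon_logs "$work/out" "$work/messages" "$work/syslog" "$work/daemon" 2>/dev/null
}

# Real collection, as root: sh collect_falcon.sh --run
if [ "${1:-}" = "--run" ]; then
    collect_falcon_logs /tmp/CrowdStrike $FALCON_LOG_SOURCES &&
        bundle_falcon_logs /tmp/CrowdStrike /tmp/CrowdStrike.tgz
fi
```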

For support, US-based customers may contact Dell Data Security ProSupport at 877.459.7304, Option 1, Ext. 4310039, or via the Chat Portal. To contact support outside the US, reference ProSupport’s International Contact Numbers. For additional insights and resources, visit the Dell Security Community Forum.

Article Properties


Affected Product

CrowdStrike

Last Published Date

21 Feb 2021

Version

5

Article Type

Solution
