How to Collect Logs for the VMware Carbon Black Cloud Endpoint Sensor

Summary: Learn how to collect logs for VMware Carbon Black Cloud Endpoint on Windows, Mac, or Linux by following these instructions.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

This article discusses the methods for collecting VMware Carbon Black Cloud Endpoint sensor logs.

Affected Products:

  • VMware Carbon Black Cloud Endpoint

Affected Versions:

  • v3.3.0 and later (Windows)
  • v3.1.0 and later (Mac)
  • v2.5.0 and later (Linux)

Affected Operating Systems:

  • Windows
  • Mac
  • Linux
Note: For information about capturing a HAR file for troubleshooting VMware Carbon Black Cloud, reference How to Capture a HAR File for VMware Carbon Black Cloud.

Click Windows, Mac, or Linux for more information about the log collection process.

Windows

Click the appropriate client version for specific installation steps. Reference How to Identify the VMware Carbon Black Cloud Endpoint Sensor Version for more information.

Note: For information about how to collect Windows logs using Live Response, reference How to Collect VMware Carbon Black Endpoint Sensor Logs Using Live Response.
  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.
    Run
  3. In the Run UI, type cmd and then press CTRL+SHIFT+ENTER. This runs Command Prompt as an administrator.
    Run UI
  4. In Command Prompt, type CD [DIRECTORY] and then press Enter.
    Command Prompt command
    Note:
    • [DIRECTORY] = Directory of the VMware Carbon Black Cloud Endpoint sensor
    • The default installation [DIRECTORY] is C:\Program Files\Confer.
  5. Type repcli capture [DESTINATION DIRECTORY] and then press Enter.
    Command Prompt command
    Note: [DESTINATION DIRECTORY] = Target destination for log bundle
  6. In Windows Explorer, go to the [DESTINATION DIRECTORY] used in Step 5.
  7. Right-click psc_sensor.zip and then click Rename.
    Rename
  8. Rename psc_sensor.zip to [MACHINENAME]_psc_sensor.zip.
    Note: [MACHINENAME] = Fully qualified domain name of endpoint
  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.
    Run
  3. In the Run UI, type cmd and then press CTRL+SHIFT+ENTER. This runs Command Prompt as an administrator.
    Run UI
  4. In Command Prompt, type CD [DIRECTORY] and then press Enter.
    Command Prompt command
    Note:
    • [DIRECTORY] = Directory of the VMware Carbon Black Cloud Endpoint sensor
    • The default installation [DIRECTORY] is C:\Program Files\Confer.
  5. Type repcli capture and then press Enter.
    Command Prompt command
  6. In Windows Explorer, go to C:\Windows\TEMP\confer-temp.
  7. If prompted for folder access, click Continue. Otherwise go to Step 8.
    UAC prompt
  8. Right-click confer_dump.zip and then click Rename.
    Rename
  9. Rename confer_dump.zip to [MACHINENAME]_confer_dump.zip.
    Note: [MACHINENAME] = Fully qualified domain name of endpoint

Mac

Click the appropriate client version for specific installation steps. Reference How to Identify the VMware Carbon Black Cloud Endpoint Sensor Version for more information.

  1. Log in to the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.
    Utilities
  3. Double-click Terminal.
    Terminal
  4. In Terminal, type type sudo /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS/repcli capture [UNINSTALL_CODE] [DESTINATION DIRECTORY] and then press Enter.
    Terminal command
    Note:
  5. Populate the password for sudo and then press Enter.
  6. Go to [DESTINATION DIRECTORY], right-click confer.zip, and then select Rename.
  7. Rename confer.zip to [MACHINENAME]_confer_dump.zip.
    Note: [MACHINENAME] = Fully qualified domain name of endpoint
  1. Log in to the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.
    Utilities
  3. Double-click Terminal.
    Terminal
  4. In Terminal, type sudo /Applications/Confer.app/uninstall -l [UNINSTALL_CODE] -d [DESTINATION DIRECTORY] and then press Enter.
    Terminal command
    Note:
  5. Populate the password for sudo and then press Enter.
  6. Go to [DESTINATION DIRECTORY], right-click confer.zip, and then select Rename.
  7. Rename confer.zip to [MACHINENAME]_confer_dump.zip.
    Note: [MACHINENAME] = Fully qualified domain name of endpoint

Linux

Click the appropriate client version for specific installation steps. Reference How to Identify the VMware Carbon Black Cloud Endpoint Sensor Version for more information.

  1. Log in to the affected endpoint.
  2. Open Terminal.
    Terminal
    Note: The user interface (UI) layout may differ between Linux distributions.
  3. In Terminal, type su root and then press Enter.
  4. Populate the password for root and then press Enter.
    Terminal command
  5. Type sudo /opt/carbonblack/psc/bin/collectdiags.sh and then press Enter.
  6. Retrieve the log from /tmp. The filename is in the format diags_[HOSTNAME]_[EPOCH_TIME]_[RANDOM].tgz
  1. Log in to the affected endpoint.
  2. Open Terminal.
    Terminal
    Note: The user interface (UI) layout may differ between Linux distributions.
  3. In Terminal, type su root and then press Enter.
  4. Populate the password for root and then press Enter.
    Terminal command
  5. Type sudo tar cvf $(hostname –long)_$(date +"%Y-%b-%d_%H-%M-$S")_logs.tgz /var/opt/carbonblack/psc/log and then press Enter.
  6. Retrieve the log from /var/opt/carbonblack/psc/log.

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

VMware Carbon Black
Article Properties
Article Number: 000125504
Article Type: How To
Last Modified: 16 Dec 2024
Version:  23
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.