How to Collect CrowdStrike Falcon Sensor Logs

Summary: Learn how to collect CrowdStrike Falcon Sensor logs for troubleshooting. Step-by-step guides are available for Windows, Mac, and Linux.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

This article discusses the methods for collecting logs for the CrowdStrike Falcon Sensor.

Affected Products:

  • CrowdStrike Falcon Sensor

Affected Operating Systems:

  • Windows
  • Mac
  • Linux

Cause

Not applicable

Resolution

It is highly recommended to collect logs before troubleshooting CrowdStrike Falcon Sensor or contacting Dell support.

Note: For more information about contacting Dell support, reference Dell Data Security International Support Phone Numbers.

Click Windows, Mac, or Linux for relevant logging information.

A user can troubleshoot CrowdStrike Falcon Sensor on Windows by manually collecting logs for:

  • MSI logs: Used to troubleshoot installation issues.
  • Product logs: Used to troubleshoot activation, communication, and behavior issues.

Click the appropriate logging type for more information.

MSI

  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.

Run

  1. In the Run user interface (UI), type either:
    • If installed by user: %LOCALAPPDATA%\Temp and then click OK.
    • If Installed by auto update: %SYSTEMROOT%\Temp and then click OK.

Run UI

  1. Collect:
    • CrowdStrike Window Sensor_[TIMESTAMP]_[BIT].log
    • CrowdStrike Window Sensor_[TIMESTAMP].log

Image depicts example log files.

Note:
  • [TIMESTAMP] = Date & time of Installation
  • [BIT] = Represents either Agent32 or Agent64

Product

It is recommended to Enable verbosity and then reproduce the issue before the Capture of product logs. Once the issue is resolved, it is recommended to Disable verbosity. Click the appropriate process for more information.

Enable
Warning:
  • Dell Technologies recommends enabling verbosity only when troubleshooting an issue.
  • Dell Technologies recommends disabling verbosity after the issue is resolved.
  • Endpoints may experience performance degradation while verbosity is enabled.
  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.

Run

  1. In the Run user interface (UI), type regedit and then press CTRL+SHIFT+ENTER to run the Registry Editor as an administrator.

Run UI

  1. If User Account Control (UAC) is enabled, click Yes. Otherwise, go to Step 5.

User Account Control prompt

  1. Go to [HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default].

Registry

  1. Double-click AFLAGS.

AFLAGS in the registry

  1. Press Delete, type 03, and then click OK.

Edit Binary Value screen

  1. Click File and then select Exit.

Exiting Registry Editor

Note: Once logging is enabled, reproduce the issue.
Capture
  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.

Run

  1. In the Run user interface (UI), type eventvwr and then click OK.

Run UI

  1. In Event Viewer, expand Windows Logs and then click System.

Windows Logs and System

  1. Right-click the System log and then select Filter Current Log.

Filter Current Log

  1. Set the Source to CSAgent.

Setting Event Source to CSAgent

  1. Right-click the System log and then select Save Filtered Log File As.

Save Filtered Log File As

  1. Change File Name to CrowdStrike_[WORKSTATIONNAME].evtx and then click Save.

Changing file name and saving

Note: Dell Technologies recommends specifying the [WORKSTATIONNAME] in case the issue is happening on multiple endpoints.
Disable
  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.

Run

  1. In the Run user interface (UI), type regedit and then press CTRL+SHIFT+ENTER to run the Registry Editor as an administrator.

Run UI

  1. If User Account Control (UAC) is enabled, click Yes. Otherwise go to Step 5.

User Account Control prompt

  1. Go to [HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default].

Registry

  1. Press Delete, type 0, and then click OK.

Edit Binary Value

  1. Click File and then select Exit.

Exiting the registry

A user can troubleshoot CrowdStrike Falcon Sensor on Mac by collecting:

  • Install logs: Used to troubleshoot installation issues.
  • Product logs: Used to troubleshoot activation, communication, and behavior issues.

Click the appropriate log type for more information.

Install

CrowdStrike Falcon Sensor uses the native install.log to document install information.

  1. From the Apple menu, click Go and then select Go to Folder.

Go to Folder

  1. Type /var/log and then click Go.

Go to Folder UI

  1. Copy Install.log to a readily available location for further investigation.

install.log

Note: Dell Technologies recommends searching for "CrowdStrike" to ensure that the information is relevant to CrowdStrike.

Product

It is recommended to Enable verbosity and then reproduce the issue before the Capture of product logs. Once the issue is resolved, it is recommended to Disable verbosity. Click the appropriate process for more information.

Enable
Warning:
  • Dell Technologies recommends enabling verbosity only when troubleshooting an issue.
  • Dell Technologies recommends disabling verbosity after the issue is resolved.
  • Endpoints may experience performance degradation while verbosity is enabled.
  1. Log in to the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.

Utilities

  1. Double-click Terminal.

Terminal

  1. In Terminal, type sudo sysctl cs.feature=3 and then press Enter.
  2. Populate the password for sudo, and then press Enter.

Terminal populating sudo password

  1. Confirm cs.feature=3.

Terminal UI

Note: Once logging is enabled, reproduce the issue.
Capture
  1. Log in to the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.

Utilities

  1. Double-click Terminal.

Terminal

  1. In Terminal, type sudo /Library/CS/falconctl diagnose and then press Enter.
  2. Populate the password for sudo, and then press Enter.

Terminal populating the sudo password

  1. After several minutes, falconctl_diagnose.tgz will be generated in /private/tmp.
Disable
  1. Log in to the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.

Utilities

  1. Double-click Terminal.

Terminal

  1. In Terminal, type sudo sysctl cs.feature=0 and then press Enter.
  2. Populate the password for sudo, and then press Enter.

Terminal populating the sudo password

  1. Confirm cs.feature=0.

Terminal UI

  1. Log in to the affected endpoint.
  2. Open the Linux Terminal.

Terminal

Note: The user interface (UI) layout may differ between Linux distributions.
  1. In Terminal, type su root and then press Enter.
  2. Populate the password for sudo, and then press Enter.

Terminal populating sudo password

  1. Type sudo mkdir /tmp/CrowdStrike and then press Enter.

Terminal making directory

Note: The example /tmp/CrowdStrike directory can be modified in your environment.
  1. Type sudo grep falcon /var/log/messages > /tmp/CrowdStrike/log_messages.txt and then press Enter.
  2. Type sudo grep falcon /var/log/syslog > /tmp/CrowdStrike/log_syslog.txt and then press Enter.
  3. Type sudo grep falcon /var/log/rsyslog > /tmp/CrowdStrike/log_rsyslog.txt and then press Enter.
  4. Type sudo grep falcon /var/log/daemon > /tmp/CrowdStrike/log_daemon.txt and then press Enter.

Terminal UI

Note: Linux distributions may not have all listed directories.
  1. Capture all output files within /tmp/CrowdStrike (Step 5) using SSH.

Terminal capturing output

Note:
  • By default, SSH is disabled on Linux distributions.
  • Once SSH is enabled, third-party software (such as PuTTY) can be used to connect to the Linux endpoint.

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

CrowdStrike
Article Properties
Article Number: 000178209
Article Type: Solution
Last Modified: 01 Feb 2024
Version:  17
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.