メイン コンテンツに進む
ログアウト

Dellへようこそ

マイアカウント
  • すばやく簡単にご注文が可能
  • 注文内容の表示、配送状況をトラック
  • 会員限定の特典や割引のご利用
  • 製品リストの作成とアクセスが可能
  • 「Company Administration(会社情報の管理)」では、お使いのDell EMCのサイトや製品、製品レベルでのコンタクト先に関する情報を管理できます。
ログイン アカウントの新規作成 プレミアログイン パートナー プログラム サインイン
お問い合わせ

Dell.comカート

文書番号: 000178209

How to Collect CrowdStrike Falcon Sensor Logs

概要: Learn how to collect CrowdStrike Falcon Sensor logs for troubleshooting. Step-by-step guides are available for Windows, Mac, and Linux.

この記事は自動翻訳されたものである可能性があります。品質に関するフィードバックがある場合は、このページの下部にあるフォームを使用してお知らせください。

文書の内容

現象

This article discusses the methods for collecting logs for the CrowdStrike Falcon Sensor.

Affected Products:

  • CrowdStrike Falcon Sensor

Affected Operating Systems:

  • Windows
  • Mac
  • Linux

原因

Not applicable

解決方法

It is highly recommended to collect logs before troubleshooting CrowdStrike Falcon Sensor or contacting Dell support.

Note: For more information about contacting Dell support, reference Dell Data Security International Support Phone Numbers.

Click Windows, Mac, or Linux for relevant logging information.

A user can troubleshoot CrowdStrike Falcon Sensor on Windows by manually collecting logs for:

  • MSI logs: Used to troubleshoot installation issues.
  • Product logs: Used to troubleshoot activation, communication, and behavior issues.

Click the appropriate logging type for more information.

MSI

  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.

Run

  1. In the Run user interface (UI), type either:
    • If installed by user: %LOCALAPPDATA%\Temp and then click OK.
    • If Installed by auto update: %SYSTEMROOT%\Temp and then click OK.

Run UI

  1. Collect:
    • CrowdStrike Window Sensor_[TIMESTAMP]_[BIT].log
    • CrowdStrike Window Sensor_[TIMESTAMP].log

Image depicts example log files.

Note:
  • [TIMESTAMP] = Date & time of Installation
  • [BIT] = Represents either Agent32 or Agent64

Product

It is recommended to Enable verbosity and then reproduce the issue before the Capture of product logs. Once the issue is resolved, it is recommended to Disable verbosity. Click the appropriate process for more information.

Enable
Warning:
  • Dell Technologies recommends enabling verbosity only when troubleshooting an issue.
  • Dell Technologies recommends disabling verbosity after the issue is resolved.
  • Endpoints may experience performance degradation while verbosity is enabled.
  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.

Run

  1. In the Run user interface (UI), type regedit and then press CTRL+SHIFT+ENTER to run the Registry Editor as an administrator.

Run UI

  1. If User Account Control (UAC) is enabled, click Yes. Otherwise, go to Step 5.

User Account Control prompt

  1. Go to [HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default].

Registry

  1. Double-click AFLAGS.

AFLAGS in the registry

  1. Press Delete, type 03, and then click OK.

Edit Binary Value screen

  1. Click File and then select Exit.

Exiting Registry Editor

Note: Once logging is enabled, reproduce the issue.
Capture
  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.

Run

  1. In the Run user interface (UI), type eventvwr and then click OK.

Run UI

  1. In Event Viewer, expand Windows Logs and then click System.

Windows Logs and System

  1. Right-click the System log and then select Filter Current Log.

Filter Current Log

  1. Set the Source to CSAgent.

Setting Event Source to CSAgent

  1. Right-click the System log and then select Save Filtered Log File As.

Save Filtered Log File As

  1. Change File Name to CrowdStrike_[WORKSTATIONNAME].evtx and then click Save.

Changing file name and saving

Note: Dell Technologies recommends specifying the [WORKSTATIONNAME] in case the issue is happening on multiple endpoints.
Disable
  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.

Run

  1. In the Run user interface (UI), type regedit and then press CTRL+SHIFT+ENTER to run the Registry Editor as an administrator.

Run UI

  1. If User Account Control (UAC) is enabled, click Yes. Otherwise go to Step 5.

User Account Control prompt

  1. Go to [HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default].

Registry

  1. Press Delete, type 0, and then click OK.

Edit Binary Value

  1. Click File and then select Exit.

Exiting the registry

A user can troubleshoot CrowdStrike Falcon Sensor on Mac by collecting:

  • Install logs: Used to troubleshoot installation issues.
  • Product logs: Used to troubleshoot activation, communication, and behavior issues.

Click the appropriate log type for more information.

Install

CrowdStrike Falcon Sensor uses the native install.log to document install information.

  1. From the Apple menu, click Go and then select Go to Folder.

Go to Folder

  1. Type /var/log and then click Go.

Go to Folder UI

  1. Copy Install.log to a readily available location for further investigation.

install.log

Note: Dell Technologies recommends searching for "CrowdStrike" to ensure that the information is relevant to CrowdStrike.

Product

It is recommended to Enable verbosity and then reproduce the issue before the Capture of product logs. Once the issue is resolved, it is recommended to Disable verbosity. Click the appropriate process for more information.

Enable
Warning:
  • Dell Technologies recommends enabling verbosity only when troubleshooting an issue.
  • Dell Technologies recommends disabling verbosity after the issue is resolved.
  • Endpoints may experience performance degradation while verbosity is enabled.
  1. Log in to the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.

Utilities

  1. Double-click Terminal.

Terminal

  1. In Terminal, type sudo sysctl cs.feature=3 and then press Enter.
  2. Populate the password for sudo, and then press Enter.

Terminal populating sudo password

  1. Confirm cs.feature=3.

Terminal UI

Note: Once logging is enabled, reproduce the issue.
Capture
  1. Log in to the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.

Utilities

  1. Double-click Terminal.

Terminal

  1. In Terminal, type sudo /Library/CS/falconctl diagnose and then press Enter.
  2. Populate the password for sudo, and then press Enter.

Terminal populating the sudo password

  1. After several minutes, falconctl_diagnose.tgz will be generated in /private/tmp.
Disable
  1. Log in to the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.

Utilities

  1. Double-click Terminal.

Terminal

  1. In Terminal, type sudo sysctl cs.feature=0 and then press Enter.
  2. Populate the password for sudo, and then press Enter.

Terminal populating the sudo password

  1. Confirm cs.feature=0.

Terminal UI

  1. Log in to the affected endpoint.
  2. Open the Linux Terminal.

Terminal

Note: The user interface (UI) layout may differ between Linux distributions.
  1. In Terminal, type su root and then press Enter.
  2. Populate the password for sudo, and then press Enter.

Terminal populating sudo password

  1. Type sudo mkdir /tmp/CrowdStrike and then press Enter.

Terminal making directory

Note: The example /tmp/CrowdStrike directory can be modified in your environment.
  1. Type sudo grep falcon /var/log/messages > /tmp/CrowdStrike/log_messages.txt and then press Enter.
  2. Type sudo grep falcon /var/log/syslog > /tmp/CrowdStrike/log_syslog.txt and then press Enter.
  3. Type sudo grep falcon /var/log/rsyslog > /tmp/CrowdStrike/log_rsyslog.txt and then press Enter.
  4. Type sudo grep falcon /var/log/daemon > /tmp/CrowdStrike/log_daemon.txt and then press Enter.

Terminal UI

Note: Linux distributions may not have all listed directories.
  1. Capture all output files within /tmp/CrowdStrike (Step 5) using SSH.

Terminal capturing output

Note:
  • By default, SSH is disabled on Linux distributions.
  • Once SSH is enabled, third-party software (such as PuTTY) can be used to connect to the Linux endpoint.

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

文書のプロパティ

影響を受ける製品

CrowdStrike

最後に公開された日付

01 2月 2024

バージョン

17

文書の種類

Solution

トップに戻る