Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
Sign In Create an Account Dell Financial Services Premier Sign In Partner Program Sign In
Contact Us

Your Dell.com Carts

How to Collect VMware Carbon Black Endpoint Sensor Logs Using Live Response

Summary: VMware Carbon Black Endpoint Sensor logs may be collected remotely with Live Response by following these instructions.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

How to collect VMware Carbon Black Endpoint and Carbon Black Defense logs remotely using the Live Response Feature in the VMware Carbon Black Cloud Console.

Affected Products:

  • VMware Carbon Black Endpoint

Affected Versions:

  • v3.4 and Later

Affected Operating Systems:

  • Windows

Cause

Not applicable

Resolution

VMware Carbon Black Cloud's Live Response feature is a method to collect sensor logs remotely from Microsoft Windows endpoints to provide to support for troubleshooting.

Ensure that the Live Response policy is enabled for the endpoint. The default setting is Disabled.

To collect logs using Live Response, an administrator must first Enable Policy, Run Live Response, and then Download Logs. Click the appropriate action for more information.

Note: This article focuses on how to collect logs using the Live Response feature. For more information about how to collect logs manually for all operating systems, reference How to Collect Logs for the VMware Carbon Black Cloud Endpoint Sensor.

Enable Policy

To verify that the policy is enabled:

  1. In a web browser, go to [REGION].conferdeploy.net.
Note: [REGION] = Region of tenant
  1. Sign In to the VMware Carbon Black Cloud.

VMware Carbon Black Cloud sign in

  1. In the left menu pane, click Enforce.

Enforce

  1. Click Policies.

Policies

  1. Select a policy.

Policy selection

  1. Click the Sensor tab and verify that Enable Live Response is selected.

Enable Live Response

Run Live Response

Running Live Response differs based on the version of VMware Carbon Black Cloud Endpoint Sensor. Click the appropriate version for more information.

Note: For more information about identifying the version, reference How to Identify the VMware Carbon Black Cloud Endpoint Sensor Version.

To use Live Response with version 3.6 and later:

  1. In the left menu pane, click Endpoints.

Endpoints

  1. In the All Sensors user interface (UI):
    1. Locate the appropriate Device Name.
    2. Click the drop-down box under Actions.
    3. Click Live Response.

All Sensors user interface

  1. Once Live Response connects, type cd c:\program files\confer and then press Enter.

Changing directory in Live Response

  1. Type execfg cmd /c repcli capture “[PATH]” and then press Enter. This runs the RepCLI Utility to capture logging.

Capturing logging in Live Response

Note: [PATH] = The absolute path of the log destination folder

Once the capture is complete, a prompt indicates that captured logs are placed in the specified destination folder with a file name of psc_sensor.zip

Note: This may take several minutes, depending on the network bandwidth for both the endpoint that logs are being captured on and the device receiving the files.

To use Live Response with version 3.4 to 3.5:

  1. In the left menu pane, click Endpoints.

Endpoints

  1. In the All Esensors user interface (UI):
    1. Locate the appropriate Device Name.
    2. Click the drop-down box under Actions.
    3. Click Live Response.

All Sensors user interface

  1. Once Live Response connects, type cd c:\program files\confer and then press Enter.

Changing directory in Live Response

  1. Type execfg repcli capture and then press Enter. This runs the RepCLI Utility to capture logging.

Capturing logging in Live Response

Once the capture is complete, a prompt indicates that captured logs are placed in C:\Windows\Temp\cb-temp with a file name of psc_sensor.zip

Note: This may take several minutes, depending on the network bandwidth for both the endpoint that logs are being captured on and the device receiving the files.

Download Logs

To download logs:

  1. Type cd C:\Windows\Temp\cb-temp and then press Enter.
Note: If only the confer.log is required, it can be directly collected by browsing to C:\Program Files\Confer, typing get confer.log, and then pressing Enter.
  1. Type get psc_sensor.zip and then press Enter.

Getting file using Live Response

  1. The file downloads to your local computer with an alphanumeric filename. Rename the file to add a .zip extension.
Note:
  • Example alphanumeric filename: 36355d97-18f4-416e-be8f-473bda7c30fb.
  • Example renamed filename: SensorCapture.zip.

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Additional Information

 

Videos

 

Affected Products

VMware Carbon Black
Article Properties
Article Number: 000175263
Article Type: Solution
Last Modified: 03 Feb 2023
Version:  18
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.