How to Collect CrowdStrike Falcon Sensor Logs

Summary: Learn how to collect CrowdStrike Falcon Sensor logs for troubleshooting. Step-by-step guides are available for Windows, Mac, and Linux.

Symptoms

This article discusses the methods for collecting logs for the CrowdStrike Falcon Sensor.


Affected Products:

  • CrowdStrike Falcon Sensor

Affected Operating Systems:

  • Windows
  • Mac
  • Linux

Cause

Not applicable

Resolution

It is highly recommended to collect logs before troubleshooting CrowdStrike Falcon Sensor or contacting Dell support.

Note: For more information about contacting Dell support, reference Dell Data Security International Support Phone Numbers.

Click Windows, Mac, or Linux for relevant logging information.

Windows

A user can troubleshoot CrowdStrike Falcon Sensor on Windows by manually collecting logs for:

  • MSI logs: Used to troubleshoot installation issues.
  • Product logs: Used to troubleshoot activation, communication, and behavior issues.

Click the appropriate logging type for more information.

MSI

  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.
  3. In the Run user interface (UI), type either:
    • If installed by user: %LOCALAPPDATA%\Temp and then click OK.
    • If installed by auto update: %SYSTEMROOT%\Temp and then click OK.
  4. Collect:
    • CrowdStrike Window Sensor_[TIMESTAMP]_[BIT].log
    • CrowdStrike Window Sensor_[TIMESTAMP].log

Note:
  • [TIMESTAMP] = Date and time of installation
  • [BIT] = Represents either Agent32 or Agent64

Product

It is recommended to Enable verbosity and then reproduce the issue before the Capture of product logs. Once the issue is resolved, it is recommended to Disable verbosity. Click the appropriate process for more information.

Enable

Warning:
  • Dell Technologies recommends enabling verbosity only when troubleshooting an issue.
  • Dell Technologies recommends disabling verbosity after the issue is resolved.
  • Endpoints may experience performance degradation while verbosity is enabled.

  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.
  3. In the Run user interface (UI), type regedit and then press CTRL+SHIFT+ENTER to run the Registry Editor as an administrator.
  4. If User Account Control (UAC) is enabled, click Yes. Otherwise, go to Step 5.
  5. Go to [HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default].
  6. Double-click AFLAGS.
  7. Press Delete, type 03, and then click OK.
  8. Click File and then select Exit.

Note: Once logging is enabled, reproduce the issue.

Capture

  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.
  3. In the Run user interface (UI), type eventvwr and then click OK.
  4. In Event Viewer, expand Windows Logs and then click System.
  5. Right-click the System log and then select Filter Current Log.
  6. Set the Source to CSAgent.
  7. Right-click the System log and then select Save Filtered Log File As.
  8. Change File Name to CrowdStrike_[WORKSTATIONNAME].evtx and then click Save.

Note: Dell Technologies recommends specifying the [WORKSTATIONNAME] in case the issue is happening on multiple endpoints.

Disable

  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.
  3. In the Run user interface (UI), type regedit and then press CTRL+SHIFT+ENTER to run the Registry Editor as an administrator.
  4. If User Account Control (UAC) is enabled, click Yes. Otherwise, go to Step 5.
  5. Go to [HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default].
  6. Press Delete, type 0, and then click OK.
  7. Click File and then select Exit.

Mac

A user can troubleshoot CrowdStrike Falcon Sensor on Mac by collecting:

  • Install logs: Used to troubleshoot installation issues.
  • Product logs: Used to troubleshoot activation, communication, and behavior issues.

Click the appropriate log type for more information.

Install

CrowdStrike Falcon Sensor uses the native install.log to document install information.

  1. From the Apple menu, click Go and then select Go to Folder.
  2. Type /var/log and then click Go.
  3. Copy install.log to a readily available location for further investigation.

Note: Dell Technologies recommends searching for "CrowdStrike" to ensure that the information is relevant to CrowdStrike.

Product

It is recommended to Enable verbosity and then reproduce the issue before the Capture of product logs. Once the issue is resolved, it is recommended to Disable verbosity. Click the appropriate process for more information.

Enable

Warning:
  • Dell Technologies recommends enabling verbosity only when troubleshooting an issue.
  • Dell Technologies recommends disabling verbosity after the issue is resolved.
  • Endpoints may experience performance degradation while verbosity is enabled.

  1. Log in to the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.
  3. Double-click Terminal.
  4. In Terminal, type sudo sysctl cs.feature=3 and then press Enter.
  5. Populate the password for sudo, and then press Enter.
  6. Confirm cs.feature=3.

Note: Once logging is enabled, reproduce the issue.

Capture

  1. Log in to the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.
  3. Double-click Terminal.
  4. In Terminal, type sudo /Library/CS/falconctl diagnose and then press Enter.
  5. Populate the password for sudo, and then press Enter.
  6. After several minutes, falconctl_diagnose.tgz will be generated in /private/tmp.

Disable

  1. Log in to the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.
  3. Double-click Terminal.
  4. In Terminal, type sudo sysctl cs.feature=0 and then press Enter.
  5. Populate the password for sudo, and then press Enter.
  6. Confirm cs.feature=0.

Linux

  1. Log in to the affected endpoint.
  2. Open the Linux Terminal.

Note: The user interface (UI) layout may differ between Linux distributions.

  3. In Terminal, type su root and then press Enter.
  4. Populate the password for sudo, and then press Enter.
  5. Type sudo mkdir /tmp/CrowdStrike and then press Enter.

Note: The example /tmp/CrowdStrike directory can be modified in your environment.

  6. Type sudo grep falcon /var/log/messages > /tmp/CrowdStrike/log_messages.txt and then press Enter.
  7. Type sudo grep falcon /var/log/syslog > /tmp/CrowdStrike/log_syslog.txt and then press Enter.
  8. Type sudo grep falcon /var/log/rsyslog > /tmp/CrowdStrike/log_rsyslog.txt and then press Enter.
  9. Type sudo grep falcon /var/log/daemon > /tmp/CrowdStrike/log_daemon.txt and then press Enter.

Note: Linux distributions may not have all listed directories.

  10. Capture all output files within /tmp/CrowdStrike (Step 5) using SSH.

Note:
  • By default, SSH is disabled on Linux distributions.
  • Once SSH is enabled, third-party software (such as PuTTY) can be used to connect to the Linux endpoint.
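
The Linux collection steps above as one script, added here as an example (not Dell or CrowdStrike code): it skips log files that a distribution lacks and keeps the output directory owner-only, since /tmp is shared between users. The function name, its two directory arguments, and the sample log lines are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Dell or CrowdStrike code. The function name and its
# arguments are hypothetical; paths and the "falcon" pattern are the page's.

# collect_falcon_logs [LOG_DIR] [OUT_DIR]: prints how many log files were filtered.
collect_falcon_logs() {
    log_dir=${1:-/var/log}
    out_dir=${2:-/tmp/CrowdStrike}
    collected=0

    # /tmp is shared between users, so keep the collected lines owner-only.
    ( umask 077 && mkdir -p "$out_dir" ) || return 1
    chmod 700 "$out_dir" || return 1

    for name in messages syslog rsyslog daemon; do
        src="$log_dir/$name"
        # Not every distribution has every file: skip it instead of failing.
        if [ ! -r "$src" ]; then
            echo "skip: $src is missing or unreadable" >&2
            continue
        fi
        rc=0
        ( umask 077 && grep falcon "$src" > "$out_dir/log_$name.txt" ) || rc=$?
        # grep exits 1 on "no match" (an empty file is a valid result); >1 is an error.
        if [ "$rc" -gt 1 ]; then
            echo "error: grep failed on $src" >&2
            return 1
        fi
        collected=$((collected + 1))
    done
    echo "$collected"
}

# Constructed sample logs so the example runs offline; on an endpoint, call
# collect_falcon_logs with no arguments as root instead.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/log"
cat > "$demo_dir/log/messages" <<'EOF'
Feb  1 10:00:01 host1 falcon-sensor[812]: constructed sample line
Feb  1 10:00:02 host1 sshd[900]: constructed unrelated line
EOF
cat > "$demo_dir/log/syslog" <<'EOF'
Feb  1 10:00:03 host1 cron[77]: constructed unrelated line
EOF
demo_count=$(collect_falcon_logs "$demo_dir/log" "$demo_dir/out")
echo "filtered $demo_count file(s) into $demo_dir/out"
```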

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

CrowdStrike
Article Properties
Article Number: 000178209
Article Type: Solution
Last Modified: 01 Feb 2024
Version: 17