How to Collect VMware Carbon Black Endpoint Sensor Logs Using Live Response

Summary: VMware Carbon Black Endpoint Sensor logs may be collected remotely with Live Response by following these instructions.


Symptoms

How to collect VMware Carbon Black Endpoint and Carbon Black Defense logs remotely using the Live Response Feature in the VMware Carbon Black Cloud Console.


Affected Products:

  • VMware Carbon Black Endpoint

Affected Versions:

  • v3.4 and Later

Affected Operating Systems:

  • Windows

Cause

Not applicable

Resolution

VMware Carbon Black Cloud's Live Response feature is a method to collect sensor logs remotely from Microsoft Windows endpoints to provide to support for troubleshooting.

Ensure that the Live Response policy is enabled for the endpoint. The default setting is Disabled.

To collect logs using Live Response, an administrator must first Enable Policy, Run Live Response, and then Download Logs. Click the appropriate action for more information.

Note: This article focuses on how to collect logs using the Live Response feature. For more information about how to collect logs manually for all operating systems, reference How to Collect Logs for the VMware Carbon Black Cloud Endpoint Sensor.

Enable Policy

To verify that the policy is enabled:

  1. In a web browser, go to [REGION].conferdeploy.net.
     Note: [REGION] = Region of tenant
  2. Sign In to the VMware Carbon Black Cloud.
  3. In the left menu pane, click Enforce.
  4. Click Policies.
  5. Select a policy.
  6. Click the Sensor tab and verify that Enable Live Response is selected.

Run Live Response

Running Live Response differs based on the version of VMware Carbon Black Cloud Endpoint Sensor. Click the appropriate version for more information.

Note: For more information about identifying the version, reference How to Identify the VMware Carbon Black Cloud Endpoint Sensor Version.

To use Live Response with version 3.6 and later:

  1. In the left menu pane, click Endpoints.
  2. In the All Sensors user interface (UI):
    1. Locate the appropriate Device Name.
    2. Click the drop-down box under Actions.
    3. Click Live Response.
  3. Once Live Response connects, type cd c:\program files\confer and then press Enter.
  4. Type execfg cmd /c repcli capture "[PATH]" and then press Enter. This runs the RepCLI Utility to capture logging.
     Note: [PATH] = The absolute path of the log destination folder

Once the capture is complete, a prompt indicates that captured logs are placed in the specified destination folder with a file name of psc_sensor.zip.

Note: This may take several minutes, depending on the network bandwidth for both the endpoint that logs are being captured on and the device receiving the files.

To use Live Response with version 3.4 to 3.5:

  1. In the left menu pane, click Endpoints.
  2. In the All Sensors user interface (UI):
    1. Locate the appropriate Device Name.
    2. Click the drop-down box under Actions.
    3. Click Live Response.
  3. Once Live Response connects, type cd c:\program files\confer and then press Enter.
  4. Type execfg repcli capture and then press Enter. This runs the RepCLI Utility to capture logging.

Once the capture is complete, a prompt indicates that captured logs are placed in C:\Windows\Temp\cb-temp with a file name of psc_sensor.zip.

Note: This may take several minutes, depending on the network bandwidth for both the endpoint that logs are being captured on and the device receiving the files.

Download Logs

To download logs:

  1. Type cd C:\Windows\Temp\cb-temp and then press Enter.
     Note: If only the confer.log is required, it can be directly collected by browsing to C:\Program Files\Confer, typing get confer.log, and then pressing Enter.
  2. Type get psc_sensor.zip and then press Enter.
  3. The file downloads to your local computer with an alphanumeric filename. Rename the file to add a .zip extension.
     Note:
       • Example alphanumeric filename: 36355d97-18f4-416e-be8f-473bda7c30fb.
       • Example renamed filename: SensorCapture.zip.
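
Because the transfer can take several minutes and the file arrives without an extension, it is worth confirming that the download is a complete ZIP archive before renaming it and sending it to support. The Python sketch below is an added example, not part of the original article or any VMware/Dell tooling; the function names and the contents of the sample archive are constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def finalize_capture(downloaded: Path, new_name: str = "SensorCapture.zip") -> dict:
    """Validate a Live Response download, then rename it with a .zip extension.

    Returns the new path, SHA-256 and member list; raises ValueError if the
    file is not a complete ZIP archive (for example, an interrupted transfer).
    """
    if not zipfile.is_zipfile(downloaded):
        raise ValueError(f"{downloaded} is not a ZIP archive; repeat the get command")

    with zipfile.ZipFile(downloaded) as archive:
        corrupt = archive.testzip()  # first member failing its CRC check, or None
        if corrupt is not None:
            raise ValueError(f"member {corrupt!r} failed its CRC check")
        members = archive.namelist()

    # Hash before renaming so the digest can be recorded with the support case.
    sha256 = hashlib.sha256(downloaded.read_bytes()).hexdigest()

    target = downloaded.with_name(new_name)
    if target.exists():
        raise FileExistsError(f"{target} already exists; choose another name")
    downloaded.rename(target)
    return {"path": target, "sha256": sha256, "members": members}


def make_constructed_capture(directory: Path) -> Path:
    """Build a stand-in download (constructed data, not real sensor output)."""
    # File name is the example alphanumeric name quoted in the article.
    path = directory / "36355d97-18f4-416e-be8f-473bda7c30fb"
    with zipfile.ZipFile(path, "w") as archive:
        # Member name and content are assumptions for the demo only.
        archive.writestr("confer.log", "constructed sample log line\n")
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        info = finalize_capture(make_constructed_capture(Path(tmp)))
        print(info["path"].name, info["sha256"], info["members"])
```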

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

VMware Carbon Black
Article Properties
Article Number: 000175263
Article Type: Solution
Last Modified: 03 Feb 2023
Version: 18