跳转至主要内容
  • 快速、轻松地下订单
  • 查看订单并跟踪您的发货状态
  • 创建并访问您的产品列表

How to Collect CrowdStrike Falcon Sensor Logs

摘要: Learn how to collect CrowdStrike Falcon Sensor logs for troubleshooting. Step-by-step guides are available for Windows, Mac, and Linux.

本文适用于 本文不适用于 本文并非针对某种特定的产品。 本文并非包含所有产品版本。

症状

This article discusses the methods for collecting logs for the CrowdStrike Falcon Sensor.


Affected Products:

  • CrowdStrike Falcon Sensor

Affected Operating Systems:

  • Windows
  • Mac
  • Linux

原因

Not applicable

解决方案

It is highly recommended to collect logs before troubleshooting CrowdStrike Falcon Sensor or contacting Dell support.

Note: For more information about contacting Dell support, reference Dell Data Security International Support Phone Numbers.

Click Windows, Mac, or Linux for relevant logging information.

A user can troubleshoot CrowdStrike Falcon Sensor on Windows by manually collecting logs for:

  • MSI logs: Used to troubleshoot installation issues.
  • Product logs: Used to troubleshoot activation, communication, and behavior issues.

Click the appropriate logging type for more information.

MSI

  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.

Run

  1. In the Run user interface (UI), type either:
    • If installed by user: %LOCALAPPDATA%\Temp and then click OK.
    • If Installed by auto update: %SYSTEMROOT%\Temp and then click OK.

Run UI

  1. Collect:
    • CrowdStrike Window Sensor_[TIMESTAMP]_[BIT].log
    • CrowdStrike Window Sensor_[TIMESTAMP].log

Image depicts example log files.

Note:
  • [TIMESTAMP] = Date & time of Installation
  • [BIT] = Represents either Agent32 or Agent64

Product

It is recommended to Enable verbosity and then reproduce the issue before the Capture of product logs. Once the issue is resolved, it is recommended to Disable verbosity. Click the appropriate process for more information.

Enable
Warning:
  • Dell Technologies recommends enabling verbosity only when troubleshooting an issue.
  • Dell Technologies recommends disabling verbosity after the issue is resolved.
  • Endpoints may experience performance degradation while verbosity is enabled.
  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.

Run

  1. In the Run user interface (UI), type regedit and then press CTRL+SHIFT+ENTER to run the Registry Editor as an administrator.

Run UI

  1. If User Account Control (UAC) is enabled, click Yes. Otherwise, go to Step 5.

User Account Control prompt

  1. Go to [HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default].

Registry

  1. Double-click AFLAGS.

AFLAGS in the registry

  1. Press Delete, type 03, and then click OK.

Edit Binary Value screen

  1. Click File and then select Exit.

Exiting Registry Editor

Note: Once logging is enabled, reproduce the issue.
Capture
  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.

Run

  1. In the Run user interface (UI), type eventvwr and then click OK.

Run UI

  1. In Event Viewer, expand Windows Logs and then click System.

Windows Logs and System

  1. Right-click the System log and then select Filter Current Log.

Filter Current Log

  1. Set the Source to CSAgent.

Setting Event Source to CSAgent

  1. Right-click the System log and then select Save Filtered Log File As.

Save Filtered Log File As

  1. Change File Name to CrowdStrike_[WORKSTATIONNAME].evtx and then click Save.

Changing file name and saving

Note: Dell Technologies recommends specifying the [WORKSTATIONNAME] in case the issue is happening on multiple endpoints.
Disable
  1. Log in to the affected endpoint.
  2. Right-click the Windows start menu and then select Run.

Run

  1. In the Run user interface (UI), type regedit and then press CTRL+SHIFT+ENTER to run the Registry Editor as an administrator.

Run UI

  1. If User Account Control (UAC) is enabled, click Yes. Otherwise go to Step 5.

User Account Control prompt

  1. Go to [HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default].

Registry

  1. Press Delete, type 0, and then click OK.

Edit Binary Value

  1. Click File and then select Exit.

Exiting the registry

A user can troubleshoot CrowdStrike Falcon Sensor on Mac by collecting:

  • Install logs: Used to troubleshoot installation issues.
  • Product logs: Used to troubleshoot activation, communication, and behavior issues.

Click the appropriate log type for more information.

Install

CrowdStrike Falcon Sensor uses the native install.log to document install information.

  1. From the Apple menu, click Go and then select Go to Folder.

Go to Folder

  1. Type /var/log and then click Go.

Go to Folder UI

  1. Copy Install.log to a readily available location for further investigation.

install.log

Note: Dell Technologies recommends searching for "CrowdStrike" to ensure that the information is relevant to CrowdStrike.

Product

It is recommended to Enable verbosity and then reproduce the issue before the Capture of product logs. Once the issue is resolved, it is recommended to Disable verbosity. Click the appropriate process for more information.

Enable
Warning:
  • Dell Technologies recommends enabling verbosity only when troubleshooting an issue.
  • Dell Technologies recommends disabling verbosity after the issue is resolved.
  • Endpoints may experience performance degradation while verbosity is enabled.
  1. Log in to the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.

Utilities

  1. Double-click Terminal.

Terminal

  1. In Terminal, type sudo sysctl cs.feature=3 and then press Enter.
  2. Populate the password for sudo, and then press Enter.

Terminal populating sudo password

  1. Confirm cs.feature=3.

Terminal UI

Note: Once logging is enabled, reproduce the issue.
Capture
  1. Log in to the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.

Utilities

  1. Double-click Terminal.

Terminal

  1. In Terminal, type sudo /Library/CS/falconctl diagnose and then press Enter.
  2. Populate the password for sudo, and then press Enter.

Terminal populating the sudo password

  1. After several minutes, falconctl_diagnose.tgz will be generated in /private/tmp.
Disable
  1. Log in to the affected endpoint.
  2. In the Apple menu, click Go and then select Utilities.

Utilities

  1. Double-click Terminal.

Terminal

  1. In Terminal, type sudo sysctl cs.feature=0 and then press Enter.
  2. Populate the password for sudo, and then press Enter.

Terminal populating the sudo password

  1. Confirm cs.feature=0.

Terminal UI

  1. Log in to the affected endpoint.
  2. Open the Linux Terminal.

Terminal

Note: The user interface (UI) layout may differ between Linux distributions.
  1. In Terminal, type su root and then press Enter.
  2. Populate the password for sudo, and then press Enter.

Terminal populating sudo password

  1. Type sudo mkdir /tmp/CrowdStrike and then press Enter.

Terminal making directory

Note: The example /tmp/CrowdStrike directory can be modified in your environment.
  1. Type sudo grep falcon /var/log/messages > /tmp/CrowdStrike/log_messages.txt and then press Enter.
  2. Type sudo grep falcon /var/log/syslog > /tmp/CrowdStrike/log_syslog.txt and then press Enter.
  3. Type sudo grep falcon /var/log/rsyslog > /tmp/CrowdStrike/log_rsyslog.txt and then press Enter.
  4. Type sudo grep falcon /var/log/daemon > /tmp/CrowdStrike/log_daemon.txt and then press Enter.

Terminal UI

Note: Linux distributions may not have all listed directories.
  1. Capture all output files within /tmp/CrowdStrike (Step 5) using SSH.

Terminal capturing output

Note:
  • By default, SSH is disabled on Linux distributions.
  • Once SSH is enabled, third-party software (such as PuTTY) can be used to connect to the Linux endpoint.

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

受影响的产品

CrowdStrike
文章属性
文章编号: 000178209
文章类型: Solution
上次修改时间: 01 2月 2024
版本:  17
从其他戴尔用户那里查找问题的答案
支持服务
检查您的设备是否在支持服务涵盖的范围内。