There are options for the Carbon Black EDR initialization file that you can use for daemon debugging.
Debugging Parameters for 6.1.x Sensors
For 6.1.x version sensors, there are options for the Carbon Black EDR initialization file that you can use for daemon debugging. This file is located at /var/lib/cb/sensorsettings.ini.
After you set one or both of the options described below, send SIGHUP to cbdaemon so that it rereads the sensorsettings.ini file and updates the log settings:
$ sudo killall cbdaemon -SIGHUP
The two debugging options are:
- DaemonLogLevel — You can set this to any of the following: Error, Warning, Info, Debug1, Debug2, Debug3, Debug4, Debug5. DaemonLogLevel is not set in the ini file. The default DaemonLogLevel is Warning.
- SensorLogLevel — This option is a string value in the form:
<base level>[/<extra level>[/..]]
where the possible values of <base level> are Error, Warning, Info, and Debug, and the possible values of <extra level> are Hook, Request, Entry, Exit, Comms, and Trace.
In most cases only <base level> will need to be set. If SensorLogLevel is not set in the ini file, the default value is Warning.
- Due to the additional granularity now available in the daemon, many of the debugging messages have been decreased in priority.
- The Info level can provide a good overview of observed events without providing excessive output.
- Some of the log messages are more uniform. The most notable change is that "FILE EVENT" messages now display the type of file event as a string instead of an integer value, for example "FILE_OPEN EVENT" and "FILE_CLOSE EVENT".
Debugging Parameters for 6.2.x Sensors and Later
For sensors at version 6.2.1 and later, use the procedure described above for daemon debugging, with the following changes:
- The initialization file that you edit is in a different location than earlier sensors: /var/opt/carbonblack/response/sensorsettings.ini
- The DaemonLogLevel values were changed for the 6.2.x sensor. The new levels are: None, Error, Warning, Info, and Verbose.
- As of version 6.2.2, SensorLogLevel is no longer a valid option and will be ignored.
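The following shell functions are an added example, not part of the Carbon Black documentation or tooling. They check a proposed DaemonLogLevel or SensorLogLevel value against the values listed above before you edit sensorsettings.ini and send SIGHUP. The function names, the 6.1/6.2 family argument, and exact-case matching are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight validation of log-level values taken from this page.
# Assumption: values are matched with exact case, as they are written above.

# check_daemon_level <family: 6.1|6.2> <value>
# Returns 0 if valid for that sensor family, 1 if not, 2 for an unknown family.
check_daemon_level() {
    case "$1" in
        6.1) allowed="Error Warning Info Debug1 Debug2 Debug3 Debug4 Debug5" ;;
        6.2) allowed="None Error Warning Info Verbose" ;;
        *)   return 2 ;;
    esac
    for lvl in $allowed; do
        [ "$lvl" = "$2" ] && return 0
    done
    return 1
}

# check_sensor_level <value>
# Validates the form <base level>[/<extra level>[/..]].
# As of sensor 6.2.2 the option is ignored, so this only matters for older sensors.
check_sensor_level() {
    value=$1
    case "$value" in
        ''|/*|*/|*//*) return 1 ;;          # empty value or empty segment
    esac
    base=${value%%/*}
    case "$base" in
        Error|Warning|Info|Debug) ;;
        *) return 1 ;;
    esac
    [ "$base" = "$value" ] && return 0      # base level only, the common case
    rest=${value#*/}
    while :; do
        extra=${rest%%/*}
        case "$extra" in
            Hook|Request|Entry|Exit|Comms|Trace) ;;
            *) return 1 ;;
        esac
        [ "$extra" = "$rest" ] && break     # last segment reached
        rest=${rest#*/}
    done
    return 0
}
```

A value such as Debug3 passes check_daemon_level for the 6.1 family but fails for 6.2, which catches a setting carried over unchanged from an older sensor.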