You can collect diagnostic data logs using the sensordiag.exe tool.

Each collection overwrites the previous collection. If you must collect multiple diagnostics, move the current collection to a directory that is outside the C:\Windows\CarbonBlack\Diags path.

If the server has diagnostic collection enabled under Shared Settings, the sensor automatically sends any logs from C:\Windows\CarbonBlack\diags\. If the upload succeeds, they are deleted locally.

Prerequisites

Requirements:

  • EDR Windows sensors 6.2.2 and later
  • Microsoft .NET 4.5 and later

Procedure

  1. Open a command prompt window as Administrator.
  2. Change directory to C:\Windows\CarbonBlack.
  3. Run the diagnostic tool:
    sensordiag.exe --type CDE
    Where type is:
    • C: Crash - Returns crash reports for the Carbon Black user-mode service.
    • D: Diagnostics - Returns information about the sensor. Includes the contents of all subfolders of C:\Windows\CarbonBlack, plus install information and metadata about the sensor driver status.
    • E: Environment - Collects system-wide information through WMI queries.
    Command line switches:
    • --type This is the only mandatory parameter. Must be some combination of C, D, and E. For example: sensordiag --type CE
    • --startdate yyyy-mm-dd [hh:mm:ss] Only collects logs modified after a certain date/time. For example: sensordiag --type CE --startdate 2019-02-04 09:00:00
    • --enddate yyyy-mm-dd [hh:mm:ss] Only collects logs modified before a certain date/time. This parameter can be used in conjunction with the --startdate parameter. Example: sensordiag --type CE --enddate 2019-02-10
    • --remember Only collects logs modified since the last time sensordiag was run. You cannot use --startdate or --enddate together with --remember. Example: sensordiag --type CDE --remember
    • --output C:\path\to\diag Sets the output directory to an alternative to the working directory.
  4. Collect the C:\Windows\CarbonBlack\diags\<filename>.zip file.
  5. Send the diagnostic files to VMware Carbon Black Support using CBVault.
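The procedure above wrapped in a PowerShell script, as an added example that is not part of the VMware documentation: it validates the --type letters, refuses --remember in combination with the date switches, runs the tool from C:\Windows\CarbonBlack, and moves the resulting zip out of the Diags folder so that the next run or a server-side auto-upload cannot remove the only copy. The double-dash switch spelling follows the page's own examples, and the archive location C:\DiagArchive is an assumed placeholder.

```powershell
# Added example, not VMware's own code. Assumes sensordiag.exe lives in
# C:\Windows\CarbonBlack and writes its zip to C:\Windows\CarbonBlack\Diags
# (both as stated on the page); C:\DiagArchive is a placeholder of our choosing.
param(
    [Parameter(Mandatory)] [ValidatePattern('^[CDE]{1,3}$')] [string]$Type,   # e.g. CDE, CE
    [string]$StartDate,            # yyyy-mm-dd [hh:mm:ss]
    [string]$EndDate,              # yyyy-mm-dd [hh:mm:ss]
    [switch]$Remember,             # only logs changed since the last run
    [string]$ArchiveRoot = 'C:\DiagArchive'
)

$ErrorActionPreference = 'Stop'
$cbDir   = 'C:\Windows\CarbonBlack'
$diagDir = Join-Path $cbDir 'Diags'
$tool    = Join-Path $cbDir 'sensordiag.exe'

# The tool reads protected sensor folders, so fail early if not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) session.'
}

# --remember is mutually exclusive with --startdate / --enddate.
if ($Remember -and ($StartDate -or $EndDate)) {
    throw '--remember cannot be combined with --startdate or --enddate.'
}

# Build the argument list; a date with a time part is passed as two tokens,
# matching the documented form "--startdate 2019-02-04 09:00:00".
$toolArgs = @('--type', $Type)
if ($StartDate) { $toolArgs += @('--startdate') + ($StartDate -split '\s+') }
if ($EndDate)   { $toolArgs += @('--enddate')   + ($EndDate   -split '\s+') }
if ($Remember)  { $toolArgs += '--remember' }

# Step 2/3 of the procedure: run from the sensor directory.
Push-Location $cbDir
try {
    & $tool @toolArgs
    if ($LASTEXITCODE -ne 0) { throw "sensordiag.exe exited with code $LASTEXITCODE" }
} finally {
    Pop-Location
}

# Each collection overwrites the previous one, and a server with diagnostic
# upload enabled deletes the local copy after upload, so keep a copy elsewhere.
$dest = Join-Path $ArchiveRoot ("{0}-{1}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Get-ChildItem -Path $diagDir -Filter '*.zip' | Move-Item -Destination $dest
Get-ChildItem -Path $dest   # lists the archived zip(s) ready for CBVault
```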