Live Response activity is logged on both the Carbon Black EDR server running Live Response and the sensors that it accesses.
For any sensor that is accessed by Live Response, commands executed during the session are logged in the sensor.log file, which is located in the Carbon Black EDR sensor installation folder on the endpoint.
On the Carbon Black EDR server, Live Response activity can be reviewed in the following files:
- /var/log/cb/liveresponse/debug.log – Begin troubleshooting a Live Response issue here. This log contains debug information that is related to the functional operation of the Live Response components and communication between sensor and server.
- /etc/cb/liveresponse-logger.conf – You can change the level of information in the debug.log .
- /var/log/cb/audit/live-response.log – This file audits Live Response activity. It keeps a log of all commands that are executed on an endpoint, the sensor ID, IP address, and hostname of the endpoint, and the username and account of the user who executed each command.
- /var/cb/data/liveresponse – This directory stores “get” and “put” files. It also contains the output of all executed commands. For example, if you perform a process listing, the list goes into this directory in JSON format. If you download a file (for example, using the archive command), it appears in this directory (under
/tmp
) and on the host that is running the Carbon Black EDR browser.
You can change the length of time that Live Response data is retained by editing the CbLrDefaultSessionTTLDays
parameter in the cb.conf file. By default, this setting is 7 days. See the VMware Carbon Black EDR Server Configuration Guide.