The following table shows the Carbon Black EDR server logs in /var/log/cb that are organized into subdirectories by component.
| Component |
Description |
|---|---|
| allianceclient |
The Alliance client communicates with the Carbon Black EDR Alliance server. |
| audit |
Contains log files for the following activities: banning, sensor isolation, and live response. If |
| cbfs |
Was the location of the datastore engine in earlier versions of Carbon Black EDR, but is no longer used in versions 5.0.0 and later. |
| cbfs-http |
Contains log files of the second generation Java datastore engine. |
| cli |
Contains events pertaining to the Carbon Black EDR service commands used at the server console level. |
| coreservices |
Provides access to functionality via web APIs to both the web interface and sensors. Nearly all interface issues should result in log entries for coreservices. |
| sensorservices |
Provides entry-point for sensor registrations and checkins. Look for issues here if there are problems with sensor connectivity |
| datastore |
Used for core event data processing and managing incoming sensor data. |
| enterprise |
Used for event logging of the Carbon Black EDR service. |
| job-runner |
The Carbon Black EDR server uses cron jobs to provide various scheduled maintenance, data trimming, and similar tasks. |
| liveresponse |
Used to hold Live Response session-related events. |
| nginx |
The reverse proxy and SSL termination point for the Carbon Black EDR server. |
| notifications |
The location of the syslog output for feeds and watchlists. |
| pgsql |
The Carbon Black EDR server uses Postgres SQL to store administrative data. Event data gathered from the sensors is not stored in Posgres. |
| rabbitmq |
The logging location for the rabbitmq component of the Carbon Black EDR server. |
| redis |
The logging location for the redis component of the Carbon Black EDR server. |
| services |
The logging location for the start/stop services of the Carbon Black EDR server. |
| solr |
Used for indexes and stores data. |
| supervisord |
The supervisord process utility is used to manage Carbon Black EDR server processes, handling startup and shutdown dependencies between the various server components and services. |
The following table shows the diagnostic scripts found in/usr/share/cb.
| Component |
Description |
|---|---|
| cbbanning |
Assists in managing the Carbon Black EDR server banning features. To get a list of available commands, run this command: |
| cbstats |
This utility provides access to the statistics collected by the Carbon Black EDR server. |
| cbsyslog |
Provides an interface for testing Carbon Black EDR’s notifications syslog output. |
| cbpost |
This utility is used to send file(s) to the Alliance server; typically used during interaction with Carbon Black Technical Support. |
| py_runtime_info |
Generates a runtime report that shows the stack trace, process memory map, and open file descriptors for the running Carbon Black EDR processes. |
| cbfeed_scrubber |
Helps clean up feed tags on existing Solr documents. |
| cbinit |
Used to configure a combination of initial settings during a Carbon Black EDR server installation. |
| cbdiag |
Dumps verbose troubleshooting information, including logs and configuration, to a gzip archive. This file can be analyzed offline or provided to Carbon Black with support requests. |
| sql_stats |
Contains outputs of various SQL database statistics; typically used during troubleshooting. |
| cbsolr |
Used for indexes and stores data. |
| cbget |
This utility is used to download or list files from Alliance server; typically used during interaction with Carbon Black Technical Support. |
| sensor_report |
Generates a report that shows the status of every sensor communicating with Carbon Black EDR server. Optionally, it can be used to identify specific sensors that might require the attention of IT support personnel. |
| cbcheck |
Assists in troubleshooting Carbon Black EDR server installation. To get a list of available commands, run this command: to learn more about a specific command, run this command: |
| cbcluster |
Used to manage clusters (not a diagnostic tool). |
| cb_rabbitmq-server.sh |
This is a system utility and should never be run manually. |
| cbrabbitmqctl |
A command-line interface that provides access to the Carbon Black EDR rabbitmq service. |
| pgsql_diag.sh |
Prints diagnostic info about the CBER Postgres database |
| cbpasswd |
Resets user’s password. Can only be run as root. |
