The following table shows the Carbon Black EDR server logs in /var/log/cb that are organized into subdirectories by component.

Component

Description

allianceclient

The Alliance client communicates with the Carbon Black EDR Alliance server.

audit

Contains log files for the following activities: banning, sensor isolation, and live response. If EnableExtendedApiAuditLogging is enabled in cb.conf , this directory also includes a user activity log file based on user-generated API calls in the console.

cbfs

Was the location of the datastore engine in earlier versions of Carbon Black EDR, but is no longer used in versions 5.0.0 and later.

cbfs-http

Contains log files of the second generation Java datastore engine.

cli

Contains events pertaining to the Carbon Black EDR service commands used at the server console level.

coreservices

Provides access to functionality via web APIs to both the web interface and sensors. Nearly all interface issues should result in log entries for coreservices.

sensorservices

Provides entry-point for sensor registrations and checkins. Look for issues here if there are problems with sensor connectivity

datastore

Used for core event data processing and managing incoming sensor data.

enterprise

Used for event logging of the Carbon Black EDR service.

job-runner

The Carbon Black EDR server uses cron jobs to provide various scheduled maintenance, data trimming, and similar tasks.

liveresponse

Used to hold Live Response session-related events.

nginx

The reverse proxy and SSL termination point for the Carbon Black EDR server.

notifications

The location of the syslog output for feeds and watchlists.

pgsql

The Carbon Black EDR server uses Postgres SQL to store administrative data. Event data gathered from the sensors is not stored in Posgres.

rabbitmq

The logging location for the rabbitmq component of the Carbon Black EDR server.

redis

The logging location for the redis component of the Carbon Black EDR server.

services

The logging location for the start/stop services of the Carbon Black EDR server.

solr

Used for indexes and stores data.

supervisord

The supervisord process utility is used to manage Carbon Black EDR server processes, handling startup and shutdown dependencies between the various server components and services.

The following table shows the diagnostic scripts found in/usr/share/cb.

Component

Description

cbbanning

Assists in managing the Carbon Black EDR server banning features. To get a list of available commands, run this command:

cbbanning commands

cbstats

This utility provides access to the statistics collected by the Carbon Black EDR server.

cbsyslog

Provides an interface for testing Carbon Black EDR’s notifications syslog output.

cbpost

This utility is used to send file(s) to the Alliance server; typically used during interaction with Carbon Black Technical Support.

py_runtime_info

Generates a runtime report that shows the stack trace, process memory map, and open file descriptors for the running Carbon Black EDR processes.

cbfeed_scrubber

Helps clean up feed tags on existing Solr documents.

cbinit

Used to configure a combination of initial settings during a Carbon Black EDR server installation.

cbdiag

Dumps verbose troubleshooting information, including logs and configuration, to a gzip archive. This file can be analyzed offline or provided to Carbon Black with support requests.

sql_stats

Contains outputs of various SQL database statistics; typically used during troubleshooting.

cbsolr

Used for indexes and stores data.

cbget

This utility is used to download or list files from Alliance server; typically used during interaction with Carbon Black Technical Support.

sensor_report

Generates a report that shows the status of every sensor communicating with Carbon Black EDR server. Optionally, it can be used to identify specific sensors that might require the attention of IT support personnel.

cbcheck

Assists in troubleshooting Carbon Black EDR server installation. To get a list of available commands, run this command:

cbcheck commands

to learn more about a specific command, run this command:

cbcheck <command> -h

cbcluster

Used to manage clusters (not a diagnostic tool).

cb_rabbitmq-server.sh

This is a system utility and should never be run manually.

cbrabbitmqctl

A command-line interface that provides access to the Carbon Black EDR rabbitmq service.

pgsql_diag.sh

Prints diagnostic info about the CBER Postgres database

cbpasswd

Resets user’s password. Can only be run as root.