The user mode portion of the sensor creates an execution log in the following locations.
- For a version 6.2.x or higher Linux sensor:
/var/opt/carbonblack/response/log/cbdaemon.log
When the current log file reaches a size threshold (currently 100MB), it rolls over to cbdaemon1.log and a new cbdaemon.log is started. You might see log files named cbdaemon[1-5].log, with cbdaemon5.log being the oldest.
- For a version 6.1.x Linux sensor:
/var/log/cbsensor/cbdaemon.INFO
This log file is a symbolic link that is recreated each time the daemon runs. The default log level is set to WARNING. This results in the generation of log files for WARNING and ERROR levels:
/var/log/cbsensor/cbdaemon.WARNING
/var/log/cbsensor/cbdaemon.ERROR
- The kernel module logs messages to /var/log/messages.
Issue this command in a terminal to dump kernel messages in real time:
sudo tail -f /var/log/messages | grep CbSensor
- For RHEL8.x/SUSE/Ubuntu, an ebpfdaemon error log file exists that you can check: /tmp/cbebpf_error.log.
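
The following shell script is an added example, not part of the original documentation or the vendor's tooling. It lists whichever of the log files above exist, oldest rollover first, and prints the CbSensor kernel lines already written; the function names and the optional root-prefix argument are assumptions of this example.

```sh
#!/bin/sh
# Added example (not vendor code). Paths and the "CbSensor" tag are from the
# page above; the optional root-prefix argument is an assumption of this
# example so the functions can run against a mounted or extracted copy.

# Print existing user-mode sensor logs, oldest first within each layout.
cb_sensor_logs() {
    root="${1:-}"
    new_dir="$root/var/opt/carbonblack/response/log"   # 6.2.x or higher
    old_dir="$root/var/log/cbsensor"                    # 6.1.x

    # Rollover files: cbdaemon5.log is the oldest, cbdaemon.log is current.
    for n in 5 4 3 2 1 ""; do
        f="$new_dir/cbdaemon$n.log"
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done

    # cbdaemon.INFO is a symlink; -f follows it, so a dangling link is skipped.
    for level in INFO WARNING ERROR; do
        f="$old_dir/cbdaemon.$level"
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done

    # ebpfdaemon error log (RHEL8.x/SUSE/Ubuntu).
    f="$root/tmp/cbebpf_error.log"
    if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    return 0
}

# Print kernel-module lines already written to /var/log/messages (no follow).
# Reading the live file usually needs root; the page's command uses sudo.
cb_kernel_lines() {
    f="${1:-}/var/log/messages"
    if [ -r "$f" ]; then grep -- 'CbSensor' "$f" || true; fi
    return 0
}

# Usage: sh cb_logs.sh list [root]   or   sh cb_logs.sh kernel [root]
case "${1:-}" in
    list)   cb_sensor_logs "${2:-}" ;;
    kernel) cb_kernel_lines "${2:-}" ;;
esac
```
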