You can collect diagnostic data logs using the sensordiags.exe tool.
Each collection overwrites the previous collection. If you must collect multiple diagnostics, move the current collection to a directory that is outside the C:\Windows\CarbonBlack\Diags path.
If the server has diagnostic collection enabled under Shared Settings, the sensor automatically sends any logs from C:\Windows\CarbonBlack\diags\. If the upload succeeds, they are deleted locally.
Prerequisites
Requirements:
- Carbon Black EDR Windows sensors 6.2.2 and later
- Microsoft .NET 4.5 and later
Procedure
- Open a command prompt window as Administrator.
- Change directory to C:\Windows\CarbonBlack.
- Run the diagnostic tool:
sensordiag.exe --type CDE
Where type is:
C: Crash - Returns crash reports for Carbon Black user-mode service.D: Diagnostics - Returns information about the sensor. Includes the contents of all subfolders of C:\Windows\CarbonBlack, and install information and metadata about the sensor driver status.E: Environment - Collects system-wide information through WMI queries.
Command line switches:
-type This is the only mandatory parameter. Must be some combination of C,D, and E. For example: sensordiag --type CE-startdate yyyy-mm-dd [hh:mm:ss] Only collects logs modified after a certain date/time. For example: sensordiag --type CE --startdate 2019-02-04 09:00:00-enddate yyyy-mm-dd [hh:mm:ss] Only collects logs modified before a certain date/time. This parameter can be used in conjunction with the startdate parameter. Example: sensordiag --type CE --enddate 2019-02-10-remember Only collects logs modified since the last sensordiags was run. You cannot use startdate or enddate together with remember. Example: sensordiag --type CDE -remember-output C:\path\to\diag - Set the output directory to an alternative to the working directory.
- Collect the C:\Windows\CarbonBlack\diags\<filename>.zip file.
- Send the diagnostic files to Broadcom Carbon Black Support using CBVault.
