Sensor Comms Failures & Error Codes

Summary:

This document provides an explanation of Carbon Black sensor communication failures, detailing how to access detailed information about these errors. The most common encountered error codes are explained in terms of HRESULTs and their associated facilities, including Win32 (7), Curl (200-205), ZIP (202), CB (205), and HTTP (25). Specific examples include 10061 (RST by server) and timeouts as errors 10060. Detailed steps are given for accessing the sensor's communication log on a Windows host computer, and how to interpret these errors on the Enterprise Server through its Web UI.

Details:

The Carbon Black sensor, used for communicating with a Carbon Black Enterprise server, records communication failures and uploads them upon successful connection. This document aims to make these error codes more understandable by providing explanations for the most commonly encountered ones. To access detailed information about sensor communications, follow these steps from the Windows sensor host computer: 1. Open an elevated command prompt. 2. Navigate to the %WINDIR%\CarbonBlack directory and trigger the Carbon Black sensor service to dump its communication log to a file using "sc control carbonblack 201". 3. Navigate to the Carbon Black sensor diagnostics directory and open the 'SensorComms.log' file with a text editor. On the Enterprise Server, you can view the communications error codes associated with a particular host through its detail page in the Web UI under "Sensor Comms Failures". Error codes are represented by HRESULTs, which consist of three fields: Severity, Facility, and Error. The Severity is determined by whether the code starts with 8 or C (error), and Facilities include Win32 (7), Curl (200-205), ZIP (202), CB (205), and HTTP (25). The table of sensor error facilities includes: FACILITY_WIN32 (7) for Windows errors, FACILITY_CURL (200) for Curl HTTPS communication issues, FACILITY_CURLF (201) for Curl form errors, FACILITY_ZIP (202) for zip errors, FACILITY_CB (205) for Carbon Black specific errors, and FACILITY_HTTP (25) for HTTP errors. The table of sensor communication errors lists various HRESULTs with their class code and description: 0x8007274d indicates Win32 error 10061 (RST by server), 0x8007274c means a timeout (no response on connection attempt, also Win32 error 10060), and other codes relate to Curl errors such as SSL certificate not recognized (60) or DNS name resolution issues (6).