top of page
Search

Sensor Troubleshooting Guide

  • Writer: Pavan Raja
    Pavan Raja
  • Apr 9, 2025
  • 2 min read

Summary:

The document provides a troubleshooting guide for CarbonBlack sensor version CB v4.1.5.140410.2152, dated April 10, 2014. Key points include the following steps and checks for basic installation, registry settings confirmation, and additional sensor control using command line tools: Installation: - Install CarbonBlack sensor in %WINDIR%\CarbonBlack\ by ensuring the directory exists. - Verify presence of installation logs at %WINDIR%\CarbonBlack\InstallLogs\. - Confirm the current sensor log at %WINDIR%\CarbonBlack\Sensor.log for errors. - Check registry settings under HKLM\Software\CarbonBlack\Config, verifying typical configurations. Additional Sensor Control: - Use 'sc control carbonblack ' with CONTROLCODE 200 to attempt a connection and 201 to dump diagnostic data. - Control code 201 triggers logs including EventConverter.log, EventLogger.log, NetConnEvents.log, RawEventStats.log, and SensorComms.log. Debugging Sensor Communications: - After issuing 'sc control carbonblack 201', check %WINDIR%\CarbonBlack\Diagnostics for a populated SensorComms.log file. - This log contains data with columns like Time (UTC), URL used, HRESULT result, Code, and DurationMs in milliseconds, aiding in sensor to server communication troubleshooting.

Details:

The document outlines the troubleshooting process for CarbonBlack sensor version CB v4.1.5.140410.2152, dated April 10, 2014. It covers basic installation steps and provides details on how to confirm the presence of necessary files, check registry settings, and perform additional sensor control using command line tools. Installation:

  • The CarbonBlack sensor should be installed in the default directory %WINDIR%\CarbonBlack\. Ensure this directory exists.

  • Verify the presence of installation logs at %WINDIR%\CarbonBlack\InstallLogs\, reviewing the latest log for errors.

  • Confirm the presence of the current sensor log at %WINDIR%\CarbonBlack\Sensor.log and review it for any errors.

  • Check the registry settings under HKLM\Software\CarbonBlack\Config, which should include typical configurations as depicted in a figure.

Additional Sensor Control:

  • Use the command 'sc control carbonblack ' to perform additional sensor control functions. Two supported control codes are 200 (to trigger a connection attempt to the CarbonBlack server) and 201 (to trigger a dump of diagnostic data to %WINDIR%\CarbonBlack\Diagnostics).

  • Control code 201 will generate logs including EventConverter.log, EventLogger.log, NetConnEvents.log, RawEventStats.log, and SensorComms.log.

Debugging Sensor Communications:

  • After issuing the 'sc control carbonblack 201' command, check the %WINDIR%\CarbonBlack\Diagnostics directory for a populated SensorComms.log file. This log contains data in a specific format with columns such as Time (UTC), URL used, HRESULT result of the operation, Code (result processed code which can vary based on HRESULT source), and DurationMs in milliseconds.

  • These logs help troubleshoot errors in sensor to server communication.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and will be responded.

Recent Posts

See All
Zeus Bot Use Case

Summary: "Zeus Bot Version 5.0" is a document detailing ArcSight's enhancements to its Zeus botnet detection capabilities within the...

 
 
 
Windows Unified Connector

Summary: The document "iServe_Demo_System_Usage_for_HP_ESP_Canada_Solution_Architects_v1.1" outlines specific deployment guidelines for...

 
 
 

Comments

@2021 Copyrights reserved.

bottom of page