We need to collect SentinelOne Agent diagnostic logs from inside the SentinelOne console.
1. In the sidebar, click Sentinels.
2. Click the Agent (Endpoint Details loads).
3. Click Actions > Troubleshooting > Fetch Logs.
4. In the Fetch Logs window, select one or both of the options and click Fetch Logs.
NOTE: For Windows logs, select both options.
- Agent logs: Get information about the selected Agent’s operations. The default is enabled.
From Windows Agent 4.6, fetching Agent logs includes the Agent Activity Analyzer report.
- Endpoint logs: Get endpoint data. These logs are not encrypted and can be useful for customer troubleshooting. This option is available from Management Version Iguazu and works with Windows Agent version 3.6+. The default is disabled.
NOTE: If you select this option for an endpoint with a macOS or Linux Agent, or with a Windows Agent of a version earlier than 3.6, the Agent fetches Agent logs.
Download the Logs:
- In the sidebar, click Activity.
- In the Activity view, click Administrative and select Log operations.
- Tip: From version Queensland, use the search to find the option easily.
- The results show entries with this syntax: Agent <name> successfully uploaded <file>.tar.gz
- Select an entry and click the Download button.
Data that is collected:
- VM yes/no check
- Internet connection status
- Directory listing for ProgramFiles and ProgramData Sentinel folder + PRDB folder size
- SentinelCtl status+config
- FLTMC output
- Net config workstation and server
- IPConfig /all and route print
- Local DNS cache dump
- SC query for Sentinel Agent and monitor
- netsh full dump and proxy information
- Net statistics
- Local FW export
- msinfo32 full export
- Windows event viewer files
- Local machine certificates listing
- Agent log files
- Agent asset files
- VSS tool output
- Full list of installed applications