
How to gather support incident information

In Sophos Linux Sensor (SLS), a running sensor's monitoring subsystem can be used to export a full capture of support information collected from the host, the sensor's configuration, and the sensor's internal workings.

Capturing a support archive

To capture a support archive, you must do the following:

  • Install curl
  • Put SLS into debug mode
  • Use curl to capture the support archive

Install curl

Accessing the monitoring subsystem requires an HTTP client. Most distributions package curl, which is used in this guide. It can be installed on Red Hat-based systems by running:

sudo yum install curl

It can be installed on Ubuntu systems by running:

sudo apt-get install curl

Put SLS into debug mode

Run the following from a root shell on the host in question to cause the sensor to enter debug mode:

sudo pkill -SIGUSR2 -f sophoslinuxsensor

This will cause any active sensors running on the system to temporarily enter a debug mode in which support and debugging information is available on the monitoring endpoint for 60 seconds. After that time debug mode turns off again, because the support endpoint can expose sensitive information.

Capture a support archive

Run the following from a root shell on the host in question to cause the sensor to capture support information and write it to a file:

curl -O http://localhost:9010/support.tar && gzip support.tar

This will have the locally running sensor spend 30 seconds gathering host information, sensor configuration, metrics, and profiles on the inner workings of the sensor and then write them to support.tar.
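The three steps above can be scripted so that the capture reliably lands inside the 60-second debug window. The following is an added example, not Sophos tooling from this page: it sends SIGUSR2 to the sensor, fetches support.tar from the localhost:9010 endpoint named on the page with a curl timeout sized to the remaining window, then gzips the archive and restricts its permissions because it carries host and configuration details. The function names, the output directory argument, the `command -v curl` guard and the chmod are my additions.

```shell
#!/bin/sh
# Added example (not Sophos' own tooling): capture the SLS support archive
# inside the 60-second debug window, then compress and lock down the file.
# Assumptions: the sensor's monitoring endpoint is http://localhost:9010 and
# the process matches "sophoslinuxsensor", both as stated on the page.

SLS_BASE_URL="${SLS_BASE_URL:-http://localhost:9010}"
SLS_DEBUG_WINDOW=60   # seconds the sensor stays in debug mode after SIGUSR2

# Seconds of debug window left, given the epoch when SIGUSR2 was sent ($1)
# and the current epoch ($2). Never negative.
sls_seconds_left() {
    left=$((SLS_DEBUG_WINDOW - ($2 - $1)))
    [ "$left" -gt 0 ] && echo "$left" || echo 0
}

# Download one endpoint ($1) to a file ($2) with a hard timeout ($3, seconds).
# Returns 2 if curl is missing, 1 on connection/HTTP errors (partial file
# removed), 0 on success.
sls_fetch() {
    url="$1"; out="$2"; max_time="${3:-55}"
    command -v curl >/dev/null 2>&1 || return 2
    if curl -fsS --max-time "$max_time" -o "$out" "$url"; then
        return 0
    fi
    rm -f "$out"
    return 1
}

# Ask every running sensor to enter debug mode (the page's pkill command).
sls_enter_debug_mode() {
    pkill -SIGUSR2 -f sophoslinuxsensor
}

# Capture support.tar into $1 (default: current directory) and gzip it.
# The sensor spends about 30 s building the archive, so curl is given
# whatever remains of the 60 s window rather than a fixed short timeout.
sls_capture_support() {
    outdir="${1:-.}"
    archive="$outdir/support.tar"
    mkdir -p "$outdir" || return 1
    sls_enter_debug_mode || return 1
    started=$(date +%s)
    sls_fetch "$SLS_BASE_URL/support.tar" "$archive" \
        "$(sls_seconds_left "$started" "$(date +%s)")" || return 1
    gzip -f "$archive" || return 1
    # The archive holds host and sensor configuration details: root only.
    chmod 600 "$archive.gz" || return 1
    echo "$archive.gz"
}

# Usage (as root): sh collect-support.sh /root/sls-support
if [ "$(id -u)" -eq 0 ] && [ -n "${1:-}" ]; then
    sls_capture_support "$1"
fi
```

Run it as root on the affected host; it prints the path of the resulting support.tar.gz. If the fetch fails, the most common cause is that the request started after the debug window had closed, in which case simply run the script again so that the signal and the download happen together.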

SLS CPU and Memory Profiling

SLS is equipped with runtime profiling features that can be used to generate CPU profiles and memory allocation snapshots using Google’s pprof library. See pprof.

Turn debug mode on

To enable profiling you must do one of the following:

  • Run the sensor with the environment variable RUNTIMEDETECTIONS_DEBUG=true set
  • Add debug: true to the /etc/sophos/runtimedetections-rules.yaml config file.

Once debug mode has been turned on, restart SLS with the following command:

systemctl restart sophoslinuxsensor

Generate a Profile

If you have a sensor experiencing memory or CPU issues that you wish to troubleshoot, you can generate a performance profile of that sensor. Performance profiles can be captured at any time by making requests to a local HTTP endpoint.

To capture sample memory allocations of live objects on the heap, run the following command:

curl -s http://localhost:9010/debug/pprof/heap > heap.out

To capture sample CPU usage for 60 seconds and generate a profile, run the following command:

curl -s 'http://localhost:9010/debug/pprof/profile?seconds=60' > profile.out

SLS metrics output

To generate the metric output, run the following command:

curl -s http://localhost:9010/metrics > metrics.out

Note

You don't need to turn on debug mode to collect the metrics output.
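Putting the profiling and metrics commands together, the following is an added example rather than Sophos tooling from this page. It checks whether debug mode is configured (RUNTIMEDETECTIONS_DEBUG=true in the environment or a top-level `debug: true` line in /etc/sophos/runtimedetections-rules.yaml, both from the page), builds the heap, CPU-profile and metrics URLs on the localhost:9010 endpoint the page uses, and fetches each into a timestamped directory. Metrics are fetched even when debug mode is off, matching the note above. The function names, the output layout, the curl timeouts and the chmod are my assumptions; the configuration check only reflects what is on disk, which takes effect after the restart the page describes.

```shell
#!/bin/sh
# Added example (not Sophos' own tooling): collect pprof heap and CPU
# profiles plus the metrics dump from a sensor. Endpoint paths, the config
# file and the debug settings come from the page; the rest is mine.

SLS_BASE_URL="${SLS_BASE_URL:-http://localhost:9010}"
SLS_RULES_FILE="${SLS_RULES_FILE:-/etc/sophos/runtimedetections-rules.yaml}"

# Debug mode is configured if RUNTIMEDETECTIONS_DEBUG=true is set in the
# environment or the rules file ($1) has an uncommented "debug: true" line.
# This reflects the on-disk configuration, which applies after a restart.
sls_debug_enabled() {
    [ "${RUNTIMEDETECTIONS_DEBUG:-}" = "true" ] && return 0
    [ -r "$1" ] && grep -Eq '^debug:[[:space:]]*true[[:space:]]*$' "$1"
}

# URL for one artefact: "heap", "profile" (CPU, sampling for $2 seconds,
# default 60 as on the page) or "metrics". Unknown names fail.
sls_endpoint_url() {
    case "$1" in
        heap)    echo "$SLS_BASE_URL/debug/pprof/heap" ;;
        profile) echo "$SLS_BASE_URL/debug/pprof/profile?seconds=${2:-60}" ;;
        metrics) echo "$SLS_BASE_URL/metrics" ;;
        *)       return 1 ;;
    esac
}

# Download $1 to $2 with a hard timeout of $3 seconds; partial files are
# removed on failure.
sls_fetch() {
    command -v curl >/dev/null 2>&1 || return 2
    if curl -fsS --max-time "${3:-30}" -o "$2" "$1"; then
        return 0
    fi
    rm -f "$2"
    return 1
}

# Collect metrics, a heap snapshot and a CPU profile into $1 (default: a
# timestamped directory), sampling CPU for $2 seconds (default 60).
# The CPU endpoint blocks for the whole sampling period, so its curl
# timeout is the sampling time plus a margin.
sls_collect_profiles() {
    outdir="${1:-sls-profiles-$(date +%Y%m%dT%H%M%S)}"
    secs="${2:-60}"
    mkdir -p "$outdir" || return 1
    # Metrics do not require debug mode, so always try them first.
    sls_fetch "$(sls_endpoint_url metrics)" "$outdir/metrics.out" 10 \
        || echo "metrics: fetch failed" >&2
    if ! sls_debug_enabled "$SLS_RULES_FILE"; then
        echo "debug mode is not configured: set debug: true in $SLS_RULES_FILE" \
             "or RUNTIMEDETECTIONS_DEBUG=true, then restart sophoslinuxsensor" >&2
        return 1
    fi
    sls_fetch "$(sls_endpoint_url heap)" "$outdir/heap.out" 10 || return 1
    sls_fetch "$(sls_endpoint_url profile "$secs")" "$outdir/profile.out" \
        $((secs + 15)) || return 1
    # Profiles and metrics describe the sensor's internals: keep them root-only.
    chmod 600 "$outdir"/*.out
    echo "$outdir"
}

# Usage (as root): sh collect-profiles.sh --run [outdir] [cpu-seconds]
if [ "${1:-}" = "--run" ]; then
    sls_collect_profiles "${2:-}" "${3:-60}"
fi
```

The resulting heap.out and profile.out are standard pprof files, so they can be inspected with `go tool pprof -top heap.out` on any machine with a Go toolchain, or simply attached to the support case alongside metrics.out.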

Sensor Logs

You can use the following commands to obtain the sensor logs:

journalctl -u sophoslinuxsensor
journalctl -efu capsule8-sensor
tail -f /var/log/capsule8/sensor.log