
How to Gather Support Incident Information (Sensor 4.5.2 and below)

To enable you to provide us with the requested technical information, Sophos recommends that you follow this guide when retrieving the information from your infrastructure.

Sensor and Content Version

Run the following commands to obtain the sensor and content version for your Linux distribution:

=== "Ubuntu"

```
$ apt list --installed | grep capsule8-sensor

$ apt list --installed | grep capsule8-content
```

=== "RedHat"

```
$ rpm -qa | grep capsule8-sensor

$ rpm -qa | grep capsule8-content
```

=== "Kubernetes"

```
$ kubectl get ds -o yaml capsule8-sensor
```

Sensor YAML configuration file & environment variables set

To obtain the above information for installations done via PackageCloud, run:

$ cat /etc/sophos/runtimedetections-rules.yaml

On a containerized sensor node using Kubernetes, run one of the following commands:

  • $ kubectl exec -it <container-name> cat /etc/sophos/runtimedetections-rules.yaml
  • $ kubectl -n <namespace> exec -it <container-name> cat /etc/sophos/runtimedetections-rules.yaml

On a containerized sensor node using Docker, run the following command (Docker has no namespace option, so there is no -n <namespace> variant):

  • $ docker exec -it <container-name> cat /etc/sophos/runtimedetections-rules.yaml

Analytics YAML configuration file & environment variables set

To obtain the above information for installations done via PackageCloud, run the following command:

$ cat /etc/sophos/runtimedetections-rules.yaml

On a containerized sensor node using Kubernetes, run one of the following commands:

  • $ kubectl exec -it <container-name> cat /etc/sophos/runtimedetections-rules.yaml
  • $ kubectl -n <namespace> exec -it <container-name> cat /etc/sophos/runtimedetections-rules.yaml

On a containerized sensor node using Docker, run the following command (Docker has no namespace option, so there is no -n <namespace> variant):

  • $ docker exec -it <container-name> cat /etc/sophos/runtimedetections-rules.yaml

Operating System and Version

To obtain the OS and version, run any of the following commands:

  • $ uname -a
  • $ cat /etc/os-release
  • $ cat /etc/redhat-release
  • $ lsb_release -a
  • $ hostnamectl

Container Technologies and Version

Please contact your organization's team for that information.

Linux Kernel Version

To obtain the kernel version, run any of the following commands:

  • $ uname -r
  • $ cat /proc/version
  • $ hostnamectl | grep -i kernel

Sensor Logs

To obtain the sensor logs, run any of the following commands:

  • $ journalctl -u capsule8-sensor
  • $ journalctl -efu capsule8-sensor
  • $ tail -f /var/log/capsule8/sensor.log

In a containerized environment you can obtain the logs using any of the following commands:

  • $ kubectl logs <sensor-container-name>
  • $ docker logs <sensor-container-name>
  • $ journalctl -M rkt-<rkt-container-id>
  • $ kubectl logs po/<console-pod> -c capsule8-sensor

SLS Sensor CPU and Memory Profiling

SLS is equipped with runtime profiling features that can be used to generate CPU profiles and memory allocation snapshots via Google's pprof library.

Enable Debug Mode

To enable profiling, either run the sensor with the environment variable RUNTIMEDETECTIONS_DEBUG=true set, or add the line debug: true to the /etc/sophos/runtimedetections-rules.yaml config file. Then restart the sensor with the following command:

$ systemctl restart capsule8-sensor

Once the sensor has restarted, it collects profiling data as it runs.

Generate a Profile

Performance profiles can be captured at any time by making requests to a local HTTP endpoint.

To collect a sample of memory allocations for live objects on the heap, run the following command:

$ curl -s http://localhost:9010/debug/pprof/heap > heap.out

To sample CPU usage for 60 seconds and generate a profile, run the following command:

$ curl -s 'http://localhost:9010/debug/pprof/profile?seconds=60' > profile.out

For the profiles to be useful, generate them on a sensor that is currently experiencing the memory or CPU issue you wish to troubleshoot.

SLS Metrics Output

Debug mode does not need to be enabled to generate the metrics output. Simply run the following command on the sensor:

$ curl -s http://localhost:9010/metrics > metrics.out
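The steps above can be run by hand, but on a host that is already under CPU or memory pressure it is easier to collect everything in one pass. The following POSIX shell script is an added example, not part of this guide or of Sophos's tooling: it gathers the package versions, sensor YAML, OS and kernel version, sensor journal, metrics and, only when debug mode is on, the pprof heap and CPU profiles into one directory. It assumes the config path and the localhost:9010 port stated above; the bundle directory name and the PROFILE_SECONDS knob are its own.

```shell
#!/bin/sh
# Added example (not Sophos tooling): bundle the support items listed in this guide.
# Assumptions: config path and pprof/metrics port as stated in the guide.
SENSOR_CONFIG="${SENSOR_CONFIG:-/etc/sophos/runtimedetections-rules.yaml}"
PPROF_BASE="${PPROF_BASE:-http://localhost:9010}"
PROFILE_SECONDS="${PROFILE_SECONDS:-60}"   # our own knob, matches the 60s example above

# Exit 0 when the config has an uncommented top-level "debug: true" line, which
# is what makes the sensor serve /debug/pprof/; exit 1 otherwise (or if unreadable).
debug_enabled() {
    grep -Eq '^debug:[[:space:]]*true[[:space:]]*$' "$1" 2>/dev/null
}

# Save a command's stdout+stderr under the bundle. A missing tool on a minimal
# image (no journalctl, no curl) is recorded in errors.txt instead of aborting.
capture() {
    _out="$1"; shift
    "$@" >"$BUNDLE/$_out" 2>&1 || echo "failed ($?): $*" >>"$BUNDLE/errors.txt"
}

# Collect everything into $1 (default: timestamped dir) and print the directory name.
collect_support_bundle() {
    BUNDLE="${1:-capsule8-support-$(date +%Y%m%d-%H%M%S)}"
    mkdir -p "$BUNDLE" || return 1
    if command -v apt >/dev/null 2>&1; then            # sensor and content version
        capture packages.txt sh -c 'apt list --installed 2>/dev/null | grep capsule8-'
    elif command -v rpm >/dev/null 2>&1; then
        capture packages.txt sh -c 'rpm -qa | grep capsule8-'
    fi
    capture config.yaml cat "$SENSOR_CONFIG"           # sensor YAML configuration
    capture os-release.txt cat /etc/os-release         # OS and version
    capture kernel.txt uname -r                        # kernel version
    capture sensor-journal.txt journalctl -u capsule8-sensor --no-pager
    capture metrics.out curl -sf --max-time 10 "$PPROF_BASE/metrics"   # no debug needed
    if debug_enabled "$SENSOR_CONFIG" || [ "${RUNTIMEDETECTIONS_DEBUG:-}" = "true" ]; then
        capture heap.out curl -sf --max-time 30 "$PPROF_BASE/debug/pprof/heap"
        capture profile.out curl -sf --max-time "$((PROFILE_SECONDS + 30))" \
            "$PPROF_BASE/debug/pprof/profile?seconds=$PROFILE_SECONDS"
    else
        echo "debug mode off: pprof skipped (set debug: true or RUNTIMEDETECTIONS_DEBUG=true and restart)" \
            >>"$BUNDLE/errors.txt"
    fi
    echo "$BUNDLE"
}

# Usage: sh collect.sh run [output-dir]
if [ "${1:-}" = "run" ]; then collect_support_bundle "${2:-}"; fi
```

Attach the printed directory (or a tarball of it) to the case; errors.txt lists anything that could not be collected on that host.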