
Agent Troubleshooting

When troubleshooting issues with SentinelOne agents, a SolCyber SOC engineer will usually open a ticket with SentinelOne support. To expedite resolution, we ask that some data or log collection be done on the device so that we can provide the details to SentinelOne support.

Windows

To collect installation logs from Windows endpoints:

  1. In File Explorer, enter:

    • C:\Windows\Temp\

    • %temp%

      This redirects to C:\Users\<USER>\AppData\Local\Temp\ where <USER> is the logged-in user.

  2. In each of these file paths, look for sentinelinstaller files. The file path can differ depending on the configuration of your operating system.

  3. Select these files:

    • sentinelinstaller_*.out
    • sentinelinstaller_*.dmp
    • sentinelinstaller_*.etl

    Where * will match all substrings.

  4. Compress the files to an archive file (ZIP, RAR, or similar).

  5. Supply the archive to SolCyber.
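
Steps 1 to 5 as a PowerShell script, added here as an example and not part of SolCyber's or SentinelOne's tooling. The staging folder, the archive name and the Desktop output location are assumptions; the search paths and file patterns are the ones listed above.

```powershell
# Added example: gather SentinelOne installer logs into one ZIP.
# Run from an elevated PowerShell session so C:\Windows\Temp is readable.
# $env:TEMP resolves for the account running this session; add another
# user's Temp folder to $sources if the installer ran under a different account.
$sources  = @('C:\Windows\Temp', $env:TEMP) | Select-Object -Unique
$patterns = @('sentinelinstaller_*.out', 'sentinelinstaller_*.dmp', 'sentinelinstaller_*.etl')

# Assumed names and output location; change as needed.
$stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
$staging = Join-Path $env:TEMP "s1_installer_logs_$stamp"
$desktop = [Environment]::GetFolderPath('Desktop')
$archive = Join-Path $desktop "s1_installer_logs_${env:COMPUTERNAME}_$stamp.zip"

New-Item -ItemType Directory -Path $staging -Force | Out-Null
$copied = 0

foreach ($dir in $sources) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    # One subfolder per source directory, so files with the same name
    # in both locations cannot overwrite each other inside the archive.
    $sub = Join-Path $staging (($dir -replace '[:\\]+', '_').Trim('_'))

    $files = Get-ChildItem -Path (Join-Path $dir '*') -Include $patterns -File -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        if (-not (Test-Path -LiteralPath $sub)) {
            New-Item -ItemType Directory -Path $sub | Out-Null
        }
        Copy-Item -LiteralPath $file.FullName -Destination $sub
        $copied++
    }
}

if ($copied -eq 0) {
    Write-Warning "No sentinelinstaller_* files found in: $($sources -join ', ')"
} else {
    Compress-Archive -Path (Join-Path $staging '*') -DestinationPath $archive
    # Print the SHA-256 so the recipient can confirm the archive arrived unmodified.
    Get-FileHash -LiteralPath $archive -Algorithm SHA256 | Format-List Path, Hash
    Write-Output "Collected $copied file(s) into $archive"
}

# Remove the temporary copies in either case.
Remove-Item -LiteralPath $staging -Recurse -Force
```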

To collect Agent logs from Windows endpoints:

  1. Open CMD with Run as Administrator.

  2. Run:

    cd "C:\Program Files\SentinelOne\Sentinel Agent <version>\Tools"

    Where <version> is the version of the installed Agent.

  3. Run these commands:

    mkdir c:\temp
    LogCollector.exe WorkingDirectory=c:\temp

    Here c:\temp is an example output directory. You can use a different directory name. If a message says that LogCollector cannot find the output directory, make sure the WorkingDirectory you entered is an existing path.

    When you run the last command, the LogCollector starts and shows the status of the log collection.

  4. When the LogCollector is done, get the output from your WorkingDirectory.

    File name format: mm_dd_yyyy_hh_mm{AM|PM}_Logs.gz

    Example: 05_12_2020_09_57AM_Logs.gz

  5. Supply the archive to SolCyber.

To collect Windows Agent configuration information:

  1. Run CMD as admin: Windows Start > enter cmd > right-click Command Prompt and select Run as administrator.

  2. Run:

    > cd\
    > cd "Program Files\SentinelOne\Sentinel Agent <full_version>" 

    Where full_version is the version of the Agent. For example: 21.6.1.121. You can use TAB to let cmd auto-complete pathnames.

  3. Run these commands and include the output in the Support issue.

    > sentinelctl status
    > sentinelctl config

Log Collection for macOS Endpoints

Collect logs from macOS Agents through the Management Console, or run:

sudo sentinelctl logreport

Log Collection for Linux Endpoints

Collect logs from Linux Agents through the Management Console, or run:

sudo /opt/sentinelone/bin/sentinelctl log generate path

From Linux Agent version 4.0, the collected logs are more comprehensive and usually give Support the information they require.