What does the Collector Reporter gather from the system
Question:
What does the Collector Reporter gather from the system?
Answer:
Depending on the operating system on which you run the Collector Reporter, it gathers the information listed below.
Collector Reporter for Windows
1. Files included
The Collector Reporter zip contains the following files:
nxtreporter-x.x.x.x.zip
file | description |
---|---|
nxtreporter.cmd | batch file to run |
nxtreporter32.exe | executable running on 32-bit systems |
nxtreporter64.exe | executable running on 64-bit systems |
2. Data gathered from the system
Table 2: The data gathered inside the zip report (nxtreporter.zip)
filename | description | Support question type | Investigation priority |
---|---|---|---|
systemlog.txt | Collector version, running state, configuration. Status of gathering all the following data for the full zip report. | | |
*.dmp | c:\Windows\MEMORY.dmp and c:\Windows\Minidump\* (all files located there) | BSOD issue | |
edid.txt | EDID data in binary form (Extended Display Identification Data). Detailed information about all connected displays. | crash nxtsvc / wrong monitor data reported | |
ipconfig.txt | Result of the command "ipconfig.exe" | No Collector data reported to Engine | |
macs.txt | MAC addresses, result of the command "getmac.exe" | | |
serviceslist.txt | All kernel/user drivers configured, result of the command "driverquery.exe -v" | | |
servicesstatus.txt | Running status of all Windows services, result of the command "sc queryex" | | |
ver.txt | OS version, result of the command "ver.exe" | | |
wfpstate.xml | WFP configuration, result of the command "netsh wfp show state" | | |
disks.xml | Information about hard disks. | | |
printers.xml | Information about installed printers. | | |
verifier.txt | Driver Verifier configuration, result of the command "verifier.exe /querysettings" | | |
msiproducts.xml | List of all products and patches installed by the MSI installer. | | |
/wer/* | WER (Windows Error Reporting) files, crash dumps of user applications. | nxtsvc crash | |
/watchdog/* | Kernel error reports, content of the directory C:\Windows\LiveKernelReports\WATCHDOG\ | | |
/Temp/* /Windows/* /Windows_Temp/* | All log files with a name matching the pattern `*nxt*` or `*nexthink*`, plus setupapi.log | Installation issue | Important |
eventlog_application.txt eventlog_security.txt eventlog_system.txt | Windows event logs. Text representation of the internal log database (viewable with the "Event Viewer" application). | installation issue / historical data | Important |
/Antivirus/SecurityCenter.txt /Antivirus/*.bk | Information about Security Center status. Backup of registry keys of well-known Antivirus products: see table 2.1 | | |
/Printers/*.bk | Backup of registry keys of installed printers: see table 2.2 | | |
*.bk | Backup of registry keys: see table 2.3 | installation issue | |
Table 2.1: Backup of registry keys of well known Antivirus products
Registry Key | Backup file name |
---|---|
"HKEY_LOCAL_MACHINE\\SOFTWARE\\McAfee" | reg_software_mcafee.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\KasperskyLab" | reg_software_kaspersky.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\BitDefender" | reg_software_bitdeffender.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Microsoft Antimalware" | reg_software_ms_anti.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Norton" | reg_software_norton.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Sophos" | reg_software_sophos.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec" | reg_software_symantec.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\TrendMicro" | reg_software_trendmicro.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\McAfee" | reg_software_mcafee6432.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\KasperskyLab" | reg_software_kaspersky6432.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\BitDefender" | reg_software_bitdeffender6432.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Microsoft Antimalware" | reg_software_ms_anti6432.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Norton" | reg_software_norton6432.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Sophos" | reg_software_sophos6432.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Symantec" | reg_software_symantec6432.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\TrendMicro" | reg_software_trendmicro6432.bk |
Table 2.2: Backup of registry keys of installed printers
Registry Key | Backup file name |
---|---|
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Print\\Printers\\" | machine_system_ccs_control_print_printers.bk |
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\" | machine_system_ccs_enum.bk |
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceContainers\\" | machine_system_ccs_devicecontainers.bk |
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\" | machine_system_ccs_control_print_monitors.bk |
Table 2.3: Backup of registry keys
Registry Key | Backup file name |
---|---|
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet" | machine_system_current_control_set.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion" | machine_software_win_current_version.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" | machine_software_winnt_current_version.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion" | machine_software_win_current_version6432.bk |
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion" | machine_software_winnt_current_version6432.bk |
The same set of keys is gathered for each user (#UserSID#) from the HKEY_USERS tree:
Registry Key | Backup file name |
---|---|
"HKEY_USERS\\#UserSID#\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet" | users_#UserSID#_system_current_control_set.bk |
"HKEY_USERS\\#UserSID#\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion" | users_#UserSID#_software_win_current_version.bk |
"HKEY_USERS\\#UserSID#\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" | users_#UserSID#_software_winnt_current_version.bk |
Reporter for Mac OS X
The reporter is included inside the Collector installer dmg package.
The tool has to be run as a privileged user, i.e. sudo reporter.
To run the reporter:
Copy the reporter script from the dmg package to a folder on the machine.
Run the reporter script as a privileged user (sudo reporter).
The zip file will be in the same folder from which the reporter script was run.
Files Included
Nexthink_Collector_x.x.x....dmg
file | description |
---|---|
reporter | Script file to run |
Data gathered from the system
In the current directory from which the script is executed, a .zip file is created, or an error message from the script is displayed.
Nexthink_Reporter.zip
file/directory | description |
---|---|
CrashReporter | directory containing logs of crash incidents |
DiagnosticReports | copy of Mac OS system diagnostic events |
config.plist | collector config |
crashguard | collector crashguard file (binary) |
nxtsvc | collector service (binary) |
sudoers | Mac OS sudoers file |
nxtsvc.log | Nexthink Service log |
nxtsvc.X.log | Nexthink Service backup logs; "X" represents the number of the backup file |
nxtcod.log | Nxtcod process logs |
nxtcod.X.log | Nxtcod process backup logs; "X" represents the number of the backup file |
nxtcoordinator.log | NXT Coordinator Service Logs |
nxtcoordinator.X.log | NXT Coordinator Service backup logs; "X" represents the number of the backup file |
nxteufb.log | Engage Client Service logs |
nxtupdater.log | Update logs |
nxtbsm.log | Business Service module log |
nxtextension.log | Application Experience Extension log |
Only the files that were present on the system are included in the zip; for example, if the log setting was 'Silent', nxtsvc.log will not be present.
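The report zips listed above bundle artifacts that routinely contain sensitive material (full memory dumps, registry hive backups, the security event log, WFP firewall state, the sudoers file), so a practitioner will want to inventory an archive before it leaves the organisation. The script below is an added example, not part of this article or of Nexthink's tooling: it lists such entries by category without extracting anything, and rejects entry names that would escape the extraction directory. The sample archive is constructed inline from file names in the tables above.

```python
import io
import posixpath
import zipfile
from collections import defaultdict

# Artifact classes named in the report tables that usually carry sensitive data
# (memory contents, registry hives, security events, firewall policy, sudo rules).
SENSITIVE_PATTERNS = {
    "memory dumps": (".dmp",),
    "registry backups": (".bk",),
    "event logs": ("eventlog_",),
    "firewall state": ("wfpstate.xml",),
    "sudoers": ("sudoers",),
}

def classify(name):
    """Map an archive entry to a sensitive category, or None if it is benign."""
    base = posixpath.basename(name).lower()
    for category, needles in SENSITIVE_PATTERNS.items():
        if any(base.startswith(n) or base.endswith(n) for n in needles):
            return category
    return None

def review_report(zip_bytes):
    """Inventory a reporter zip without extracting anything from it."""
    flagged, unsafe, total = defaultdict(list), [], 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            total += 1
            name = info.filename.replace("\\", "/")
            parts = name.split("/")
            # Reject entries that would land outside the extraction directory.
            if name.startswith("/") or ".." in parts or ":" in parts[0]:
                unsafe.append(info.filename)
                continue
            category = classify(name)
            if category:
                flagged[category].append((name, info.file_size))
    return {"entries": total, "flagged": dict(flagged), "unsafe": unsafe}

def build_sample_zip():
    """Constructed stand-in for nxtreporter.zip, using file names from the page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("systemlog.txt", "Collector running\n")
        zf.writestr("eventlog_security.txt", "Audit Success\n")
        zf.writestr("MEMORY.dmp", b"\x00" * 1024)
        zf.writestr("Antivirus/reg_software_sophos.bk", b"regf")
        zf.writestr("../outside.txt", "traversal entry (constructed)")
    return buf.getvalue()
```

Run `review_report` on the bytes of a real nxtreporter.zip or Nexthink_Reporter.zip to get the same inventory; anything under "unsafe" should be a reason not to extract the archive at all.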