Crowdstrike Log gathering script

jrepasky
New Contributor III
#!/bin/bash

# Written by Justin Repasky 08/03/2023
# Runs Crowdstrike's diagnose command and outputs results to /Users/Shared/Diagnostics
# Crowdstrike command includes macOS system diagnostics logs

# Hold the command as an array so the binary path and its arguments are not re-split
command_to_run=(/Applications/Falcon.app/Contents/Resources/falconctl diagnose --silent)
target_text="Falcon sensor diagnostics are complete. Please send this file to CrowdStrike Support"
target_folder="/Users/Shared/Diagnostics"
date_time=$(date +"%Y%m%d-%H-%M-%S")

# -p: no error if the folder already exists
mkdir -p "$target_folder"

"${command_to_run[@]}" | while IFS= read -r line; do
    echo "$line"

    # The completion message ends with the path of the zip falconctl wrote under /tmp
    if [[ $line =~ $target_text.*(/tmp/[^[:space:]]+) ]]; then
        path="${BASH_REMATCH[1]}"
        echo "Path found: $path"

        # Only move a regular file; skip anything else that happened to match the pattern
        if [[ -f "$path" ]]; then
            # Move zip file from tmp folder to /Users/Shared/Diagnostics
            mv "$path" "${target_folder}/falconctl_diagnose_${date_time}.zip"

            # Open /Users/Shared/Diagnostics so user can copy file to where we determine
            /usr/bin/open "$target_folder"
        else
            echo "Not a regular file, skipping: $path" >&2
        fi
    fi
done

sdagley
Esteemed Contributor II

@jrepasky Your script could definitely be useful for orgs deploying CrowdStrike, but it would be better to post it under Products->Jamf Pro. @JustinV if you agree with that assessment can you relocate this thread (and remove this reply)?