Carbon Black Cloud Linux Sensor: event_collector is not loaded in kernel

Article ID: 284790

Products

  • Carbon Black Cloud Workload
  • Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)
  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
  • Carbon Black Cloud Managed Detection (formerly Cb Threatsight)
  • Carbon Black Cloud Prevention

Issue/Introduction

Why is event_collector no longer loaded in the kernel on 2.11+ sensors?

Environment

  • Carbon Black Cloud Sensor: 2.11 and newer
  • Linux: All Supported Versions

Resolution

Enterprise EDR (EEDR) support for modern Linux distributions was introduced in 2.10.0, and Endpoint Standard (ES) support for the same distributions was added in 2.11.0. Both products use eBPF for event collection, so no kernel driver is needed. eBPF event collection requires the correct kernel headers to be installed on the system.

Additional Information

  • You should now see event_collector in the output from ps aux
  • If the sensor reports as offline, headers will need to be installed
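
The two checks above can be scripted. This is an added example, not code from the vendor or from the original article. It assumes the headers for the running kernel (uname -r) live in one of the common distribution locations listed in the script; where the sensor itself looks for headers is not stated in this article.

```shell
#!/bin/sh
# Added example: triage for a 2.11+ sensor that collects events with eBPF.

# headers_installed ROOT RELEASE
# Succeeds if a header tree for kernel RELEASE exists under ROOT.
# The three locations are common distribution defaults (assumption).
headers_installed() {
    root=$1; rel=$2
    for d in "$root/lib/modules/$rel/build" \
             "$root/usr/src/kernels/$rel" \
             "$root/usr/src/linux-headers-$rel"; do
        # -d follows symlinks, so a dangling "build" link (headers
        # package removed or never installed) does not count.
        if [ -d "$d/include" ]; then
            return 0
        fi
    done
    return 1
}

# collector_running: reads `ps aux` output on stdin and succeeds only if
# the COMMAND column (field 11) has the basename event_collector, so a
# "grep event_collector" line is not mistaken for the process.
collector_running() {
    awk 'NR > 1 { n = split($11, p, "/"); if (p[n] == "event_collector") found = 1 }
         END { exit !found }'
}

# report: run both checks against the live system.
report() {
    rel=$(uname -r)
    if ps aux | collector_running; then
        echo "event_collector: running as a user-space process"
    else
        echo "event_collector: not found in ps aux"
    fi
    if headers_installed "" "$rel"; then
        echo "kernel headers for $rel: present"
    else
        echo "kernel headers for $rel: missing; install them if the sensor reports as offline"
    fi
}

if [ "${1:-}" = "--run" ]; then
    report
fi
```

Run it with --run on the affected host. event_collector will not appear in lsmod on these sensor versions, so only the process list and the header check are meaningful.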