Carbon Black Cloud Linux Sensor: event_collector is not loaded in kernel
Article ID: 284790
Products
Carbon Black Cloud Workload
Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Carbon Black Cloud Managed Detection (formerly Cb Threatsight)
Carbon Black Cloud Prevention
Issue/Introduction
Why is event_collector no longer loaded in the kernel on 2.11+ sensors?
Environment
Carbon Black Cloud Sensor: 2.11 and newer
Linux: All Supported Versions
Resolution
Enterprise EDR (EEDR) support for modern Linux distributions was introduced in 2.10.0, and Endpoint Standard (ES) support for the same distributions was added in 2.11.0. Both products use eBPF for event collection, so no kernel driver is needed. eBPF event collection requires the correct kernel headers to be installed on the system.
Additional Information
You should now see event_collector in the output from ps aux.
If the sensor reports as offline, kernel headers will need to be installed.
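
One way to check both conditions described above (event_collector visible in ps aux, kernel headers present for the running kernel). This is an added example, not Carbon Black's own tooling; the header directories are common distribution defaults, and the function names and the CHECK_LIVE variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example: header paths are common distro defaults (assumption), not
# paths taken from Carbon Black documentation.

# headers_present RELEASE [ROOT]: succeeds if a header tree for RELEASE exists.
headers_present() {
    for dir in \
        "${2:-}/lib/modules/$1/build" \
        "${2:-}/usr/src/kernels/$1" \
        "${2:-}/usr/src/linux-headers-$1"
    do
        # -d follows symlinks, so a dangling "build" link counts as missing
        if [ -d "$dir" ]; then return 0; fi
    done
    return 1
}

# collector_running: reads `ps aux` output on stdin; matches only the command
# column (field 11) so that "grep event_collector" is not a false positive.
collector_running() {
    awk 'NR > 1 { n = split($11, p, "/"); if (p[n] == "event_collector") found = 1 }
         END { exit (found ? 0 : 1) }'
}

# diagnose RELEASE [ROOT] < ps-output: prints one verdict line.
diagnose() {
    if collector_running; then c=yes; else c=no; fi
    if headers_present "$1" "${2:-}"; then h=yes; else h=no; fi
    case "$c/$h" in
        yes/*)  echo "ok: event_collector is running" ;;
        no/no)  echo "fix: install kernel headers for $1" ;;
        no/yes) echo "check: headers present for $1, event_collector not running" ;;
    esac
}

# Constructed sample of `ps aux` output (not captured from a real host).
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1000 500 ? Ss 10:00 0:01 /sbin/init
root 900 0.0 0.1 1000 500 pts/0 S+ 10:05 0:00 grep event_collector'

# CHECK_LIVE=1 inspects this host; otherwise the sample above is used.
if [ "${CHECK_LIVE:-0}" = 1 ]; then
    ps aux | diagnose "$(uname -r)"
else
    printf '%s\n' "$SAMPLE_PS" | diagnose "$(uname -r)"
fi
```

The header package that satisfies the "fix" verdict depends on the distribution and must match the running kernel release reported by uname -r.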