- The output shows the link_process and link_sensor as 'localhost' despite this not being the hostname and the server_name being set in the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file.
- The event forwarder output tends to look like the snippet below if this issue is encountered:
{"action":"create","actiontype":1,"cb_server":"edr-server.my.carbonblack.io","computer_name":"hostname","event_type":"filemod","filetype":0,"filetype_name":"Unknown","link_process":"https://localhost/#analyze/000022d4-0000-5ba4-01d8-000000000000/0","link_sensor":"https://localhost/#/host/8216","md5":"9EF81300000000041BDE23C3143941C","path":"e:\\drive\\dir\\example.index\\_index\\_8l0v.tii","pid":23460,"process_guid":"000022d4-0000-0000-01d8-0d609c622aca","process_path":"c:\\program files (x86)\\search\\vss.exe","sensor_id":8216,"sha256":"3925F5700000000C6C6E60BEAE8B53AE3E06F52D423AAEB957EC24CB3EEA78C7","tamper":false,"tamper_sent":false,"timestamp":1642697755,"type":"ingress.event.filemod"}
"link_process":"https://localhost/#analyze/000022d4-0000-5ba4-01d8-000000000000/0"
"link_sensor":"https://localhost/#/host/8216"