- Run the /usr/share/cb/integrations/event-forwarder/cb-edr-fix-permissions.sh script to correct the permissions issue.
- If this doesn't help, try running the forwarder service as 'cb' to see if the service will start:
- From the terminal run the following command:
- sudo -u cb service cb-event-forwarder start
- The following output is expected; despite the root-user message, the service should still start (as described below):
[root@edrserveref ~]# sudo -u cb service cb-event-forwarder start
This script must be run by a root user
Starting cb-event-forwarder: Ok
- If we see the following, it's likely that the event_bridge_output.json file or another file cannot be written to as the cb user and in turn cannot be altered using the GUI:
[root@edrserveref ~]# sudo -u cb service cb-event-forwarder start
This script must be run by a root user
Starting cb-event-forwarder: Failed config file check
- Ensure that the location of the event_bridge_output.json file (found in the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file) can be written to by the 'cb' user account by checking its permissions. Typically the directory permissions look like:
[root@edrserveref ~]# ls -lha /var/cb/data/
total 44K
drwxr-xr-x. 10 cb cb 4.0K Nov 10 20:18 .
drwxr-xr-x. 6 cb cb 4.0K Nov 10 07:15 ..
-rw-r--r--. 1 cb cb 0 Nov 10 20:18 event_bridge_output.json
-rw-r--r--. 1 cb cb 0 Nov 10 07:13 event_bridge_output.json.2020-11-10T07:13:22.230.restart
-rw-r--r--. 1 cb cb 0 Nov 10 07:13 event_bridge_output.json.2020-11-10T07:39:30.882.restart
-rw-r--r--. 1 cb cb 0 Nov 10 07:39 event_bridge_output.json.2020-11-10T07:39:30.953.restart
- To change permissions of this directory:
chown cb:cb -R /var/cb/data
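An added example (not part of the original article or the vendor's tooling): a read-only shell check that lists which paths under the output file's directory the service account cannot write, so the scope of the problem is visible before running chown. It assumes the config stores the path as `outfile=<path>`; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only checks; nothing outside a temp directory is modified.

# Print the output file path configured in a forwarder config file.
# Assumption: the path is stored on a line of the form "outfile=<path>".
forwarder_outfile() {
    sed -n 's/^[[:space:]]*outfile[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# List everything under directory $1 that is not owned by user $2 or whose
# owner write bit is missing. Empty output means the user can write everywhere.
unwritable_for() {
    find "$1" \( ! -user "$2" -o ! -perm -200 \) -print
}

# Constructed sample data: a config file and a data directory containing one
# read-only file, mimicking the "Failed config file check" state.
demo=$(mktemp -d)
mkdir "$demo/data"
printf '[bridge]\noutfile=%s/data/event_bridge_output.json\n' "$demo" > "$demo/sample.conf"
: > "$demo/data/event_bridge_output.json"
: > "$demo/data/event_bridge_output.json.restart"
chmod 0444 "$demo/data/event_bridge_output.json"

outfile=$(forwarder_outfile "$demo/sample.conf")
echo "Configured output file: $outfile"
echo "Paths the current user cannot write:"
unwritable_for "$(dirname "$outfile")" "$(id -u)"
```

On the server itself, the equivalent call is `unwritable_for "$(dirname "$(forwarder_outfile /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf)")" cb`, run as root.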