EDR: How to enable event-forwarder debug logging

Article ID: 284984

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Enable debug logging for event-forwarder troubleshooting

Environment

  • EDR: All Versions
  • CB Event-forwarder: All versions

Resolution

  1. Edit /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf
  2. If a debug line is already present, change it to enabled. If it is not present, create it under the '[bridge]' section:
       debug=1
  3. Add a line below it to direct debug logging:
       debug_store=/var/log/cb/integrations/
  4. Restart the event forwarder:
       initctl restart cb-event-forwarder
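
Steps 2 and 3 written as an idempotent shell function, covering both the "already present" and "not present" cases. This is an added example, not vendor tooling; the function name enable_forwarder_debug is hypothetical, and it is best run against a backup copy of the file first.

```shell
#!/bin/sh
# Added example (not vendor code). Applies steps 2 and 3 to CONF:
# sets debug=1 and debug_store=STORE inside [bridge], rewriting the
# lines in place when present and adding them when absent.
enable_forwarder_debug() {
    conf=$1
    store=$2
    # mktemp creates the scratch copy with mode 0600.
    tmp=$(mktemp) || return 1
    awk -v store="$store" '
        function is_key(k) { return $0 ~ ("^[ \t]*" k "[ \t]*=") }
        FNR == 1 { in_bridge = 0 }      # reset at the start of each pass
        /^[ \t]*\[/ { in_bridge = ($0 ~ /^[ \t]*\[bridge\]/) }
        # Pass 1 (first read of the file): note what [bridge] already has.
        NR == FNR {
            if (in_bridge) {
                seen_bridge = 1
                if (is_key("debug")) has_debug = 1
                if (is_key("debug_store")) has_store = 1
            }
            next
        }
        # Pass 2: emit the file with both settings in place.
        in_bridge && /^[ \t]*\[/ {
            print
            if (!has_debug) {
                print "debug=1"
                if (!has_store) print "debug_store=" store
            }
            next
        }
        in_bridge && is_key("debug") {
            print "debug=1"
            if (!has_store) print "debug_store=" store
            next
        }
        in_bridge && is_key("debug_store") { print "debug_store=" store; next }
        { print }
        END { if (!seen_bridge) exit 2 }   # no [bridge] section: refuse
    ' "$conf" "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite the contents only, so the owner and mode of CONF are kept.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}
```

The function leaves the file untouched and returns non-zero when no '[bridge]' section exists; the restart in step 4 is still required afterwards.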

Additional Information

  • This debugging is limited to reporting on certain error conditions.
  • By default, the debug line will be line 20.
  • debug_store can be set to any location. To be collected in a cbdiag, the logs should be under /var/log/cb.