EDR: How to enable event-forwarder debug logging
Article ID: 284984
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Enable debug logging for event-forwarder troubleshooting
Environment
- EDR: All Versions
- CB Event-forwarder: All versions
Resolution
- Edit /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf
- If a debug line is already present, change it to enabled. If it is not present, create it under the '[bridge]' section:
  debug=1
- Add a line below it to set where the debug logs are written:
  debug_store=/var/log/cb/integrations/
- Restart the event forwarder:
  initctl restart cb-event-forwarder
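The edit described in the steps above, written as an idempotent shell function. This is an added example, not code from the article or the vendor; the function name set_bridge_debug and the CONF.bak backup are assumptions of the example, while the file path, keys and restart command are the article's.

```shell
#!/bin/sh
# Added example, not vendor code. set_bridge_debug CONF STORE makes the
# [bridge] section of CONF contain one debug=1 and one debug_store=STORE.
# Existing lines are changed in place, missing ones are appended to the
# section, other sections are untouched, and the old file is kept as CONF.bak.
set_bridge_debug() {
    conf=$1
    store=$2
    [ -f "$conf" ] || { echo "missing file: $conf" >&2; return 1; }
    grep -q '^[[:space:]]*\[bridge\]' "$conf" ||
        { echo "no [bridge] section in $conf" >&2; return 1; }
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    STORE=$store awk '
        # Blank lines are held back so appended keys land before them.
        function out(s) { printf "%s", held; held = ""; print s }
        function finish() {         # leaving [bridge]: add what it lacked
            if (in_bridge) {
                if (!seen_debug) print "debug=1"
                if (!seen_store) print "debug_store=" ENVIRON["STORE"]
                seen_debug = seen_store = 1
            }
        }
        /^[ \t]*$/ { held = held $0 "\n"; next }
        /^[ \t]*\[/ {               # any section header
            finish()
            in_bridge = ($0 ~ /^[ \t]*\[bridge\]/)
            out($0); next
        }
        in_bridge && /^[ \t]*debug[ \t]*=/ {
            if (!seen_debug) out("debug=1")
            seen_debug = 1; next
        }
        in_bridge && /^[ \t]*debug_store[ \t]*=/ {
            if (!seen_store) out("debug_store=" ENVIRON["STORE"])
            seen_store = 1; next
        }
        { out($0) }
        END { finish(); printf "%s", held }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$tmp" "$conf"; then  # already configured: change nothing
        rm -f "$tmp"; return 0
    fi
    cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"  # cat keeps owner/mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh this-script CONF STORE, then restart the forwarder as in the article.
if [ "$#" -eq 2 ]; then set_bridge_debug "$1" "$2"; fi
```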
Additional Information
- This debugging is limited to reporting on certain error conditions.
- By default, the debug line is line 20 of cb-event-forwarder.conf.
- debug_store can be set to any location. To be collected in a cbdiag, the logs should be under /var/log/cb.