EDR: Data Ingress Stopped for External Tools Touching Solr .lock Files
search cancel

EDR: Data Ingress Stopped for External Tools Touching Solr .lock Files

book

Article ID: 285083

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • No new data are showed in the EDR console
  • solr debug logs contain error message: 
    org.apache.lucene.store.AlreadyClosedException: Underlying file changed by an external force at 2018-12-12T05:46:40.405251Z, (lock=NativeFSLock(path= 
    /var/cb/data/solr5/cbevents/cbevents_xxxx_xx_xx_xxxx/data/index/write.lock,impl= 
    sun.nio.ch.FileLockImpl[0:9223372036854775807 exclusive valid],ctime=...))

 

Environment

  • EDR Server: All Supported Versions

Cause

Third party AV agents or scanner touched write.lock

Resolution

Exclude EDR data storage path, by default /var/cb/data, from third party AV or scanners.

Additional Information

When this error occurred, security data would be lost, as sensors are unaware the server could not process data.