EDR: Data Ingress Stopped for External Tools Touching Solr .lock Files
Article ID: 285083
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
No new data is shown in the EDR console.
Solr debug logs contain the error message:
org.apache.lucene.store.AlreadyClosedException: Underlying file changed by an external force at 2018-12-12T05:46:40.405251Z, (lock=NativeFSLock(path=
/var/cb/data/solr5/cbevents/cbevents_xxxx_xx_xx_xxxx/data/index/write.lock,impl=
sun.nio.ch.FileLockImpl[0:9223372036854775807 exclusive valid],ctime=...))
Environment
EDR Server: All Supported Versions
Cause
A third-party AV agent or scanner touched the Solr write.lock file.
Resolution
Exclude the EDR data storage path (by default /var/cb/data) from third-party AV agents and scanners.
Additional Information
When this error occurs, security data is lost, because sensors are unaware that the server could not process the data.
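
To confirm the cause and check that an exclusion covers every affected lock file, the following added example (not Carbon Black code) scans Solr debug log text for the error above and lists lock paths outside the excluded root. The log file location is not given in this article, so it is passed as an argument; the second sample entry and its /data/cb path are constructed.

```python
import re
import sys
from collections import Counter
from pathlib import PurePosixPath

# The Lucene error quoted in this article; \s* tolerates wrapped log lines.
EXTERNAL_TOUCH = re.compile(
    r"AlreadyClosedException: Underlying file changed by an external force at "
    r"(?P<when>\S+?),\s*\(lock=NativeFSLock\(path=\s*(?P<path>[^,\s]+)")
DATA_ROOT = PurePosixPath("/var/cb/data")  # default EDR data path per the article

# Constructed sample: first entry is the article's message, second is made up.
SAMPLE_LOG = (
    "org.apache.lucene.store.AlreadyClosedException: Underlying file changed by an "
    "external force at 2018-12-12T05:46:40.405251Z, (lock=NativeFSLock(path=\n"
    "/var/cb/data/solr5/cbevents/cbevents_xxxx_xx_xx_xxxx/data/index/write.lock,impl=\n"
    "sun.nio.ch.FileLockImpl[0:9223372036854775807 exclusive valid],ctime=...))\n"
    "constructed unrelated log line\n"
    "org.apache.lucene.store.AlreadyClosedException: Underlying file changed by an "
    "external force at 2018-12-12T06:01:02.000001Z, (lock=NativeFSLock(path="
    "/data/cb/solr5/cbevents/cbevents_constructed/data/index/write.lock,impl=...))\n")

def find_external_touches(text):
    """Return (timestamp, lock_path) for every externally modified lock reported."""
    return [(m.group("when"), PurePosixPath(m.group("path")))
            for m in EXTERNAL_TOUCH.finditer(text)]

def summarize(hits, data_root=DATA_ROOT):
    """Count hits per Solr core and list lock paths not under the excluded root."""
    per_core, outside = Counter(), []
    for _, path in hits:
        # <core>/data/index/write.lock: the core directory is three levels up.
        core = path.parents[2].name if len(path.parents) > 2 else str(path)
        per_core[core] += 1
        if data_root not in path.parents:
            outside.append(str(path))
    return per_core, outside

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    hits = find_external_touches(text)
    per_core, outside = summarize(hits)
    for when, path in hits:
        print(f"{when}  {path}")
    for core, count in per_core.most_common():
        print(f"{count:5d}  {core}")
    for path in outside:
        print(f"NOT under {DATA_ROOT}: {path}")
```

Any path reported as not under /var/cb/data means the server uses a non-default storage location, and the AV or scanner exclusion has to name that location instead.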