Duplicate Sensors Due to a Misconfigured VDI

Article ID: 285279


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Sensor hosts appear multiple times in the UI and sensor_registration table.

Environment

  • Carbon Black EDR Server: All Versions
  • Carbon Black EDR Sensor: All Versions 
 

Cause

  • Missing configuration for enabling VDI behavior.
  • The sensor was deployed to new systems after it had already registered with the EDR Server on the original image.

Resolution

  1. Enable VDI in /etc/cb/cb.conf. 
    VDIAPIEnabled=True
  2. Restart the services 
    Standalone:
    sudo service cb-enterprise restart 
    
    Cluster: 
    /usr/share/cb/cbcluster stop && /usr/share/cb/cbcluster start
  3. Log into the EDR console as a global admin.
  4. Go to your username > Settings > VDI Settings.
  5. By default, "Hostname and DNS Name (hostname.domain)" are enabled. Modify these settings to match unique values in your environment.
    • All selected values need to uniquely match; VDI checks are AND operations.
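
Steps 1 and 2 can be scripted for servers managed by configuration tooling. The following is an added example, not part of the original article or of Carbon Black's tooling; the function name ensure_vdi_enabled and the .bak backup suffix are assumptions, while the file path and setting come from step 1.

```bash
#!/usr/bin/env bash
# Added example: idempotently set VDIAPIEnabled=True in a cb.conf-style file.
# ensure_vdi_enabled and the ".bak" suffix are this example's own choices.
# Prints "unchanged" or "updated"; returns 2 if the file cannot be handled.

ensure_vdi_enabled() {
    local conf="${1:-/etc/cb/cb.conf}"
    local active='^[[:space:]]*VDIAPIEnabled[[:space:]]*='
    local tmp

    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }

    # Nothing to do when exactly one active (uncommented) line exists
    # and it already carries the value the article specifies.
    if grep -Eq "${active}[[:space:]]*True[[:space:]]*\$" "$conf" &&
       [ "$(grep -Ec "$active" "$conf")" -eq 1 ]; then
        echo "unchanged"
        return 0
    fi

    # Keep a copy of the previous configuration before touching it.
    cp -p "$conf" "$conf.bak" || return 2

    # Drop every active VDIAPIEnabled line (wrong value or duplicate),
    # leave commented-out lines alone, then append the single setting.
    tmp="$(mktemp)" || return 2
    grep -Ev "$active" "$conf.bak" > "$tmp" || true
    echo 'VDIAPIEnabled=True' >> "$tmp"

    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
    echo "updated"
}
```

Run `ensure_vdi_enabled /etc/cb/cb.conf` with sufficient privileges, and restart the services as in step 2 only when it reports "updated".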

Additional Information

  • This does not clear up existing duplicate entries.
  • The VDI setting is not intended only for virtual machines; it also prevents duplicate entries for physical machines when the sensor is uninstalled/reinstalled.
  • Enabling VDI makes this global across all sensor groups. If a sensor group's setting is set to "VDI Behavior Enabled", it is now only enabled for those groups with this setting. (Group VDI does not work in 7.8.0.)
  • Golden/Master images being used to deploy sensors need to have services stopped, sensor id set to zero and any collected events removed prior to taking the image down to be cloned.
  • Restarting sensor services forces a registration check for the first call to the server.