EDR: How to Opt Out of CbAlerts Purge during 7.3.0 Server Upgrade
Article ID: 285684
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
During an upgrade from 7.2.0 or lower to 7.3.0 or higher, the cbalerts core is purged. This article provides steps to opt out of this for on-prem customers
Environment
- EDR Console: 7.3.0 or Higher
Resolution
- Stop Services
- Run
yum update cb-enterprise
- To adjust the retention cap, add the following config to /etc/cb/cb.conf. Primary server only for Clustered. Set to 0 to keep all alerts
SolrReindexerKeepAlertsDays=DAYS
- Complete the upgrade
/usr/share/cb/cbupgrade
- Start services
Additional Information
- Doing this will increase the upgrade time, in some cases multiple hours
- User Exchange Announcement https://community.carbonblack.com/t5/Endpoint-Detection-and-Response/Solr-8-Upgrade-Release-Announcement/m-p/95093#M4735
- 7.3.0 introduces Solr 8. In order to upgrade to this version, the cores need to be re-indexed and can result in hours of upgrade time without reducing this core. The cbalerts core is not purged on normal operation.
Feedback
Yes
No
Powered by
