How to Roll Over the event_bridge_output.json File Early

Article ID: 285723

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to roll over the event_bridge_output.json files early when they become too large to be submitted

Environment

  • Carbon Black EDR: All Versions
  • Carbon Black Event Forwarder: All Versions

Resolution

  1. Edit /etc/cb/cron/cb-cron.template
  2. Add the entry for your OS anywhere in the file above the line "# Cron requires that each entry in a crontab end in a newline. This comment is included to ensure that's always the case."
    • CentOS6
      # Roll over cb-event-forwarder
      0 */12 * * * root /usr/bin/killall -HUP cb-event-forwarder
    • CentOS7
      # Roll over cb-event-forwarder
      0 */12 * * * root pkill -HUP -f cb-event-forwarder
  3. Note: the entry above triggers a roll-over every 12 hours; adjust the schedule to your needs before saving.
  4. Restart the services for the change to take effect, or add the same line to the live /etc/cron.d/cb so cron picks it up in the current session.

Additional Information

  • Adding the entry to cb-cron.template preserves it across restarts. If you do not want to restart the services, add the line to /etc/cron.d/cb instead; cron picks it up automatically for the currently running services.
  • The schedule can be adjusted to roll the log over as often as you need. Every 12 hours is the starting point here, which may be too frequent; adjust it according to how fast the file grows.
  • The rolled-over file is renamed to event_bridge_output.<timestamp>.
  • You can compress rolled-over files by setting "compress_data=true" in cb-event-forwarder.conf (it is the first setting in the file). The Event Forwarder service must be restarted for this to take effect.
  • If you have not already done so, add a cron job that deletes older JSON files automatically so the rolled-over copies do not fill the disk.
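A size-aware alternative to the fixed 12-hour schedule, added here as an example and not part of the KB article or the product: it sends the same HUP used by the CentOS7 cron line only once the output file has passed a threshold, and lists rolled-over copies old enough to delete, which covers the last bullet above. The output file path, the 100 MiB threshold and the 7-day retention window are assumptions.

```shell
#!/bin/sh
# Added example, not from the KB article: roll cb-event-forwarder's output file
# over only when it exceeds a size threshold, and list rolled-over copies that
# are old enough to delete. The file path, the 100 MiB threshold and the 7-day
# retention window are assumptions, not values stated in the article.
set -u

OUTPUT_FILE="${OUTPUT_FILE:-/path/to/event_bridge_output.json}"  # assumed path
MAX_BYTES="${MAX_BYTES:-104857600}"                               # 100 MiB, assumed
RETAIN_DAYS="${RETAIN_DAYS:-7}"                                   # assumed
# The KB's CentOS7 roll-over command; overridable so the logic runs offline.
ROLLOVER_CMD="${ROLLOVER_CMD:-pkill -HUP -f cb-event-forwarder}"

# Size of a file in bytes (wc -c is POSIX; stat -c%s is GNU-only).
file_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Exit 0 when the file exists and is larger than the threshold in bytes.
needs_rollover() {
    [ -f "$1" ] || return 1
    [ "$(file_size_bytes "$1")" -gt "$2" ]
}

# Send the HUP only when the file is over the threshold; print the outcome
# so the cron mail or log shows what happened on each run.
rollover_if_large() {
    if needs_rollover "$1" "$2"; then
        $ROLLOVER_CMD && echo rolled
    else
        echo skipped
    fi
}

# Rolled-over files (event_bridge_output.<timestamp>) in a directory that are
# older than N days; the live .json is never listed.
stale_rollovers() {
    find "$1" -maxdepth 1 -type f -name 'event_bridge_output.*' \
        ! -name 'event_bridge_output.json' -mtime +"$2"
}

# Invoked from cron as: <script> --run
if [ "${1:-}" = "--run" ]; then
    rollover_if_large "$OUTPUT_FILE" "$MAX_BYTES"
    stale_rollovers "$(dirname "$OUTPUT_FILE")" "$RETAIN_DAYS" |
        while read -r f; do rm -f -- "$f"; done
fi
```

Install the script and schedule `<script> --run` hourly from /etc/cron.d/cb in place of the fixed 12-hour entry; check the listed stale files before relying on the deletion loop.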