How to Roll Over the event_bridge_output.json File Early
Article ID: 285723
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How to roll over the event_bridge_output.json file early when it grows too large to be submitted.
Environment
Carbon Black EDR: All Versions
Carbon Black Event Forwarder: All Versions
Resolution
Edit /etc/cb/cron/cb-cron.template
Add the entry for your OS anywhere in the file above the line "# Cron requires that each entry in a crontab end in a newline. This comment is included to ensure that's always the case."
CentOS6
# Roll over cb-event-forwarder
0 */12 * * * root /usr/bin/killall -HUP cb-event-forwarder
CentOS7
# Roll over cb-event-forwarder
0 */12 * * * root pkill -HUP -f cb-event-forwarder
Note: This entry is set to roll over every 12 hours; adjust the schedule to your needs before saving.
Restart the services for the change to take effect, or add the same line to the live /etc/cron.d/cb for the current session.
Additional Information
Adding the entry to cb-cron.template preserves this configuration across restarts. If you do not want to restart the services, you can add the line to /etc/cron.d/cb instead; cron picks it up automatically for the currently running services.
This workaround can be adjusted to roll over the log as often as you need. It is set to every 12 hours here, which may be more often than necessary, so adjust the schedule based on how fast the file grows.
The rolled-over file is renamed to event_bridge_output.<timestamp>.
You can enable compression of the rolled-over files by setting "compress_data=true" in cb-event-forwarder.conf (it is the first setting in the file). The event forwarder service must be restarted for this to take effect.
If you have not already, add a cron job that automatically deletes the older JSON files so they do not fill the disk.
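The cleanup job mentioned above, as an added example that is not part of this article or of the Carbon Black products: a small POSIX shell script that removes rolled-over files older than a retention period while leaving the live event_bridge_output.json untouched. The output directory, script path and retention are placeholders; the file naming follows the event_bridge_output.<timestamp> pattern the article describes.

```shell
#!/bin/sh
# Added example, not part of the KB article: prune rolled-over forwarder output
# so the HUP-based rollover cannot slowly fill the disk.
# Assumptions (placeholders, not values from the article): the rolled-over files
# sit in one directory next to the live file and follow the naming the article
# describes, event_bridge_output.<timestamp> (plus .gz once compress_data=true).
# The live event_bridge_output.json is never touched.
set -eu

# list_stale_rollovers DIR DAYS
# Print the rolled-over files in DIR not modified within the last DAYS days.
list_stale_rollovers() {
    dir=$1
    days=$2
    # Match only the timestamped copies; the live file ends in .json and is excluded.
    find "$dir" -maxdepth 1 -type f \
        -name 'event_bridge_output.*' \
        ! -name 'event_bridge_output.json' \
        -mtime "+$days"
}

# prune_stale_rollovers DIR DAYS
# Delete the files list_stale_rollovers reports and print how many were removed.
prune_stale_rollovers() {
    dir=$1
    days=$2
    count=$(list_stale_rollovers "$dir" "$days" | wc -l | tr -d ' ')
    # Same predicate as above, deleting in place; "--" guards against odd names.
    find "$dir" -maxdepth 1 -type f \
        -name 'event_bridge_output.*' \
        ! -name 'event_bridge_output.json' \
        -mtime "+$days" -exec rm -f -- {} +
    echo "$count"
}

# Entry point when run from cron: prune-rollovers.sh DIR DAYS
if [ $# -eq 2 ]; then
    prune_stale_rollovers "$1" "$2"
fi

# Example /etc/cron.d/cb entry (hypothetical script path and output directory;
# choose a retention that fits the file sizes the article warns about):
# 30 */12 * * * root /usr/local/bin/prune-rollovers.sh /path/to/forwarder/output 14
```

The script only ever matches files whose name starts with event_bridge_output. and is not the live .json, so a mis-typed directory cannot delete unrelated data.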