How To Restrict the Disk Utilization For Endpoint Standard and Enterprise EDR Events
search cancel

How To Restrict the Disk Utilization For Endpoint Standard and Enterprise EDR Events

book

Article ID: 285810

calendar_today

Updated On:

Products

Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops) Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

To restrict disk usage on Linux endpoints with limited disk storage, particularly in /var/opt directory.

Environment

  •     Carbon Black Cloud (Linux) Sensor: 2.9.0 and Higher
  •     Linux OS: All Supported Versions

Resolution

  1. Uninstall the previous CBC sensor from the Linux endpoint
  2. Completely remove the behavior_events directory:  
    rm /var/opt/carbonblack/psc/blades/E51C4A7E-2D41-4F57-99BC-6AA907CA3B40/behavior-events/ -f
  3. Install Linux sensor
  4. Create the file th.ini: 
    sudo touch /var/opt/carbonblack/psc/blades/E51C4A7E-2D41-4F57-99BC-6AA907CA3B40/th.ini
  5. Add the lines below to the newly created file:
    • For sensors 2.9.1 and higher: 
      [ThreatHunter]
THMaxDiskUsageMb=<Limit In megabytes>
BulkBehaviorMaxDiskUsageMb=<Limit in megabytes>
    • For sensor versions prior to 2.9.1: 
      [ThreatHunter]
MaxTotalArchiveSize=<Limit In bytes>
BulkBehaviorHighDiskUsageMb=<Limit in megabytes, must be ~80% of BulkBehaviorMaxDiskUsage>
BulkBehaviorMaxDiskUsageMb=<Limit in megabytes>
  6. Restart the sensor: 
    sudo systemctl restart cbagentd

Additional Information

  • The default size for each directory is 1Gb and is hardcoded. Creating the .ini file overrides the default hardcoded value. The lower this is set the fewer events the sensor will store before they are purged. Once purged that data is then permanently lost.
  • THMaxDiskUsageMb and MaxTotalArchiveSize control the size of the "events" directory, which contains Enterprise EDR (Formerly CB Threathunter) events before they get sent to the backend.
  • BulkBehaviorMaxDiskUsageMb controls the size of the "behavior-events" directory, which contains Endpoint Standard (Formerly CB Defense) events before they get sent to the backend.
  • BulkBehaviorHighDiskUsageMb tells the sensor that the disk is getting full and that it should prioritize certain types of events for storage once it reaches the set threshold. This should be set slightly lower than the other settings - approximately 80%.
  • Formerly BulkBehaviorMaxDiskUsageMb was dependent upon and required a value for BulkBehaviorHighDiskUsageMb, the dependency was removed effective with the 2.9.1 sensor release
  • MaxTotalArchiveSize will continue to work on 2.9.1+ should the sensor be upgraded.
  • Note that MaxTotalArchiveSize is in bytes, while BulkBehaviorMaxDiskUsageMb and BulkBehaviorMaxDiskUsageMb are in MB.
  • These should be set to 128Mb at an absolute minimum, closer to the defaults is better.
  • The following example would limit the Enterprise EDR (formerly ThreatHunter) events to take 256Mb, and Endpoint Standard (formerly CB Defense) events to take 256Mb (for a net total of half a GB, excluding the logs which currently don't have their size configurable): 
    [ThreatHunter]
MaxTotalArchiveSize=268435456
BulkBehaviorHighDiskUsageMb=200
BulkBehaviorMaxDiskUsageMb=256
Powered by Wolken Software