Enterprise EDR: How much data will be cached on the endpoint?
search cancel

Enterprise EDR: How much data will be cached on the endpoint?

book

Article ID: 285835

calendar_today

Updated On:

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

How much event and binary data will the sensor cache (or backlog) if it cannot transfer it to the backend servers?

Environment

  • Enterprise EDR Sensor: 3.4.0 and Higher
  • Microsoft Windows: All supported versions
  • Apple macOS: All supported versions
  • Linux: All Supported Versions

Resolution

  • Windows Sensor:  1GB
  • macOS Sensor: 500 MB
  • Linux Sensor: 1 GB

Additional Information

  • Event data is stored in a .db file.
  • If the file sizes above are exceeded, the oldest events are dropped in order to make room for newer, incoming events. 
  • The Windows Sensor limit is configurable via ConfigProp using RMS.
Powered by Wolken Software