EDR: Event Forwarder no longer sending data after upgrade to 7.7
Article ID: 285989
Products
Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
Events no longer forwarding after upgrade
Message in cb-event-forwarder.startup.log
time="2022-07-17T19:05:47Z" level=info msg="Raw Event Filtering Configuration:"
time="2022-07-17T19:05:47Z" level=fatal msg="Configuration errors:\n Could not get RabbitMQ credentials from /etc/cb/cb.conf"
Message in cb-event-forwarder.log
time="2022-07-17T18:51:17Z" level=info msg="AMQP loop 1 exited: Exception (403) Reason: \"username or password not allowed\". Sleeping for 30 seconds then retrying."
Environment
EDR Server: Upgrade to 7.7
Cause
The change to the RabbitMQ password in EDR 7.7 breaks the Event Forwarder (CB-39853).
Resolution
This issue is resolved in version cb-event-forwarder-3.8.4-1.el7.x86_64.
The Event Forwarder can be installed by following the instructions at the link below.
NOTE: If you plan to use the EDR console to configure and control cb-event-forwarder, then you MUST install it on the same system on which EDR is installed (in the case of a cluster installer, this means the primary node).
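A triage check for the symptoms above, added here as an example and not taken from the Carbon Black documentation: it looks for the two log signatures quoted in this article and compares the installed forwarder version against the fixed 3.8.4 release. The function names, result labels and the sample installed version 3.8.3 are assumptions; log file paths are passed in by the caller.

```shell
#!/bin/sh
# Added example (not vendor code). Log strings and FIXED_VERSION are from this
# article; function names and result labels are hypothetical.
FIXED_VERSION="3.8.4"

# Print which of the article's two log signatures occur in the given files.
ef_symptoms() {
    found=""
    [ "$#" -gt 0 ] || { echo "none"; return 0; }   # never fall back to stdin
    if grep -Fqs 'Could not get RabbitMQ credentials from /etc/cb/cb.conf' "$@"; then
        found="credentials_unreadable"
    fi
    if grep -Fqs 'Exception (403) Reason: \"username or password not allowed\"' "$@"; then
        found="${found:+$found }amqp_403"
    fi
    echo "${found:-none}"
}

# Succeed when the installed version is at or above FIXED_VERSION.
# On a server the value can come from: rpm -q --qf '%{VERSION}' cb-event-forwarder
ef_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# usage: ef_diagnose <installed-version> <log-file>...
ef_diagnose() {
    ver=$1; shift
    symptoms=$(ef_symptoms "$@")
    if [ "$symptoms" = "none" ]; then
        echo "no_match"             # neither signature present
    elif ef_is_fixed "$ver"; then
        echo "other_cause"          # fixed build installed, look elsewhere
    else
        echo "upgrade_forwarder"    # matches this article's issue
    fi
}

# Demo on a constructed log file holding the article's AMQP message;
# the installed version 3.8.3 is a constructed sample value.
ef_demo() {
    dir=$(mktemp -d)
    cat > "$dir/cb-event-forwarder.log" <<'EOF'
time="2022-07-17T18:51:17Z" level=info msg="AMQP loop 1 exited: Exception (403) Reason: \"username or password not allowed\". Sleeping for 30 seconds then retrying."
EOF
    ef_diagnose "3.8.3" "$dir/cb-event-forwarder.log"
    rm -rf "$dir"
}
```

Calling `ef_demo` prints `upgrade_forwarder`; on a real server, pass the installed version and the paths to both forwarder logs to `ef_diagnose`.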