EDR: Event Forwarder no longer sending data after upgrade to 7.7


Article ID: 285989


Updated On:

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

  • Events no longer forwarding after upgrade
  • Message in cb-event-forwarder.startup.log
    • time="2022-07-17T19:05:47Z" level=info msg="Raw Event Filtering Configuration:"
      time="2022-07-17T19:05:47Z" level=fatal msg="Configuration errors:\n Could not get RabbitMQ credentials from /etc/cb/cb.conf"
  • Message in cb-event-forwarder.log
    • time="2022-07-17T18:51:17Z" level=info msg="AMQP loop 1 exited: Exception (403) Reason: \"username or password not allowed\". Sleeping for 30 seconds then retrying."

Environment

  • EDR Server: Upgrade to 7.7

Cause

A change to the RabbitMQ password in 7.7 breaks the Event Forwarder (CB-39853).

Resolution

This issue is resolved with version cb-event-forwarder-3.8.4-1.el7.x86_64.

The event forwarder can be installed by following the instructions at the link below:

cb-event-forwarder
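The following check is an added example, not code from the vendor or the cb-event-forwarder project: it parses the two log lines quoted above, flags the failure signatures, and tests a package string (for example, the output of `rpm -q cb-event-forwarder`) against the fixed build. The function names are hypothetical, and treating builds later than 3.8.4-1 as fixed is an assumption.

```python
import re

# Fixed package named in the Resolution section, compared as (version, release).
# Assumption: builds later than this one keep the fix.
FIXED = ((3, 8, 4), 1)

# Failure signatures quoted in the article, matched against the decoded msg field.
SIGNATURES = {
    "rabbitmq_creds_unreadable": "Could not get RabbitMQ credentials from /etc/cb/cb.conf",
    "amqp_auth_rejected": "username or password not allowed",
}

# Text log format seen above: key=value pairs, values optionally quoted with \" escapes.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Return the key/value fields of one log line."""
    fields = {}
    for key, raw in FIELD.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"').replace("\\n", "\n")
        fields[key] = raw
    return fields

def find_failures(lines):
    """Return (timestamp, signature name) for each line matching a known failure."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        for name, needle in SIGNATURES.items():
            if needle in fields.get("msg", ""):
                hits.append((fields.get("time"), name))
    return hits

def has_fix(nvr):
    """True if an rpm name-version-release string is at or above the fixed build."""
    m = re.match(r"cb-event-forwarder-(\d+(?:\.\d+)*)-(\d+)", nvr)
    if not m:
        raise ValueError("not a cb-event-forwarder package string: %r" % nvr)
    version = tuple(int(p) for p in m.group(1).split("."))
    return (version, int(m.group(2))) >= FIXED

# The two log lines quoted in the article, embedded as sample input.
SAMPLE = [
    r'time="2022-07-17T19:05:47Z" level=fatal msg="Configuration errors:\n Could not get RabbitMQ credentials from /etc/cb/cb.conf"',
    r'time="2022-07-17T18:51:17Z" level=info msg="AMQP loop 1 exited: Exception (403) Reason: \"username or password not allowed\". Sleeping for 30 seconds then retrying."',
]

if __name__ == "__main__":
    print(find_failures(SAMPLE), has_fix("cb-event-forwarder-3.8.4-1.el7.x86_64"))
```

A hit on either signature means the forwarder is not delivering EDR events downstream, so the same patterns are worth alerting on after any server upgrade.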
 
 

Additional Information

NOTE: If you plan to use the EDR console to configure and control cb-event-forwarder, then you MUST install it on the same system on which EDR is installed (in the case of a cluster installer, this means the primary node).