Carbon Black Cloud: Large number of event batch files on Linux

Article ID: 286138

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Large number of files named 'bulk_########' seen in /opt/carbonblack/psc/blades/E51C4A7E-2D41-4F57-99BC-6AA907CA3B40/behavior-events
  • Sensor exceeding OER for disk space

Environment

  • Carbon Black Cloud Sensor: 2.9.x.x - 2.12.x
  • Linux: All Supported Versions

Cause

The sensor has an issue purging old event batch files after they are uploaded to the Cloud.

Resolution

Upgrade the sensor to 2.13.1 or higher, where this has been corrected (PSCLNX-9662).

Additional Information

If it is not possible to upgrade soon, the following can be done in the interim:
  1. Stop the agent
  2. Remove the backlog of messages (the files inside the directory, not the directory itself)
    rm -f /var/opt/carbonblack/psc/blades/E51C4A7E-2D41-4F57-99BC-6AA907CA3B40/behavior-events/*
  3. Restart the agent
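
To confirm a host is affected, and to verify the directory is empty after the interim cleanup, the backlog can be measured first. The script below is an added example, not part of the vendor article or the sensor: the function names, the `EVENTS_DIR` and `BACKLOG_LIMIT` variables and the 1000-file threshold are assumptions for illustration.

```shell
#!/bin/sh
# Added example: measure the bulk_* backlog in a behavior-events directory.
# The default path is the one used by the cleanup command in this article
# (the Issue section lists it under /opt instead; set EVENTS_DIR to
# whichever exists on the host). The 1000-file limit is an assumed value.

EVENTS_DIR_DEFAULT="/var/opt/carbonblack/psc/blades/E51C4A7E-2D41-4F57-99BC-6AA907CA3B40/behavior-events"

# Print the number of regular files named bulk_* directly inside $1.
# find is used instead of a shell glob so a very large backlog cannot
# overflow the argument list.
backlog_count() {
    find "$1" -maxdepth 1 -type f -name 'bulk_*' 2>/dev/null | wc -l | tr -d ' '
}

# Print the total size in bytes of those files.
backlog_bytes() {
    find "$1" -maxdepth 1 -type f -name 'bulk_*' -exec wc -c {} + 2>/dev/null |
        awk '$2 != "total" { sum += $1 } END { print sum + 0 }'
}

# Print a one-line summary for directory $1 with file limit $2.
# Returns 0 if the count is within the limit, 1 if it exceeds it,
# and 2 if the directory does not exist.
backlog_status() {
    dir=$1
    limit=${2:-1000}
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 2
    fi
    count=$(backlog_count "$dir")
    bytes=$(backlog_bytes "$dir")
    echo "dir=$dir count=$count bytes=$bytes limit=$limit"
    [ "$count" -le "$limit" ]
}

# Report on the configured directory; the status is printed, not fatal.
backlog_status "${EVENTS_DIR:-$EVENTS_DIR_DEFAULT}" "${BACKLOG_LIMIT:-1000}" || true
```

Run it as root, since the sensor's data directory is normally not readable by other users.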