EDR: No Audit Logs in Audit Logs folder
Article ID: 286208
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Log files are missing from the /var/log/cb/audit directory
Environment
EDR: 6.2.x and Higher
Cause
A configuration file could be missing data
Resolution
Possible Resolutions
- Copy the /etc/rsyslog.conf configuration from a working server
- Check that EnableAuditLogsToEvents=True is in the cb.conf file
- Check for lines missing from the /etc/rsyslog.d/cb-coreservices.conf file
- Confirm that /etc/rsyslog.d/cb-logrotate.conf has settings for the missing log files
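The checks above can be scripted. The following is an added example, not vendor code: it assumes cb.conf is at /etc/cb/cb.conf and that REF_DIR (a hypothetical variable) points to a directory holding the same files copied from a working EDR server, laid out as etc/....

```shell
#!/bin/sh
# Added example (not vendor code). Assumptions: cb.conf is at /etc/cb/cb.conf,
# and the reference directory holds copies taken from a working EDR server.

# True when cb.conf has an uncommented EnableAuditLogsToEvents=True line.
audit_events_enabled() {
    grep -Eq '^[[:space:]]*EnableAuditLogsToEvents[[:space:]]*=[[:space:]]*True[[:space:]]*$' \
        "$1" 2>/dev/null
}

# Print active (non-blank, non-comment) lines present in reference $2 but not in $1.
missing_lines() {
    cur=$1
    [ -r "$cur" ] || cur=/dev/null   # absent file: every reference line is missing
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line == "" || line ~ /^#/ { next }
        FILENAME == ARGV[1] { have[line] = 1; next }
        !(line in have) { print line }
    ' "$cur" "$2"
}

# $1 = filesystem root ("" on a live server), $2 = reference directory.
# Prints findings and returns the number of failed checks.
check_audit_logging() {
    root=$1 ref=$2 fails=0
    if ! audit_events_enabled "$root/etc/cb/cb.conf"; then
        echo "cb.conf: EnableAuditLogsToEvents=True is not set"
        fails=$((fails + 1))
    fi
    for f in etc/rsyslog.conf etc/rsyslog.d/cb-coreservices.conf \
             etc/rsyslog.d/cb-logrotate.conf; do
        [ -r "$ref/$f" ] || continue   # no reference copy, nothing to compare
        gaps=$(missing_lines "$root/$f" "$ref/$f")
        if [ -n "$gaps" ]; then
            echo "/$f is missing:"
            echo "$gaps" | sed 's/^/    /'
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Runs only when REF_DIR is set, e.g. REF_DIR=/root/edr-reference sh check.sh
if [ -n "${REF_DIR:-}" ]; then check_audit_logging "" "$REF_DIR"; fi
```

Lines reported for /etc/rsyslog.conf may be legitimate per-server differences, so review them before copying the file over.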