EDR: Sensors Queueing Data Despite Checking Into Server
Article ID: 287169
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Aggregate sensor data queue growing and not resolved by the following:
- https://community.carbonblack.com/t5/Knowledge-Base/CB-Response-Aggregate-sensor-event-queue-is-growing-too-large/ta-p/68571
- https://community.carbonblack.com/t5/Knowledge-Base/EDR-SOLR-writing-to-drives-is-suddenly-slower-causing-aggregate/ta-p/98397
- https://community.carbonblack.com/t5/Knowledge-Base/EDR-Sensor-Backlog-Grows-Unexpectedly-Large/ta-p/68319
- https://community.carbonblack.com/t5/Knowledge-Base/EDR-Sensor-backlog-growing-with-many-503s-in-Nginx/ta-p/68426
- https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-vacuum-sensor-related-Postgres-tables/ta-p/89869
- https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-reset-Mnesia-for-RabbitMQ/ta-p/64848
Environment
- EDR Server: 7.3.0 and Higher
Cause
Deprecated configuration in /etc/cb/cb.conf that takes away threading to datastore: DatastoreBroadcastEventTypes=*
Resolution
- Remove the deprecated setting "DatastoreBroadcastEventTypes=*" in /etc/cb/cb.conf using CLI text editor of choice.
- Add the following new setting into /etc/cb/cb.conf, if not already enabled:
EnableRawSensorDataBroadcast=True
- Restart cb-enterprise services: https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-Restart-Server-Services/ta-p/41294
Additional Information
- For a cluster, this config change should be applied across all nodes of the cluster.
- If the EDR Event Forwarder is being used, the following additional configurations will need to be enabled in /etc/cb/integrations/event-forwarder/cb_event_forwarder.conf, followed by a restart of the cb-enterprise services:
use_raw_sensor_exchange=true events_raw_sensor=ALL
Feedback
Yes
No
Powered by
