EDR: Events Not Being Sent from Event Forwarder
Article ID: 287384
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Events have stopped flowing to syslog server
- Error in /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log:
time="2019-09-18T01:02:41Z" level=info msg="Successfully uploaded file /var/cb/data/event-forwarder/event-forwarder.2019-09-18T00:57:40.002 to AWS S3 <redacted>-syslog." time="2019-09-18T01:06:05Z" level=error msg="Connection closed: Exception (320) Reason: \"CONNECTION_FORCED - broker forced connection closure with reason 'shutdown'\"" time="2019-09-18T01:06:05Z" level=info msg="Waiting for all workers to exit" time="2019-09-18T01:06:05Z" level=info msg="Worker exiting" time="2019-09-18T01:06:05Z" level=info msg="Worker exiting" time="2019-09-18T01:06:05Z" level=info msg="Worker exiting" time="2019-09-18T01:06:05Z" level=info msg="Worker exiting" time="2019-09-18T01:06:05Z" level=info msg="All workers have exited" time="2019-09-18T01:06:05Z" level=info msg="AMQP loop 0 exited: Exception (320) Reason: \"CONNECTION_FORCED - broker forced connection closure with reason 'shutdown'\". Sleeping for 30 seconds then retrying."
Environment
- EDR: All Versions
- Event Forwarder: All Versions
- RHEL / CentOS: 6.x
- RHEL / CentOS: 7.x
Cause
- Connection to rabbitMQ has been disrupted
Resolution
- Restart the Event Forwarder Service :
- CentOs 6.x :
service cb-event-forwarder restart
- RHEL / CentOS 7.x :
systemctl restart cb-event-forwarder
Feedback
Yes
No
Powered by
