EDR: Will sensor record new events after disk filled up due to event submission failure to server?
search cancel

EDR: Will sensor record new events after disk filled up due to event submission failure to server?

book

Article ID: 287509

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

EDR: Will sensor record new events after disk filled up due to event submission failure to server?

Environment

  • EDR sensor: All supported versions

Resolution

No, new events would be dropped and the old events are kept.

Additional Information

  • Once a sensor gets a 200 for reserve calls, it submits the data to the server via a submit2 call and deletes the event data locally.
  • Once a sensor gets a 400/500 error from the server where it can't submit, it will hold the events to disk up until the set storage size in the sensor groups, 2% of disk or 500MB by default, whichever it hits first.
  • New events would be dropped and the old ones are kept if sensor cannot submit to server.
Powered by Wolken Software