EDR: Process Analysis Displays HTTP 404 when Pulling Sensor Data after Loading Cold Partitions
search cancel

EDR: Process Analysis Displays HTTP 404 when Pulling Sensor Data after Loading Cold Partitions

book

Article ID: 287651

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

After mounting cold Solr cores to investigate events older than 30 days, EDR Console presents HTTP 404 on the Process Analysis page.

Environment

  • EDR Servers:  7.x.x

Cause

The cb.conf variable 'SensorLookupInactiveFilterDays' is set or the EDR Console "Sensor Display Settings" is configured. These settings limit the sensors being searched and their associated event data.

Resolution

  • Comment out 'SensorLookupInactiveFilterDays' in /etc/cb/cb.conf to view older sensors and their data.   Repeat for each EDR server and restart cb-enterprise/cbcluster services.
  • Increase the "Sensor Display Settings" to a number of days that would include the sensor's event data under investigation.

Additional Information

  • https://community.carbonblack.com/t5/Knowledge-Base/EDR-Server-Automatically-Filter-Inactive-Sensors-from-the-User/ta-p/42833
  • https://community.carbonblack.com/t5/Knowledge-Base/EDR-Selecting-an-Event-From-the-Alerts-Page-Results-in-a-404/ta-p/36108
  • https://community.carbonblack.com/t5/Knowledge-Base/EDR-Events-from-newer-alerts-produce-404s/ta-p/34067
  • https://community.carbonblack.com/t5/Knowledge-Base/EDR-Getting-404-On-A-Sensor-Page/ta-p/66121
Powered by Wolken Software