CB Response: Syslog Integration Missing Some Messages

Article ID: 287710

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Missing messages in the syslog integration: some, but not all, messages are received, and the missing messages are not confined to a single event type.
  • Errors in /var/log/messages on the server:
    imuxsock lost <number> messages from pid <process_id> due to rate-limiting

Environment

  • CB Response Server: All Versions
  • Syslog Integration configured

Cause

  • rsyslog's imuxsock module (the input that reads the local /dev/log socket) rate-limits messages per sending process by default (typically a burst of 200 messages per 5-second interval from one pid). When the CB Response server emits events faster than that, imuxsock discards the excess before they reach the local log files or the external syslog integration and records only the "imuxsock lost <number> messages" line above. The dropped messages are gone; they cannot be recovered from rsyslog.

Resolution

Disable rsyslog rate limiting:
  1. Log into the command line of the master server.
  2. Stop the CB Response services.
  3. Edit /etc/rsyslog.conf.
  4. Locate "$ModLoad imuxsock" and add these 2 lines directly below it:
$SystemLogRateLimitInterval 0 
$SystemLogRateLimitBurst 1000
  5. Save the file and exit to the command line.
  6. Restart rsyslog (as root):
# service rsyslog restart
     On systemd-based hosts use "systemctl restart rsyslog" instead.
  7. Start the CB Response services.

Notes:
  • An interval of 0 turns imuxsock rate limiting off entirely; the burst value is then not applied. To keep a safety limit rather than remove it, leave the interval at its default and raise only $SystemLogRateLimitBurst.
  • If the file uses the newer module(load="imuxsock" ...) syntax instead of "$ModLoad imuxsock", the equivalent parameters are SysSock.RateLimit.Interval and SysSock.RateLimit.Burst.
  • On systemd-based hosts, systemd-journald has its own per-service rate limit (RateLimitIntervalSec and RateLimitBurst in /etc/systemd/journald.conf) that can drop messages before rsyslog ever sees them; check the journal for "Suppressed <number> messages" lines as well.
  • After restarting, confirm that no new "imuxsock lost" lines appear in /var/log/messages while the integration runs under normal load.
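The following script is an added example, not part of this article or of the CB Response product. It covers both the diagnosis (summing the messages the "imuxsock lost ..." error lines say were dropped) and the resolution above (inserting the two directives directly below "$ModLoad imuxsock", with a backup, and refusing to insert them twice). The file paths are parameters so it can be tried on a copy of rsyslog.conf first; the log lines used in the usage comment are constructed samples.

```shell
#!/bin/sh
# Added example (not from the KB article): diagnose imuxsock rate-limit drops
# and apply the article's rsyslog.conf change idempotently.

# Sum the messages rsyslog reports as lost to rate-limiting in a log file.
# Matches lines of the form (constructed sample):
#   ... rsyslogd-2177: imuxsock lost 350 messages from pid 4242 due to rate-limiting
count_lost_messages() {
    awk '/imuxsock lost [0-9]+ messages from pid [0-9]+ due to rate-limiting/ {
             for (i = 1; i <= NF; i++) if ($i == "lost") total += $(i + 1)
         }
         END { print total + 0 }' "$1"
}

# Print the configured $SystemLogRateLimitInterval value, or "unset" if the
# directive is absent (0 means rate limiting is disabled).
rate_limit_interval() {
    awk '/^\$SystemLogRateLimitInterval/ { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Insert the two rate-limit directives directly after "$ModLoad imuxsock"
# in the given rsyslog.conf, unless they are already present. Keeps a .bak copy.
disable_rate_limiting() {
    conf="$1"
    if grep -q '^\$SystemLogRateLimitInterval' "$conf"; then
        echo "rate-limit directives already present in $conf"
        return 0
    fi
    if ! grep -q '^\$ModLoad imuxsock' "$conf"; then
        echo "no \$ModLoad imuxsock line in $conf (newer module() syntax?)" >&2
        return 1
    fi
    cp "$conf" "$conf.bak"
    awk '{ print }
         /^\$ModLoad imuxsock/ {
             print "$SystemLogRateLimitInterval 0"
             print "$SystemLogRateLimitBurst 1000"
         }' "$conf.bak" > "$conf"
}

# Usage: sh fix_rsyslog_ratelimit.sh /etc/rsyslog.conf [/var/log/messages]
# With no arguments only the functions are defined, so the file can be sourced.
if [ $# -ge 1 ]; then
    log="${2:-/var/log/messages}"
    echo "messages lost to rate-limiting so far: $(count_lost_messages "$log")"
    disable_rate_limiting "$1" && \
        echo "SystemLogRateLimitInterval is now: $(rate_limit_interval "$1")"
fi
```

Run it against a copy of /etc/rsyslog.conf first, then for real as root with the CB Response services stopped, and restart rsyslog afterwards as in step 6; the script deliberately does not restart services itself.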