EDR: How To Preserve Event Forwarder Log on Restart


Article ID: 287731


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to preserve the existing cb-event-forwarder.log across a restart of the Event Forwarder so that it stays available for troubleshooting. By default the service starts the forwarder with its output redirected to the log file, and that redirect truncates the file on every start.

Environment

  • EDR Server:  All Supported Versions
  • CB Event-Forwarder:  3.7 and Below

Resolution

Note: As of version 3.8, logs are preserved automatically; the steps below are only needed on Event Forwarder 3.7 and below.
  1. Edit the Upstart job file /etc/init/cb-event-forwarder.conf and change:
exec /usr/share/cb/integrations/event-forwarder/cb-event-forwarder /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf &> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log
to:
exec sh /usr/share/cb/integrations/event-forwarder/cb-event-forwarder.sh
  2. Create a new file /usr/share/cb/integrations/event-forwarder/cb-event-forwarder.sh with the following content:
#!/bin/bash
# Append the log left behind by the previous run to the backup file, then start
# the forwarder with stdout and stderr redirected to a fresh log. The redirect
# is written as "> file 2>&1" rather than the bash-only "&>" so the script
# behaves the same whichever shell "sh" resolves to.
cat /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log >> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log.backup
exec /usr/share/cb/integrations/event-forwarder/cb-event-forwarder /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf > /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log 2>&1
  3. Stop and start the Event Forwarder to apply the change:
initctl stop cb-event-forwarder
initctl start cb-event-forwarder
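The wrapper above keeps a single .backup file that grows with every restart. The script below is an added example, not the vendor's wrapper: it rotates the previous log to a timestamped copy, keeps only the newest few copies, and then starts the forwarder the same way the wrapper does. The CB_EF_* environment variables and the KEEP count are assumptions introduced for this example so the rotation logic can be exercised on any host; the default paths are the ones the article uses.

```bash
#!/bin/bash
# Added example wrapper for cb-event-forwarder (not the vendor's script).
# Paths default to the article's locations; the CB_EF_* overrides are an
# assumption of this example, not Event Forwarder settings.
LOG_DIR="${CB_EF_LOG_DIR:-/var/log/cb/integrations/cb-event-forwarder}"
LOG_FILE="$LOG_DIR/cb-event-forwarder.log"
FORWARDER_BIN="${CB_EF_BIN:-/usr/share/cb/integrations/event-forwarder/cb-event-forwarder}"
FORWARDER_CONF="${CB_EF_CONF:-/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf}"
KEEP="${CB_EF_KEEP:-5}"   # rotated copies to keep (assumed default for this example)

# rotate_log <logfile> <keep>
# Renames the current log to <logfile>.<UTC timestamp>.backup (adding a
# numeric suffix if that name is already taken, e.g. two restarts in one
# second) and deletes all but the newest <keep> backups.
# Returns 0 when a backup was made, 1 when there was nothing to preserve.
rotate_log() {
  local log="$1" keep="$2" stamp target n
  [ -s "$log" ] || return 1          # log absent or empty: nothing to keep
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  target="$log.$stamp.backup"
  n=0
  while [ -e "$target" ]; do
    n=$((n + 1))
    target="$log.$stamp.$n.backup"
  done
  mv -- "$log" "$target"
  # Prune: list backups newest first, skip the first <keep>, remove the rest.
  ls -1t -- "$log".*.backup 2>/dev/null | tail -n +"$((keep + 1))" | while IFS= read -r old; do
    rm -f -- "$old"
  done
  return 0
}

# count_backups <logfile>
# Prints the number of rotated copies currently present for <logfile>.
count_backups() {
  ls -1 -- "$1".*.backup 2>/dev/null | wc -l | tr -d ' '
}

# Start the forwarder only when the real binary is present, so the script can
# be sourced or dry-run on a host without EDR installed. As in the article's
# wrapper, stdout and stderr go to a fresh log (the redirect truncates it).
if [ -x "$FORWARDER_BIN" ]; then
  rotate_log "$LOG_FILE" "$KEEP" || true
  exec "$FORWARDER_BIN" "$FORWARDER_CONF" > "$LOG_FILE" 2>&1
fi
```

Drop this in place of the article's cb-event-forwarder.sh and it can be started from the same Upstart exec line. A timestamped copy per restart keeps each run's output separate, which is easier to correlate with the time of a crash than one ever-growing backup file.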

Additional Information

The existing log is preserved on each restart by being appended to cb-event-forwarder.log.backup under /var/log/cb/integrations/cb-event-forwarder/. That backup file is never truncated by the wrapper, so it grows with every restart; clear or archive it once the troubleshooting is finished.