EDR: Partial or Truncated Messages using Syslog/Event Forwarder
Article ID: 287752
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Messages being sent to from the EDR server to the SIEM are incomplete or truncated.
- You will see a similar message in /var/log/cb/notifications/cb-all-notifications.log. Specifically noting the gap between <warning> and the next line starting with "..."
<warning>...f6b242fb5' alliance_score_tor='30' alliance_link_tor='http://www..org' alliance_updated_srstrust='2014-10-07T00:29:07.000Z' alliance_updated_tor='2016-12-9:T13:15:13.000Z' alliance_data_tor='TOR-Node-XXX.XX.XX.XX'
Environment
- EDR Server: All Versions
- CB Event Forwarder: All Versions
Cause
- By default, MaxSyslogSenderMessageSize is set to the default value of rsyslog.
Resolution
- Use an editor to modify /etc/cb/cb.conf. Find the following configuration and set the values to 4096. Make sure to remove the comment (#)
MaxSyslogSenderMessageSize= MaxCbLoggingMessageSize=
- Add the following parameter to the top of the /etc/rsyslog.conf under the "#### Modules ####" section:
$MaxMessageSize 4096
- Restart the Service:
- Syslog
service rsyslog restart
- Event Forwarder
initctl start cb-event-forwarder initctl stop cb-event-forwarder
- Syslog
- Restart EDR Services - EDR: How to Restart Server Services
Additional Information
Be sure to also check on message rate limiting in the this document - EDR: Syslog Notifications are being sent due to rate limiting
Feedback
Yes
No
Powered by
