EDR: Partial or Truncated Messages using Syslog/Event Forwarder


Article ID: 287752




Carbon Black EDR (formerly Cb Response)


Issue

  • Messages sent from the EDR server to the SIEM are incomplete or truncated.
  • A message similar to the following appears in /var/log/cb/notifications/cb-all-notifications.log. Note the gap between <warning> and the following line, which starts with "..." where the beginning of the message has been cut off:
    <warning>...f6b242fb5' alliance_score_tor='30' alliance_link_tor='http://www..org' alliance_updated_srstrust='2014-10-07T00:29:07.000Z' alliance_updated_tor='2016-12-9:T13:15:13.000Z' alliance_data_tor='TOR-Node-XXX.XX.XX.XX'


Environment

  • EDR Server: All Versions
  • CB Event Forwarder: All Versions


Cause

  • By default, MaxSyslogSenderMessageSize in /etc/cb/cb.conf is left at rsyslog's default message size, which is too small for long notification messages, so rsyslog cuts them off before they reach the SIEM.


Resolution

  1. Use an editor to modify /etc/cb/cb.conf. Find the MaxSyslogSenderMessageSize setting and set its value to 4096. Make sure to remove the comment character (#) so the line is active.
  2. Add the following parameter to the top of /etc/rsyslog.conf, under the "#### Modules ####" section:
    $MaxMessageSize 4096
  3. Restart the services:
    1. Syslog
      service rsyslog restart
    2. Event Forwarder
      initctl start cb-event-forwarder
      initctl stop cb-event-forwarder
  4. Restart the EDR services (see EDR: How to Restart Server Services).
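The following script is an added example, not part of this article or of the Carbon Black product: it checks the two settings changed in the steps above and counts notification lines carrying the "..." truncation signature, so the fix can be verified before and after the restart. It reads file paths as arguments; the three sample files it creates are constructed, not real server output.

```sh
#!/bin/sh
# Added example (not from the article): verify the rsyslog and cb.conf settings
# changed in the steps above and count truncated notification lines.
# Effective $MaxMessageSize in bytes from an rsyslog.conf (0 if unset or commented).
rsyslog_max_message_size() {
    awk '$1 == "$MaxMessageSize" {
             v = $2
             if (v ~ /[kK]$/) { sub(/[kK]$/, "", v); v = v * 1024 }
             size = v + 0
         }
         END { print size + 0 }' "$1"
}

# Active (uncommented) MaxSyslogSenderMessageSize from cb.conf (0 if unset).
cb_sender_message_size() {
    awk -F= '$1 ~ /^[ \t]*MaxSyslogSenderMessageSize[ \t]*$/ { size = $2 + 0 }
             END { print size + 0 }' "$1"
}

# Lines whose body starts with "..." right after the severity tag (the truncation signature).
count_truncated_notifications() {
    grep -c '<[a-z]*>\.\.\.' "$1" || true
}

# Succeeds when both settings are at least the 4096 the article prescribes.
settings_ok() {
    [ "$(rsyslog_max_message_size "$1")" -ge 4096 ] &&
    [ "$(cb_sender_message_size "$2")" -ge 4096 ]
}

# Constructed sample files, not real server files.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/rsyslog.conf" <<'EOF'
#### Modules ####
$MaxMessageSize 4096
EOF
cat > "$tmp/cb.conf" <<'EOF'
#MaxSyslogSenderMessageSize=1024
MaxSyslogSenderMessageSize=4096
EOF
cat > "$tmp/cb-all-notifications.log" <<'EOF'
<warning>...f6b242fb5' alliance_score_tor='30' alliance_link_tor='http://www..org'
<warning>feed_id=12 alliance_score_tor='30' (complete line, constructed)
<info>complete notification line (constructed)
EOF
settings_ok "$tmp/rsyslog.conf" "$tmp/cb.conf" && echo "settings ok" || echo "settings too small"
echo "truncated lines: $(count_truncated_notifications "$tmp/cb-all-notifications.log")"
```

Run it against the real /etc/rsyslog.conf, /etc/cb/cb.conf and notifications log by passing those paths to the functions; a non-zero truncated count after the change means the forwarder or rsyslog was not restarted.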

Additional Information

Be sure to also check message rate limiting, covered in this document - EDR: Syslog Notifications are being sent due to rate limiting