CB Response: Duplicate messages being sent through rsyslog
Article ID: 287783
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Rsyslog showing duplicated messages on SIEM.
- Messages show up twice in the logs with different timestamp formats:
2019-01-24 21:01:18 [9236] <warning> reason=feed.storage.hit type=event process_guid= Jan 24 21:01:18 [9236] <warning> reason=feed.storage.hit type=event process_guid=
Environment
- CB Response Server: All Versions
Cause
This can be due to duplicate entries in the rsyslog conf file: /etc/rsyslog.d/00-cbio-remote.conf
Resolution
- Remove the duplicated setting from the /etc/rsyslog.d/NAME_OF_FILE.conf file. Example below:
# Set up the actions if $programname == 'cb-notifications' then /var/log/cb/notifications/cbio-all-notifications.log;CbLogFormatWithPID $ActionQueueFileName cb_syslog_queue # unique name prefix for spool files $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) $ActionQueueSaveOnShutdown on # save messages to disk on shutdown $ActionQueueType LinkedList # run asynchronously $ActionResumeRetryCount -1 # infinite retries if host is down & @@(o)<IPADDR>;CbLogFormatWithPID & ~ Remove lines starting here ---> if $programname startswith 'cb-notifications-' then /var/log/cb/notifications/cbio-all-notifications.log;CbSyslogStandardFormatWithPID $ActionQueueFileName cb_syslog_queue # unique name prefix for spool files $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) $ActionQueueSaveOnShutdown on # save messages to disk on shutdown $ActionQueueType LinkedList # run asynchronously $ActionResumeRetryCount -1 # infinite retries if host is down & @@(o)<IPADDR>;CbLogFormatWithPID & ~ <--- End after here
- Restart rsyslog services:
service rsyslog restart
Feedback
Yes
No
Powered by
