EDR: Where can the days of retention for data be found?
Article ID: 287784
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How do you determine the oldest day of retention on an EDR server?
Environment
- EDR Server: 6 and Higher
- On Premises Server
Resolution
The oldest date of retention correlates with the date of the oldest Solr core which can be found in the UI or via the backend
Sample output:
- From the EDR web interface:
- Left Menu > Navigate to Server Dashboard
- Expand the Sharding field in Storage Statistics.
- The first "Name" value will indicate the date of the oldest core.
- From the command-line:
- Log into a stand-alone EDR server or minion server.
- Execute command:
curl "http://127.0.0.1:8080/solr/admin/cores?action=STATUS&wt=json&indexInfo=false&indent=true" | grep name\":\"cbevents
The first "name" value returned will indicate the date of the oldest core.
Sample output:
"name":"cbevents_2020_11_17_1845", "name":"cbevents_2020_11_20_2325", "name":"cbevents_2020_11_20_2341",
In this example, the oldest event data is stored on the core from November 17, 2020.
Additional Information
- In a clustered environment, the settings need to be checked on each minion node.
- Run the following command on each EDR server to output the maximum event data retention based on number of days:
grep "MaxEventStoreDays" /etc/cb/cb.conf file
Feedback
Yes
No
Powered by
