CB Response: Why do Procend or Procstarts still send from cb-event-forwarder when disabled?

search cancel

CB Response: Why do Procend or Procstarts still send from cb-event-forwarder when disabled?

book

Article ID: 287896

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Why do Procend or Procstarts still send from cb-event-forwarder when disabled?

Environment

Carbon Black Response Server: All Versions
Carbon Black Event Forwarder: All Versions

Resolution

When Procend or Procstart is disabled in the cb-event-forwarder the disabled both events will still send. These event use the alias "process" at the ingress of the events.

Feedback

thumb_up Yes

thumb_down No