EDR: "Event Source Not Connected" when Sensor is installed on 5.8 Kernel
Article ID: 287900
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
After installing a sensor to a machine with a 5.8 kernel, a health message of "Event Source Not Connected" is seen
Environment
- EDR Sensor: 7.0.2 and Below
- Ubuntu
- RHEL 8.x
Cause
Kernel 5.8 is not supported with older versions of the sensor
Resolution
- This issue is resolved in sensor version 7.0.3
- If upgrade is not an option, the only workaround is to downgrade the kernel to 5.4.0-26
- Install the kernel 5.4.0-26 kernel
apt install linux-image-5.4.0-26-generic
- Reboot the machine and press and hold "Shift" during the boot process to access the GRUB menu
- Note: Make note of the options for step 2 and 3. These will be used in the grub config later to set this as the default kernel. First option is 0 then 1,2,3. etc.
- Select Advanced Options and select the 5.4.0-26 kernel
- Start the system
- Open a terminal session and edit the /etc/default/grub file
- Find the GRUB_DEFAULT= and enter the menu steps. see Additional Notes for example
- GRUB_DEFAULT="1>2"
- Save the file, then run
sudo update-grub
- On reboot, confirm the kernel version
uname -r
Additional Information
- Official Support is provided for Ubuntu Generic kernels such as 18.04 to 20.04 GA kernels.
- 5.8 HWE kernel support is currently set for the 7.0.3 release pending any findings. Please follow the supported matrix and release notes for supported updates.
- To reset the kernel to the default/latest. Return GRUB_DEFAULT=0 in steps 5-6 and follow step 7 to set this permanently
Grub Menu Example
| Menu Option | Selection |
|---|---|
| Ubuntu | 0 |
| Advanced Options for Ubuntu | 1 |
| Memory Test | 2 |
| Menu Option | Selection |
|---|---|
| Ubuntu, with Linux 5.8 | 0 |
| Ubuntu, with Linux 5.8 (recovery) | 1 |
| Ubuntu, with Linux 5.4 | 2 |
| Ubuntu, with Linux 5.4 (recovery) | 3 |
Feedback
Yes
No
Powered by
