EDR: How to Collect Raw Sensor Events at the Server
Article ID: 287941
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How to Collect Raw Sensor Events at the Server
Environment
- EDR Server: All Supported Versions
Resolution
- Collecting for All Sensors:
- Create a new file. /etc/cb/datastore/archive.properties with the following:
cbfs-http.log-archive.type=filesystem cbfs-http.log-archive.filesystem.location=/var/log/cb/archive cbfs-http.log-archive.filesystem.queue-size=100
- Create a new file. /etc/cb/datastore/archive.properties with the following:
- Collecting for Specific Sensor(s). 7.1.1 Server or Higher Only
- In this example, sensor ID's are 1 and 4. ID's will be comma delimited
- Create a new file. /etc/cb/datastore/archive.properties with the following:
cbfs-http.log-archive.type=filesystem cbfs-http.log-archive.filesystem.location=/var/log/cb/archive cbfs-http.log-archive.filesystem.queue-size=100 sensor-list:1,4
- Restart Services: EDR: How to restart server services
- After data collection, rename or delete the configuration file and restart services again to stop the verbose logging
Additional Information
- This feature is used to help investigate possible missing data in the Server UI or sent via CB-Event-Forwarder to a SIEM.
Feedback
Yes
No
Powered by
