EDR: How to Temporarily Disable a Minion During OS Level Outage
Article ID: 287979
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How to temporarily disable a minion that has been taken down due to an OS level outage
Environment
- EDR Server: All Versions
Resolution
1) open for editing /etc/cb/cluster.conf
2) Comment out all lines for the problematic minion
#[Minion X]
#Host=
#User=
#HasEvents
#ReadOnly
3) Adjust the NodeCount= line down by one
4) Save the file
5) Delete the following to correct the RabbitMQ starting order
rm -rf /var/cb/data/rabbitmq/mnesia
rm -f /var/cb/.erlang.cookie
2) Comment out all lines for the problematic minion
#[Minion X]
#Host=
#User=
#HasEvents
#ReadOnly
3) Adjust the NodeCount= line down by one
4) Save the file
5) Delete the following to correct the RabbitMQ starting order
rm -rf /var/cb/data/rabbitmq/mnesia
rm -f /var/cb/.erlang.cookie
Additional Information
- All sensors that report to that minion node will be reassigned to other nodes in a load balanced way. Once the minion server is back up and running, you can revert the configuration to add the minion back in. Sensors will again be reassigned. Unfortunately due to load balancing some sensors that were not previously assigned to this minion could now be assigned.
- If the downed minion is replaced with a new machine, please use the /usr/share/cb/cbcluster add-node tool instead
Feedback
Yes
No
Powered by
