Cb Response: Cb-Event-Forwarder stopped working (API token)
Article ID: 287984
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- No longer seeing events sent to SIEM
- The following error message is seen with cb-event-forwarder -check
time="2018-09-02T10:25:10Z" level=error msg="Connection closed: Exception (320) Reason: \"CONNECTION_FORCED - broker forced connection closure with reason 'shutdown'\""
- The Event Forwarder startup.log contains the following error
-
fatal msg="Could not get cb version: Cb Response Server returned a 401 status code"
-
Environment
- Carbon Black Response: All Versions
- Cb-Event-Forwarder: All Versions
Cause
API token has been reset
Resolution
- Run the following in Terminal of the server with cb-event-forwarder installed to confirm the error message
/usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check
- Log in as a Global Admin user and navigate to User Settings > API Token
- Copy the API token into /etc/cb/integrations/cb-event-forwarder/cb-event-forwarder.conf
# The API Token used when querying the Cb Response REST API api_token=
- Save cb-event-forwarder.conf
- Restart Cb Event Forwarder
-
initctl start cb-event-forwarder
-
Feedback
Yes
No
Powered by
