Cb Response: Cb-Event-Forwarder stopped working (API token)

Article ID: 287984

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • No longer seeing events sent to SIEM
  • The following error message is seen with cb-event-forwarder -check
    time="2018-09-02T10:25:10Z" level=error msg="Connection closed: Exception (320) Reason: \"CONNECTION_FORCED - broker forced connection closure with reason 'shutdown'\""
  • The Event Forwarder startup.log contains the following error
    • fatal msg="Could not get cb version: Cb Response Server returned a 401 status code"

Environment

  • Carbon Black Response: All Versions
  • Cb-Event-Forwarder: All Versions

Cause

The API token has been reset.

Resolution

  1. On the server where cb-event-forwarder is installed, run the following in a terminal to confirm the error message
    /usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check
  2. Log in as a Global Admin user and navigate to User Settings > API Token
  3. Copy the API token into /etc/cb/integrations/cb-event-forwarder/cb-event-forwarder.conf
    # The API Token used when querying the Cb Response REST API
    api_token=
  4. Save cb-event-forwarder.conf
  5. Restart Cb Event Forwarder
    • initctl start cb-event-forwarder
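
The log check from step 1 and the token update from steps 3 and 4 can be scripted. This is an added example, not Carbon Black tooling: the function names are hypothetical, file paths are passed as arguments, and the token is read from stdin so it stays out of the process list and shell history.

```shell
# Added example (not vendor code). Function names are hypothetical.

# classify_forwarder_log LOGFILE
# Prints which of the two errors quoted in this article the log contains.
classify_forwarder_log() {
    if grep -q 'Cb Response Server returned a 401 status code' "$1"; then
        echo token_rejected      # stale API token: follow the Resolution steps
    elif grep -q 'CONNECTION_FORCED' "$1"; then
        echo broker_shutdown     # broker closed the connection
    else
        echo unknown
    fi
}

# set_api_token CONF   (new token on stdin)
# Rewrites the existing api_token= line and leaves every other line alone.
# Fails without touching CONF if the token is empty, contains whitespace,
# or CONF has no api_token= line.
set_api_token() {
    conf=$1
    IFS= read -r token || [ -n "$token" ] || return 1
    case $token in
        ''|*[[:space:]]*) return 1 ;;
    esac
    tmp=$(mktemp) || return 1    # mktemp creates the file with mode 0600
    if TOKEN=$token awk '
            /^api_token=/ { print "api_token=" ENVIRON["TOKEN"]; found = 1; next }
            { print }
            END { if (!found) exit 2 }
        ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps CONF owner and mode
    then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

After a successful `set_api_token`, restart the forwarder as in step 5 and re-run the `-check` command from step 1.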