EDR: Watchlists not Alerting Due to Full /var/log/cb

Article ID: 287997

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Watchlists are not alerting or sending emails
  • df -h shows that the /var/log/cb mount is full
  • log files under /var/log/cb/ are no longer receiving new lines

Environment

  • EDR Server: All Versions

Cause

The product is unable to write its log files, which prevents watchlist alerting from firing.

Resolution

  1. Remove any file over 7 days old under /var/log/cb
    find /var/log/cb/ -type f -mtime +7 -exec rm -f {} \;
  2. Check the size of the current log files (du -h prints human-readable sizes such as 1.2G, so sort them with -h rather than -n, otherwise the ordering is wrong)
    find /var/log/cb -type f -exec du -skh {} \; | sort -rh -k 1 | head -20
  3. Remove any large offenders. If a large file is the current log file being written (one without a date in its file name), delete the file and then restart the services so that log rollover is reset.
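The three resolution steps above, plus a usage check that warns before the mount actually fills, as an added shell example (not part of the original article or the Carbon Black product). It assumes the directory is passed as an argument (defaulting to /var/log/cb), so the functions can be rehearsed on a scratch directory first, and it assumes rolled-over log names carry a date in YYYYMMDD or YYYY-MM-DD form; the service restart itself is left to the administrator.

```shell
#!/bin/sh
# Added example, not from the original article: the resolution steps as
# functions over an arbitrary directory (LOG_DIR defaults to /var/log/cb).

LOG_DIR="${LOG_DIR:-/var/log/cb}"

# Percent of the filesystem holding DIR that is in use (df -P gives the
# POSIX one-line-per-filesystem layout, column 5 is "Use%").
mount_usage_pct() {
    df -P "$1" | awk 'NR==2 { sub("%", "", $5); print $5 }'
}

# Exit 0 when usage is at or above THRESHOLD percent (default 90).
# Use this as a monitoring check: the article's symptom, silent watchlists,
# only shows up once the mount is completely full.
mount_nearly_full() {
    dir="$1"; threshold="${2:-90}"
    [ "$(mount_usage_pct "$dir")" -ge "$threshold" ]
}

# Step 1: delete files under DIR older than DAYS days (default 7).
prune_old_logs() {
    dir="$1"; days="${2:-7}"
    find "$dir" -type f -mtime +"$days" -exec rm -f {} \;
}

# Step 2: print the N largest files under DIR, largest first, as "KiB<TAB>path".
# du -k reports whole KiB so a plain numeric sort is correct; human-readable
# sizes (1.2G, 900M) would need sort -h instead.
largest_files() {
    dir="$1"; n="${2:-20}"
    find "$dir" -type f -exec du -k {} \; | sort -rn -k1,1 | head -n "$n"
}

# Step 3 helper: a file whose name carries no date is assumed to be an active
# log (assumption: rolled-over logs are named with YYYYMMDD or YYYY-MM-DD).
# Deleting an active log must be followed by a service restart so that the
# process reopens its log file and rollover is reset.
is_active_log() {
    case "$(basename "$1")" in
        *[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]*) return 1 ;;
        *[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone run: report usage, prune, and list the largest remaining files.
if [ "${1:-}" = "run" ]; then
    echo "usage of $LOG_DIR: $(mount_usage_pct "$LOG_DIR")%"
    prune_old_logs "$LOG_DIR" 7
    largest_files "$LOG_DIR" 20 | while read -r kib path; do
        if is_active_log "$path"; then tag="ACTIVE (restart services if removed)"; else tag="rolled"; fi
        printf '%8s KiB  %s  [%s]\n' "$kib" "$path" "$tag"
    done
fi
```

Invoke as `LOG_DIR=/var/log/cb sh cleanup.sh run` on the EDR server, or source the file and call `mount_nearly_full /var/log/cb 90` from a cron job to get a warning before the mount fills and alerting stops.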