Confirm the sensor is Observing and Uploading Events / Batches
search cancel

Confirm the sensor is Observing and Uploading Events / Batches

book

Article ID: 288002

calendar_today

Updated On:

Products

Carbon Black Cloud Enterprise EDR

Issue/Introduction

Instructions on how to check if the sensor is correctly storing and uploading event batches.

Environment

  • Carbon Black Cloud Console: Current Version
  • Carbon Black Cloud Windows Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Resolution

  1. Run repcli command: 
    repcli displayevents -stream CbEventPscPrettyJson
  2. Confirm that psc_eventbatch* files are being written to C:\ProgramData\CarbonBlack\Events
    • This means that the sensor is consolidating/compressing the minibatch files
  3. Verify that psc_eventbatch* files are being deleted every ~5 minutes
    • This indicates they've been successfully uploaded to the PSC backend

Additional Information

  • On sensors 3.4 events were stored in C:\Program Files\Confer\Events
  • To force immediate upload run command: 
    repcli cloud PscReport
Powered by Wolken Software