Enterprise EDR: How To Confirm the Sensor is Observing and Uploading Events / Batches


Article ID: 288002


Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

This article describes how to check whether the sensor is correctly storing and uploading event batches.

Environment

  • Carbon Black Enterprise EDR Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Resolution

  1. Run the following repcli command:
    repcli displayevents -stream CbEventPscPrettyJson
  2. Confirm that psc_eventbatch* files are being written to C:\ProgramData\CarbonBlack\Events
    • This means that the sensor is consolidating/compressing the minibatch files
  3. Verify that psc_eventbatch* files are being deleted every ~5 minutes
    • This indicates they've been successfully uploaded to the PSC backend
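
Steps 2 and 3 can be checked without watching the folder by hand. The PowerShell script below is an added example, not code from the vendor or from the original article; the watch window, polling interval and staleness threshold are assumed values, and reading the folder may require an elevated prompt (assumption).

```powershell
# Added example (not vendor code): watch the event folder for psc_eventbatch* churn.
# Path and file pattern are from the article; all timing values are assumptions.
param(
    [string]$EventDir  = 'C:\ProgramData\CarbonBlack\Events',
    [string]$Pattern   = 'psc_eventbatch*',
    [int]$WatchMinutes = 15,  # assumed: spans a few ~5 minute upload cycles
    [int]$PollSeconds  = 10,  # assumed polling interval
    [int]$StaleMinutes = 10   # assumed: older batches suggest uploads are stuck
)
if (-not (Test-Path -LiteralPath $EventDir)) { throw "Event directory not found: $EventDir" }

$seen = @{}; $current = @{}   # file name -> first-seen time / current FileInfo
$created = 0; $deleted = 0; $firstPass = $true
$deadline = (Get-Date).AddMinutes($WatchMinutes)

while ((Get-Date) -lt $deadline) {
    $now = Get-Date
    $current = @{}
    Get-ChildItem -LiteralPath $EventDir -Filter $Pattern -File -ErrorAction Stop |
        ForEach-Object { $current[$_.Name] = $_ }

    # Step 2: new batch files mean the sensor is consolidating minibatches.
    foreach ($name in $current.Keys) {
        if ($seen.ContainsKey($name)) { continue }
        $seen[$name] = $now
        if ($firstPass) { continue }   # files already present are a baseline, not counted
        $created++
        Write-Output ("{0:HH:mm:ss} created {1}" -f $now, $name)
    }
    # Step 3: a batch file that disappears is taken as uploaded to the backend.
    foreach ($name in @($seen.Keys)) {
        if ($current.ContainsKey($name)) { continue }
        $age = [int]($now - $seen[$name]).TotalSeconds
        $seen.Remove($name); $deleted++
        Write-Output ("{0:HH:mm:ss} deleted {1} after ~{2}s observed" -f $now, $name, $age)
    }
    $firstPass = $false
    Start-Sleep -Seconds $PollSeconds
}

$cutoff = (Get-Date).AddMinutes(-$StaleMinutes)
$stale  = @($current.Values | Where-Object { $_.LastWriteTime -lt $cutoff })
Write-Output "Summary: $created created, $deleted deleted, $($stale.Count) older than $StaleMinutes min"
if ($created -eq 0) { Write-Warning 'No new psc_eventbatch* files were written during the watch.' }
if ($deleted -eq 0) { Write-Warning 'No psc_eventbatch* files were removed; uploads may be failing.' }
if ($stale.Count -gt 0) { Write-Warning 'Old batch files are lingering in the event folder.' }
```

On a host that stores events in a different folder, pass that folder with -EventDir.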

Additional Information

  • On 3.4 sensors, events were stored in C:\Program Files\Confer\Events
  • To force an immediate upload, run the command:
    repcli cloud PscReport