EDR: Delay in Event Forwarder Events to the SIEM
Article ID: 288027
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Delay in events coming from the event forwarder to the SIEM
Other symptoms include High Memory usage
Other symptoms include High Memory usage
Environment
- EDR: All Versions
- Cb-Event-Forwarder: 3.6.2 and lower
Cause
Compression is backing up the queue due to too many events
Resolution
Upgrade cb-event-forwarder to 3.6.3 or higher
Additional Information
- 3.6.3 has a new compression algortithm that is able to better handle high volume environments.
- The delay comes from the compression of the events before they get out, a queue grows over time and usually examplifies high memory usuage
Feedback
Yes
No
Powered by
