EDR: Event Forwarder sends events larger than 10 KB

search cancel

EDR: Event Forwarder sends events larger than 10 KB

book

Article ID: 288060

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Events sized over 10 KB from the Event Forwarder are unexpectedly not present inside of Splunk.

Environment

EDR Server: 6.x and Above
Event Forwarder: 3.4.5 and Above
Splunk: 6.x and older

Cause

Splunk 6.x and older has a default event size limit of 10 KB. Events from the Event Forwarder larger than 10 KB are ignored and not loaded into the Splunk system.

Resolution

On the server hosting the Event Forwarder, edit:

/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf

Add:

remove_from_output=highlights_by_doc

Restart the Event Forwarder service.

initctl restart cb-event-forwarder

Additional Information

Event size limit can be increased in Splunk

Feedback

thumb_up Yes

thumb_down No