EDR: CBstats CSV file stops writing logs
Article ID: 288649
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- CBStats with output.format CSV stops writing information to the log file.
- It is generally observed when the logfile rotates.(usually at midnight)
- The issue was first observed on 7.4.2, and is continued in 7.5
Environment
- EDR server: 7.4 & 7.5
Cause
The cbstats output is failing to handle HUP (Hang-up) signals to rotate and point to new file descriptors as set after the rotation.
Resolution
- The issue is being tracked under CB-36825 and will be fixed in future release.
- As a workaround cb-logrotate.conf can be updated:
1. Edit /etc/cb/cb-logrotate.conf :
- Update /var/log/cb/cli/.log* to /var/log/cb/cli/cli.log (in first section of all the service logs)
- Add another file to the list (/var/log/cb/cli/cbstats.log) :
/var/log/cb/job-runner/*.out /var/log/cb/allianceclient/*.out /var/log/cb/coreservices/*.out /var/log/cb/unifiedview/*.out /var/log/cb/sensorservices/*.out /var/log/cb/cbfs-solr/*.out /var/log/cb/enterprise/*.out /var/log/cb/liveresponse/*.out /var/log/cb/solr/*.out /var/log/cb/datastore/*.out /var/log/cb/datagrid/*.out /var/log/cb/cli/cbstats.log
- Save & Quit.
2. Empty out and/or copy over all the existing cbstats.log* from /var/log/cb/cli/
3. Execute:
logrotate --force -d /etc/cb/cb-logrotate.conf
Feedback
Yes
No
Powered by
