EDR: Sensors offline with HTTP 400 error code
Article ID: 289057
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Sensors show offline in console
- Sensor.log shows HTTP 400 error code for communication
- Sensorcomms.log shows HTTP 400 error code for registration and eventlog submissions
Environment
- EDR Server: All Supported Versions
- EDR Sensor: All Supported Versions
Cause
- HTTP 400 is a 'Bad Message' rejection error from the NGINX web server; it is returned because the SSL certificates are not being authenticated successfully.
Resolution
- Validate that the registry key HKLM > Software > CarbonBlack > Config has the following set correctly:
  - The SensorBackendServer key must use HTTPS with a valid DNS name or IP address, and a port
  - The SensorClientCert key must match the Sensor Group specific cert in the sensor_client_certs PSQL table
psql -d cb -p 5002 -c "select * from sensor_client_certs;" &> /tmp/sensor_client_certs.csv
Additional Information
- Examples of a valid SensorBackendServer value: https://1.2.3.4:443 or https://servername:443
- Newer versions of the sensor no longer store the cert in the registry; they use a certificate store instead
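The checks from the Resolution section can be scripted on an affected Windows endpoint. The following is an added example, not part of the original article or a vendor tool; the registry path and value names come from the article, while the `-ExpectedCertFile` parameter and the assumption that SensorClientCert is stored as text are hypothetical.

```powershell
# Added example: checks the two sensor registry values named in this article.
param(
    # Hypothetical input: text file with the cert copied from the Sensor Group's
    # row in sensor_client_certs on the server.
    [string]$ExpectedCertFile
)

# Key path and value names as given in the article.
$keyPath = 'HKLM:\SOFTWARE\CarbonBlack\Config'

function Test-SensorBackendServer {
    param([string]$Value)
    # Emits one string per problem found; emits nothing when the value is valid.
    $uri = $null
    if (-not [System.Uri]::TryCreate($Value, [System.UriKind]::Absolute, [ref]$uri)) {
        "not an absolute URL: '$Value'"
        return
    }
    if ($uri.Scheme -ne 'https') { "scheme is '$($uri.Scheme)', must be https" }
    # Require an explicit port, as in the article's examples (https://servername:443).
    if ($Value -notmatch '^[a-z]+://[^/]+:\d+/?$') { 'no explicit port (expected host:port)' }
    # A DNS name must resolve from this endpoint; IP literals resolve to themselves.
    try { [void][System.Net.Dns]::GetHostAddresses($uri.DnsSafeHost) }
    catch { "host '$($uri.DnsSafeHost)' does not resolve from this machine" }
}

$cfg = Get-ItemProperty -Path $keyPath -ErrorAction Stop
$problems = @(Test-SensorBackendServer -Value $cfg.SensorBackendServer)
if ($problems.Count -eq 0) { "SensorBackendServer OK: $($cfg.SensorBackendServer)" }
else { $problems | ForEach-Object { "SensorBackendServer: $_" } }

$cert = $cfg.SensorClientCert
if ([string]::IsNullOrWhiteSpace($cert)) {
    # Newer sensors keep the cert in a certificate store, not the registry.
    'SensorClientCert: not present in the registry'
} elseif ($ExpectedCertFile) {
    # Compare with whitespace removed (assumes both sides use the same text encoding).
    $expected = (Get-Content -Raw -Path $ExpectedCertFile) -replace '\s', ''
    if (($cert -replace '\s', '') -ceq $expected) { 'SensorClientCert matches the expected cert' }
    else { 'SensorClientCert does NOT match the expected cert' }
} else {
    'SensorClientCert present; pass -ExpectedCertFile to compare it with the server copy'
}
```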