EDR: Sensors offline with HTTP 400 error code
search cancel

EDR: Sensors offline with HTTP 400 error code

book

Article ID: 289057

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Sensors show offline in console
  • Sensor.log shows HTTP 400 error code for communication¬†
  • Sensorcomms.log shows HTTP 400 error code for registration and eventlog submissions

Environment

  • EDR Server: All Supported Versions
  • EDR Sensor: All Supported Versions

Cause

  • HTTP 400 is a 'Bad Message' rejection error from the NGINX web server, because the SSL certificates are not being authenticated succesfully.

Resolution

  1. Validate the registry key HKLM > Software > CarbonBlack > Config has the following set correctly:
    1. SensorBackendServer key must use HTTPS and a validate DNS name or IP address and port
    2. SensorClientCert key must match the Sensor Group specific cert in the sensor_client_certs PSQL table
psql -d cb -p 5002 -c "select * from sensor_client_certs;" &> /tmp/sensor_client_certs.csv

 

Additional Information

  • Examples of a valid SensorBackendServer value: https://1.2.3.4:443 or https://servername:443
  • Newer versions of the sensor no longer store the cert in the registry and have a certficate store