EDR: Sensors offline with HTTP 400 error code

Article ID: 289057

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Sensors show offline in console
  • Sensor.log shows HTTP 400 error code for communication 
  • Sensorcomms.log shows HTTP 400 error code for registration and eventlog submissions

Environment

  • EDR Server: All Supported Versions
  • EDR Sensor: All Supported Versions

Cause

  • HTTP 400 is a 'Bad Message' rejection error from the NGINX web server; it is returned because the SSL certificates are not being authenticated successfully.

Resolution

  1. Validate that the registry key HKLM > Software > CarbonBlack > Config has the following set correctly:
    1. SensorBackendServer key must use HTTPS and a valid DNS name or IP address and port
    2. SensorClientCert key must match the Sensor Group specific cert in the sensor_client_certs PSQL table
       psql -d cb -p 5002 -c "select * from sensor_client_certs;" &> /tmp/sensor_client_certs.csv
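
A read-only PowerShell check for step 1, added here as an example and not part of the vendor's article: it reads the two values from the key path given above and applies the stated format rule to SensorBackendServer. The function name Test-SensorBackendServer and the host:port pattern (which does not cover bracketed IPv6 literals) are assumptions of this example.

```powershell
# Added example (not vendor code). Run in an elevated PowerShell session
# on the affected Windows endpoint. Nothing is modified.
$keyPath = 'HKLM:\Software\CarbonBlack\Config'   # HKLM > Software > CarbonBlack > Config

# Hypothetical helper: emits one string per problem found, nothing if the value is fine.
function Test-SensorBackendServer {
    param([string]$Value)

    if ([string]::IsNullOrWhiteSpace($Value)) {
        'value is missing or empty'
        return
    }
    if ($Value -notmatch '^https://') {
        'scheme is not https://'
    }
    # Expect scheme://host:port with an explicit port, e.g. https://servername:443
    if ($Value -match '^[a-z]+://(?<h>[^/:\s]+):(?<p>\d{1,5})/?$') {
        $hostPart = $Matches['h']
        $port     = [int]$Matches['p']
        if ($port -lt 1 -or $port -gt 65535) {
            "port $port is out of range"
        }
        # CheckHostName returns Unknown for anything that is neither a DNS name nor an IP
        if ([System.Uri]::CheckHostName($hostPart) -eq [System.UriHostNameType]::Unknown) {
            "host '$hostPart' is not a valid DNS name or IP address"
        }
    } else {
        'value is not in the form https://host:port'
    }
}

$config   = Get-ItemProperty -Path $keyPath -ErrorAction Stop
$problems = @(Test-SensorBackendServer $config.SensorBackendServer)

if ($problems.Count -eq 0) {
    "SensorBackendServer OK: $($config.SensorBackendServer)"
} else {
    $problems | ForEach-Object { "SensorBackendServer: $_" }
}

# The certificate value itself is deliberately not printed.
if ($null -eq $config.SensorClientCert) {
    'SensorClientCert: not present in the registry (newer sensors use a certificate store).'
} else {
    'SensorClientCert: set; compare with the Sensor Group row in the sensor_client_certs dump.'
}
```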

 

Additional Information

  • Examples of a valid SensorBackendServer value: https://1.2.3.4:443 or https://servername:443
  • Newer versions of the sensor no longer store the cert in the registry and have a certificate store