EDR: How to Troubleshoot a Feed Where an Event is Not Being Tagged

Article ID: 289115


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to manually trigger the Feed_Sync job on the EDR Console server before its scheduled time.

Environment

  • EDR Console: 6.2.2 and Higher

Resolution

  1. Connect to the Primary EDR Server node via SSH.
  2. In the terminal, run the commands to manually execute the feed_sync job:
    1. Troubleshooting a specific feed output:
       /usr/bin/python -m cb.maintenance.job_runner --master -vvv feed_search --tag --feed FeedName &> /tmp/feedsearch.out && /usr/share/cb/cbpost /tmp/feedsearch.out
    2. Troubleshooting an IOC feed:
       /usr/bin/python -m cb.maintenance.job_runner --master -vvv feed_search --tag --iocs md5 &> /tmp/feedsearchmd5.out && /usr/share/cb/cbpost /tmp/feedsearchmd5.out
    3. Manually executing a full feed_sync job:
       /usr/bin/python -m cb.maintenance.job_runner --master -vvv feed_sync --full-sync &> /tmp/feedsync.out && /usr/share/cb/cbpost /tmp/feedsync.out

Additional Information

  • Use this for troubleshooting when an event is not being tagged or is tagged improperly.
  • The '-vvv' option makes the logs Verbose, the highest level of debug output.
  • The '/usr/share/cb/cbpost' part of each command uploads the results to the Alliance server for Cb Support to review.