CB Response: Sensor communication intermittently failing to check in with HTTP 403s

Article ID: 289551

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • /var/log/cb/nginx/access.log shows sensor requests receiving 200 and 403 responses
    • ::ffff:<sensor IP> - - [03/Oct/2018:03:38:04 -0400(0.001)] "GET /data/eventlog/reserve/16720 HTTP/1.1" 403 358 "-" "" ">127.0.0.1:9000" "-" "<external IP>" 
      ::ffff:<sensor IP> - - [03/Oct/2018:08:19:49 -0400(19.009)] "POST /data/eventlog/submit2/16720 HTTP/1.1" 200 25 "-" "" ">[::1]:9000" "-" "<external IP>" 
      ::ffff:<sensor IP> - - [03/Oct/2018:08:19:49 -0400(0.001)] "GET /data/eventlog/reserve/16720 HTTP/1.1" 200 0 "-" "" ">127.0.0.1:9000" "-" "<external IP>"

  • /var/log/cb/datastore/debug.log shows invalid cert messages
    • 2018-09-11 11:47:01,737 - [WARN] - from com.carbonblack.cbfs.storage_model_4.SensorRegistrar in qtp2059904228-158
      Sensor(id=16720) request is MISSING client-side SSL certificate

  • Sensors pass through a proxy

Environment

  • CB Response Server: 6.1 and above
  • CB Response Sensor: All Versions

Cause

  • This can happen when the sensor passes through a networking device that alters certificates.

Resolution

  • Verify that none of the appliances the sensor must pass through change the sensor certificates
  • If using a load balancer for requests, verify each server has the same configuration
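
A way to correlate the two log symptoms listed under Issue/Introduction, as an added example (not Carbon Black code): it reports sensor IDs that received both 200 and 403 responses in the nginx access log, with the number of missing-certificate warnings for the same sensor in the datastore debug log. The sample lines, the IP addresses and sensor IDs 16721 and 16722 are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Sensor event-log request and its HTTP status, in the access.log format quoted above.
ACCESS_RE = re.compile(
    r'"(?:GET|POST) /data/eventlog/\w+/(?P<sid>\d+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# Datastore warning quoted above.
CERT_RE = re.compile(r"Sensor\(id=(?P<sid>\d+)\) request is MISSING client-side SSL certificate")

# Constructed sample input (documentation-range IPs), not real server logs.
SAMPLE_ACCESS = [
    '::ffff:192.0.2.10 - - [03/Oct/2018:03:38:04 -0400(0.001)] "GET /data/eventlog/reserve/16720 HTTP/1.1" 403 358 "-" "" ">127.0.0.1:9000" "-" "198.51.100.7"',
    '::ffff:192.0.2.10 - - [03/Oct/2018:08:19:49 -0400(19.009)] "POST /data/eventlog/submit2/16720 HTTP/1.1" 200 25 "-" "" ">[::1]:9000" "-" "198.51.100.7"',
    '::ffff:192.0.2.10 - - [03/Oct/2018:08:19:49 -0400(0.001)] "GET /data/eventlog/reserve/16720 HTTP/1.1" 200 0 "-" "" ">127.0.0.1:9000" "-" "198.51.100.7"',
    '::ffff:192.0.2.11 - - [03/Oct/2018:08:20:02 -0400(0.001)] "GET /data/eventlog/reserve/16721 HTTP/1.1" 200 0 "-" "" ">127.0.0.1:9000" "-" "198.51.100.7"',
    '::ffff:192.0.2.12 - - [03/Oct/2018:08:21:10 -0400(0.001)] "GET /data/eventlog/reserve/16722 HTTP/1.1" 403 358 "-" "" ">127.0.0.1:9000" "-" "198.51.100.7"',
]
SAMPLE_DEBUG = [
    "2018-10-03 03:38:04,120 - [WARN] - from com.carbonblack.cbfs.storage_model_4.SensorRegistrar in qtp2059904228-158",
    "Sensor(id=16720) request is MISSING client-side SSL certificate",
    "Sensor(id=16722) request is MISSING client-side SSL certificate",
]

def status_counts(access_lines):
    """Return {sensor_id: Counter({status: n})} for sensor event-log requests."""
    counts = defaultdict(Counter)
    for line in access_lines:
        m = ACCESS_RE.search(line)
        if m:
            counts[int(m["sid"])][int(m["status"])] += 1
    return counts

def intermittent_sensors(access_lines, debug_lines):
    """Sensors that got both 200 and 403, with their missing-certificate warning count."""
    warned = Counter(
        int(m["sid"]) for line in debug_lines if (m := CERT_RE.search(line))
    )
    report = {}
    for sid, c in status_counts(access_lines).items():
        if c[200] and c[403]:  # mixed results: the intermittent pattern, not a hard failure
            report[sid] = {"ok": c[200], "forbidden": c[403], "cert_warnings": warned[sid]}
    return report

if __name__ == "__main__":
    for sid, row in sorted(intermittent_sensors(SAMPLE_ACCESS, SAMPLE_DEBUG).items()):
        print(sid, row)
```

To run it against a server, pass the lines of /var/log/cb/nginx/access.log and /var/log/cb/datastore/debug.log in place of the sample lists.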