Cb Response: 6.1.7 Linux Sensor Eventlog Filling System
Article ID: 289634
Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • The sensor continuously writes to /var/lib/cb/eventlogs even after it has exceeded the quota and log size limit, which by default is 1GB or 1% of the filesystem.

Environment

  • Cb Response Linux sensor: 6.1.7

Cause

  • This is a known sensor-side issue that occurs when the server is under heavy load (CB-21615).

Resolution

  • This issue is fixed in sensor version 6.1.9.
  • As a workaround to prevent event log growth:
    • Set Sensor Data Suppression Levels to High for the sensor group.
    • Make sure the sensor is able to connect to the server to submit data.
  • If event logs still grow to an unmanageable size, monitor and remove large event logs:
    1. Stop cbdaemon
      • service cbdaemon stop
    2. Remove the event log file from /var/lib/cb/eventlogs
    3. Start cbdaemon
      • service cbdaemon start
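A shell script for the monitoring step above, added here as an example and not part of this article or the product: it checks the eventlog directory against the article's quota (1GB or 1% of the filesystem, assumed here to mean whichever is smaller), lists files above a size threshold, and runs the stop / remove / start steps only when explicitly told to, since removed logs mean lost event data. The 100 MB threshold and the REMOVE variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the KB article or the product. Assumptions: the 1 GB / 1%
# quota means whichever is smaller, "large" means > LARGE_KB, and REMOVE=yes is a
# variable invented here to gate the destructive step.
EVENTLOG_DIR="${EVENTLOG_DIR:-/var/lib/cb/eventlogs}"   # path named in the article
LIMIT_KB="${LIMIT_KB:-1048576}"                         # 1 GB, the article's default
LARGE_KB="${LARGE_KB:-102400}"                          # 100 MB (assumed threshold)

# Total size of a directory in KiB; empty output if the directory is missing.
eventlog_usage_kb() {
    du -sk "$1" 2>/dev/null | awk '{print $1}'
}

# Quota in KiB: 1% of the filesystem holding $1, capped at LIMIT_KB.
effective_limit_kb() {
    fs_kb=$(df -kP "$1" 2>/dev/null | awk 'NR==2{print $2}')
    one_pct=$(( ${fs_kb:-0} / 100 ))
    if [ "$one_pct" -gt 0 ] && [ "$one_pct" -lt "$LIMIT_KB" ]; then echo "$one_pct"; else echo "$LIMIT_KB"; fi
}

# Succeeds (exit 0) when directory $1 uses more than $2 KiB.
over_quota() {
    usage=$(eventlog_usage_kb "$1")
    [ "${usage:-0}" -gt "$2" ]
}

# Regular files under $1 larger than $2 KiB (find -size counts 512-byte blocks).
large_eventlogs() {
    find "$1" -type f -size +"$(( $2 * 2 ))" -print
}

# The article's workaround: stop cbdaemon, remove the large log(s), start it again.
# Unsent event data in removed logs is lost, so this is a dry run unless REMOVE=yes.
cleanup_eventlogs() {
    files=$(large_eventlogs "$1" "$2")
    [ -n "$files" ] || { echo "no event logs larger than $2 KiB in $1"; return 0; }
    if [ "${REMOVE:-no}" != "yes" ]; then
        printf 'would remove (set REMOVE=yes to act):\n%s\n' "$files"
        return 0
    fi
    service cbdaemon stop
    echo "$files" | while IFS= read -r f; do rm -f -- "$f"; done
    service cbdaemon start
}
limit=$(effective_limit_kb "$EVENTLOG_DIR")
if over_quota "$EVENTLOG_DIR" "$limit"; then
    echo "$EVENTLOG_DIR exceeds ${limit} KiB"; cleanup_eventlogs "$EVENTLOG_DIR" "$LARGE_KB"
else
    echo "$EVENTLOG_DIR is within ${limit} KiB"
fi
```

Run it from cron or a monitoring agent in dry-run mode first; the cleanup path is the same three manual steps listed above, only gated behind REMOVE=yes.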

Additional Information

  • Data in the event logs has not yet been sent to the Cb Response server. Removing an event log therefore results in the loss of that event data.