Cb Response: 6.1.7 Linux Sensor Eventlog Filling System


Article ID: 289634


Updated On:


Carbon Black EDR (formerly Cb Response)


  • The sensor continuously writes to /var/lib/cb/eventlogs even after it exceeds the quota and log size limit, which by default is 1GB or 1% of the filesystem.


  • Cb Response Linux sensor: 6.1.7


  • This is a known sensor-side issue that occurs when the server is under heavy load (CB-21615).


  • This issue is fixed in sensor version 6.1.9
  • As a workaround to prevent event log growth:
    • Set Sensor Data Suppression Levels to High for the sensor group
    • Make sure the sensor is able to connect to the server to submit data
  • If event logs still grow to an unmanageable size, monitor and remove large event logs:
    1. Stop cbdaemon
      • service cbdaemon stop
    2. Remove the eventlog file from /var/lib/cb/eventlogs 
    3. Start cbdaemon
      • service cbdaemon start
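
A read-only check for the monitoring step above, added here as an example and not taken from the vendor article: it compares the size of /var/lib/cb/eventlogs with the default limit and lists the largest files. The function names are hypothetical, and treating the limit as the smaller of 1GB and 1% of the filesystem is an assumption.

```shell
#!/bin/sh
# Added example: report on sensor event log growth. Read-only, never deletes.
# Assumption (not from the article): the effective limit is the smaller of
# 1 GB and 1% of the filesystem that holds the directory.

EVENTLOG_DIR="${EVENTLOG_DIR:-/var/lib/cb/eventlogs}"   # path from the article

# Disk usage of a directory in KiB.
dir_kib() {
    du -sk "$1" 2>/dev/null | awk '{print $1}'
}

# Default limit in KiB: min(1 GB, 1% of the filesystem size).
limit_kib() {
    fs_kib=$(df -Pk "$1" | awk 'NR==2 {print $2}')
    one_pct=$((fs_kib / 100))
    one_gb=$((1024 * 1024))
    if [ "$one_pct" -lt "$one_gb" ]; then echo "$one_pct"; else echo "$one_gb"; fi
}

# Prints a status line. Returns 0 within limit, 1 over limit, 2 if dir missing.
# $1 = directory, $2 = optional limit in KiB (overrides the computed default).
check_eventlogs() {
    dir=$1; limit=${2:-}
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    [ -n "$limit" ] || limit=$(limit_kib "$dir")
    used=$(dir_kib "$dir")
    if [ "$used" -gt "$limit" ]; then
        echo "OVER used=${used}KiB limit=${limit}KiB"
        return 1
    fi
    echo "OK used=${used}KiB limit=${limit}KiB"
}

# Largest files first (size in KiB, then path); $2 = how many to show.
largest_files() {
    find "$1" -type f -exec du -k {} + 2>/dev/null | sort -rn | head -n "${2:-5}"
}

# Runs only when invoked with --check, so the file is safe to source.
if [ "${1:-}" = "--check" ]; then
    check_eventlogs "$EVENTLOG_DIR" || { rc=$?; largest_files "$EVENTLOG_DIR"; exit "$rc"; }
fi
```

Invoked with `--check` from cron or a monitoring agent, a non-zero exit status signals that the directory is over the limit or missing; removal still follows the stop, remove, start steps above.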

Additional Information

  • Data in event logs has not yet been sent to the Cb Response server. Removing an event log will result in the loss of that event data.