CB Response: CB Event Forwarder Continuously Logging Data to '.restart' File
Article ID: 289672
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
After a restart, the cb-event-forwarder logs data to the '.restart' file instead of 'event_bridge_output.json'.
The '.restart' file continues to grow throughout the day.
The next day the cb-event-forwarder daemon rolls events over to the 'event_bridge_output.json' file; however, the '.restart' file continues to grow.
Environment
CB Response Server: All Versions
Event Forwarder: Version 3.5
Splunk Forwarder
Cause
Two event forwarder processes were running simultaneously and writing to the same output file.
Resolution
The issue is resolved by upgrading cb-event-forwarder to version 3.6.2 or later:
initctl stop cb-event-forwarder
yum upgrade cb-event-forwarder
initctl start cb-event-forwarder
Additional Information
The workaround is to change the Splunk forwarder configuration (not the CB Event Forwarder configuration) to monitor all of the .json files in the output directory, rather than only the plain 'output.json'.
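The workaround above, written as a Splunk Universal Forwarder inputs.conf fragment (an added example, not part of this article; the /var/cb/data output directory, the sourcetype and the index are assumptions, adjust them to your deployment):

```ini
# Splunk Universal Forwarder inputs.conf (added example, not from the KB article).
# Assumption: cb-event-forwarder writes its output under /var/cb/data/;
# change the path, sourcetype and index to match your installation.

# Before: only the live output file is read, so events written to the
# '.restart' file after a forwarder restart never reach Splunk.
#[monitor:///var/cb/data/event_bridge_output.json]
#sourcetype = bit9:carbonblack:json
#index = carbonblack

# After: watch the directory and pick up every JSON output file the
# forwarder creates, including the '.restart' and rolled-over copies.
# The whitelist is a regex matched against the full path, so it also
# matches names that carry a suffix after '.json'.
[monitor:///var/cb/data]
whitelist = event_bridge_output\.json
sourcetype = bit9:carbonblack:json
index = carbonblack
disabled = 0
```

Restart the Splunk forwarder after editing the file so the new monitor stanza takes effect.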