EDR: Disk Full Due to JSON Files
Article ID: 289847
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Disk space taken .json* files accumulating in /var/cb/data/ directory
- Data retention is low
Environment
- EDR Server: 6.X
Cause
Cb-event-forwarder is set to output as JSON files to space limited volume.
Resolution
Currently there is no mechanism to clean up these JSON files on EDR product. Suggest using another volume with enough space, or create a cron job to purge these files.
Additional Information
- Output type is defined in /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf.
- Add the lines below to the bottom of the '/etc/cb/cron/cb.cron.template' file to automatically remove the
'event_bridge_output.json' files. The following will keep one week of 'event_bridge_output.json*' files by running once at midnight and
removing any files modified over 7 days:# Remove old event-forwarder files that were modified over 7 days ago. Runs once a night at midnight
0 0 * * * root find /var/cb/data -iname "event_bridge_output.json*" -mtime +7 -exec rm -f {} \; - A restart of the services will be needed for changes to take affect:
http://community.carbonblack.com:80/t5/Knowledge-Base/Cb-Response-How-to-restart-server-services/ta-p/41294
Feedback
Yes
No
Powered by
