Carbon Black Cloud: Occasionally observe a few hours delay between CBC Console and S3 Bucket
Article ID: 289916
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
- Occasionally observe CBC Console event messages take a few hours before they export to the to the S3 Bucket
- No event data is lost.
- CBC Console event messages remained up to date at all times
Environment
- Carbon Black Cloud: All Supported Versions
Cause
- The event messages are augmented with additional data and moved to a data stream before the notification can be indexed.
- This is a queued process which may result in a backlogs and occassionally a subsequent delay in the processing.
- If this delay happens, and the record may not make it to the notification index in time before the S3 bucket pulles the data. If this happens, it will be picked up in the next pull.
Resolution
- Occasional delays between CBC Console and S3 Bucket are normal and expected.
- However, if the 3S bucket is no longer receiving event log messages or event log messages are missing, this is a separate issue and a Support Case should be opened so that we can investigate this issue further
Additional Information
Before opening a case, please ensure that events are not missing because of S3 bucket event filtering
Feedback
Yes
No
Powered by
