CB Defense: Missing Events from Sensor after forced shutdown
Article ID: 290088
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
- Events show in Console with a noticeable gap for a period of time
- Sensor has not been uninstalled and reinstalled
- Temporary network connectivity issues
- System logs (Event Viewer for Windows, 'last reboot'/'last shutdown' via terminal for Mac) show consecutive startup/reboot events with no shutdown between
- System logs may also show a low-power state prior to startup/reboot
Environment
- CB Defense PSC Console: All Versions
- CB Defense PSC Sensor: All Versions
- Microsoft Windows: All Supported Versions
- Apple macOS: All Supported Versions
Cause
Sensor had issues connecting to/communicating with Cloud, causing Sensor to store events locally until connection could be established. Forced startup/reboot without a graceful shutdown corrupted Event database, causing Sensor to rebuild the database and purge backlogged/cached events.
Resolution
Expected behavior in this situation
Additional Information
- Ensure that restarts/reboots are performed gracefully to avoid this behavior
- Once Sensor has been restarted with the Endpoint and is able to establish communication with the Cloud, this issue will resolve itself
Feedback
Yes
No
Powered by
