CB Response: Events not forwarding after integrations path change
Article ID: 290230
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Events no longer forwarded to SIEM
- No new event files are generated
- Server or event-forwarder was restarted around the time forwarding stopped
Environment
- CB Response Server: All Versions
- CB Event-Forwarder: 3.x
Cause
The event-forwarder configuration is no longer in the path the service expects, so the service cannot find its settings.
Resolution
- Event-forwarder configurations must be moved back to the proper location: /usr/share/cb/integrations/
- Start event-forwarder services:
  - CentOS 6: initctl start cb-event-forwarder
  - CentOS 7: systemctl start cb-event-forwarder
Additional Information
/var/log/cb/integrations/cb-event-forwarder/event-forwarder.startup.log will show what prevented the services from starting
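An added example, not part of the original article or of Carbon Black's own tooling: a pre-start check built from the paths and commands above. The function names and the `ROOT` prefix argument are hypothetical, and treating an empty integrations directory as a failure is an assumption.

```shell
#!/bin/sh
# Added example: pre-start check for cb-event-forwarder using this article's paths.
# ROOT is a hypothetical prefix so the checks can be tried on a scratch directory;
# pass an empty string on a real server.

# Returns 0 if the integrations directory exists and is non-empty,
# 1 if it is missing, 2 if it exists but is empty (assumed to mean
# the configurations were moved elsewhere).
check_integrations_dir() {
    root="${1:-}"
    dir="$root/usr/share/cb/integrations"
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    if [ -z "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo "empty: $dir"
        return 2
    fi
    echo "ok: $dir"
    return 0
}

# Prints the start command for this host: systemctl (CentOS 7) if present,
# otherwise initctl (CentOS 6).
start_command() {
    if command -v systemctl >/dev/null 2>&1; then
        echo "systemctl start cb-event-forwarder"
    else
        echo "initctl start cb-event-forwarder"
    fi
}

# Prints the tail of the startup log, which records why a start failed.
show_startup_log() {
    root="${1:-}"
    log="$root/var/log/cb/integrations/cb-event-forwarder/event-forwarder.startup.log"
    [ -r "$log" ] || { echo "no startup log at $log"; return 1; }
    tail -n 20 "$log"
}

# Checks the path first, starts the service only if it looks right,
# and shows the startup log on any failure.
restart_forwarder() {
    check_integrations_dir "" || { show_startup_log ""; return 1; }
    $(start_command) || { show_startup_log ""; return 1; }
}
```

Run `restart_forwarder` as root on the EDR server. Once it succeeds, confirm that new event files are being generated again.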