EDR: Alerts not being generated for Watchlists.


Article ID: 290305


Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Watchlist hits are reported on the Watchlist page; however, the corresponding alerts do not appear on the Triage Alerts page.
  • The /var/log/cb/datastore directory contains a large number of debug.log#######.tmp files.

Environment

  • EDR Server: 6.2.3

Cause

 Known issue with the datastore debug.log files (debug.log#######.tmp files accumulating in /var/log/cb/datastore); to be addressed in a future release.

Resolution

  1. Open the /etc/cb/cron/cb.cron.template file for editing.
  2. Add a cron job that removes .tmp files from '/var/log/cb/datastore/' older than 7 days. The -name pattern must be quoted so that the shell passes it to find unexpanded:
    0 0 * * * root find /var/log/cb/datastore -name '*.tmp' -mtime +7 -delete
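The following script is an added example and is not part of this article or of Carbon Black EDR. It exercises the cleanup rule from the Resolution above against a constructed scratch directory (standing in for /var/log/cb/datastore) so that the quoted -name '*.tmp' pattern and the -mtime +7 threshold can be checked before the cron entry goes live. It assumes GNU touch, which accepts -d "@<epoch>" for back-dating files.

```shell
#!/bin/sh
# Added example (not from the KB article or the product): dry-run of the
# datastore .tmp cleanup against a constructed directory.
# Assumes GNU touch (-d "@<epoch>"); the mktemp directory stands in for
# /var/log/cb/datastore.
set -eu

# Number of *.tmp files in DIR older than DAYS days (same predicate as the cron job).
count_tmp_older_than() {
    find "$1" -name '*.tmp' -mtime "+$2" | wc -l | tr -d ' '
}

# Delete *.tmp files in DIR older than DAYS days. This is the cron job's find,
# with the glob quoted so the shell cannot expand it against the current directory.
cleanup_tmp() {
    find "$1" -name '*.tmp' -mtime "+$2" -delete
}

# Total regular files left in DIR (proves that non-.tmp logs are untouched).
count_all() {
    find "$1" -type f | wc -l | tr -d ' '
}

# backdate FILE DAYS [HOURS]: create FILE with an mtime DAYS days (+ HOURS hours) in the past.
backdate() {
    secs=$(( $2 * 86400 + ${3:-0} * 3600 ))
    touch -d "@$(( $(date +%s) - secs ))" "$1"
}

# Build a constructed datastore-like directory and print its path.
# File names mimic the debug.log#######.tmp pattern from the article.
make_fixture() {
    dir=$(mktemp -d)
    touch "$dir/debug.log1000001.tmp"            # fresh: keep
    backdate "$dir/debug.log1000002.tmp" 3       # 3 days old: keep
    backdate "$dir/debug.log1000003.tmp" 7 12    # 7.5 days old: keep (-mtime +7 needs 8 whole days)
    backdate "$dir/debug.log1000004.tmp" 8       # 8 days old: delete
    backdate "$dir/debug.log1000005.tmp" 30      # 30 days old: delete
    backdate "$dir/debug.log" 30                 # 30 days old but not .tmp: keep
    echo "$dir"
}

# Run the purge on a fixture and report what it would do on the real directory.
demo() {
    d=$(make_fixture)
    before=$(count_tmp_older_than "$d" 7)
    cleanup_tmp "$d" 7
    after=$(count_all "$d")
    rm -rf "$d"
    echo "purged $before .tmp files, $after files remain"
}
```

Note that find's -mtime +7 compares the file age in whole days, so a file is only matched once it is at least 8 full days old; the 7.5-day fixture file survives the purge. Run demo to see the counts, or call count_tmp_older_than /var/log/cb/datastore 7 on the server to preview how many files the cron job would delete.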

Additional Information

  • Troubleshooting reveals an inordinate number of 'debug.log' files in the datastore directory. To count those older than one day:
    find /var/log/cb/datastore/ -mtime +1 -name 'debug.log*' | wc -l