EDR: Server only retains 3 months of data despite maxeventstoragedays being set higher
search cancel

EDR: Server only retains 3 months of data despite maxeventstoragedays being set higher

book

Article ID: 290328

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Server event data only goes back about 3 months
  • MaxEventStoreDays in /etc/cb/cb.conf is set to retain data for a greater period of time
  • Server has plenty of storage space

Environment

  • EDR Server: 6.x and Higher

Cause

SolrTimePartitioningActivePartitions is set to the default 30

Resolution

  • Loading more than 30 days worth of data into the searching service (Solr) will cause performance issue and is not recommended
  • If long periods of data must be retained, cold storage will allow the data to be available for future use, but would not load into the server by default
  • If data must be actively loaded beyond the defaults¬†
    1. Edit /etc/cb/cb.conf
    2. Modify SolrTimePartitioningActivePartitions to a number that will allow 365 days of data (by default, cores roll over every 3 days, so 122)
    3. Restart services

Additional Information

  • If performance issues such as UI lag, slow search results, or lack of alerts occurs, older cores should be unloaded
  • Other storage settings could cause cores to purge sooner. These values are found in /etc/cb/cb.conf under the¬†Solr Storage Engine Settings section