EDR: Server only retains 3 months of data despite maxeventstoragedays being set higher
Article ID: 290328
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Server event data only goes back about 3 months
- MaxEventStoreDays in /etc/cb/cb.conf is set to retain data for a greater period of time
- Server has plenty of storage space
Environment
- EDR Server: 6.x and Higher
Cause
SolrTimePartitioningActivePartitions is set to the default 30
Resolution
- Loading more than 30 days worth of data into the searching service (Solr) will cause performance issue and is not recommended
- If long periods of data must be retained, cold storage will allow the data to be available for future use, but would not load into the server by default
- If data must be actively loaded beyond the defaults
- Edit /etc/cb/cb.conf
- Modify SolrTimePartitioningActivePartitions to a number that will allow 365 days of data (by default, cores roll over every 3 days, so 122)
- Restart services
Additional Information
- If performance issues such as UI lag, slow search results, or lack of alerts occurs, older cores should be unloaded
- Other storage settings could cause cores to purge sooner. These values are found in /etc/cb/cb.conf under the Solr Storage Engine Settings section
Feedback
Yes
No
Powered by
