EDR: All warm core data purged after adding MaxEventStoreSizeInMB restriction to roll cores over
Article ID: 290344
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- All warm cores purged after applying updates to /etc/cb/cb.conf MaxEventStoreSizeInMB setting
- Cores disappearing after rolling over
Environment
- EDR Server: All Versions (Formerly CB Response)
Cause
- MaxEventStoreSizeInMB is not the correct setting to force a core rollover
- MaxEventStoreSizeInMB is determines total size of folder and purges down to that size
Resolution
- Edit /etc/cb/cb.conf
- Comment out MaxEventStoreSizeInMB
- Add the correct setting for core rollover with the desired core size
-
SolrTimePartitioningMaxSizeMB=<max_core_size>
-
- Restart services
Additional Information
- MaxEventStoreSizeInMB should only be used to set the maximum disk usage of the entire /var/cb/data/solr*/cbevents directory
- SolrTimePartition* settings will apply to individual cores
- MaxEventStore* will apply to the entire /var/cb/data/solr*/cbevents folder
Feedback
Yes
No
Powered by
