EDR: CB-event-forwarder Not Sending Events Sometimes

Article ID: 290437

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Events are intermittently missing from the cb-event-forwarder output; the forwarder log shows RabbitMQ (AMQP) disconnects followed by a long worker shutdown before the forwarder reconnects.

Errors like:

time="2019-02-12T14:47:11-05:00" level=error msg="Connection closed: Exception (501) Reason: \"write tcp XX.XX.XX.XX:port->XX.XX.XX.XX:5004: write: connection reset by peer\""
time="2019-02-12T14:51:29-05:00" level=info msg="Worker exiting"
time="2019-02-12T14:51:30-05:00" level=info msg="Worker exiting"
time="2019-02-12T14:47:11-05:00" level=info msg="Waiting for all workers to exit"
time="2019-02-12T14:55:47-05:00" level=info msg="Worker exiting"
time="2019-02-12T14:55:50-05:00" level=info msg="Worker exiting"
time="2019-02-12T14:55:50-05:00" level=info msg="Worker exiting"
time="2019-02-12T14:55:23-05:00" level=info msg="Worker exiting"
time="2019-02-12T14:52:52-05:00" level=info msg="Worker exiting"
time="2019-02-12T14:56:02-05:00" level=info msg="Worker exiting"
time="2019-02-12T14:56:02-05:00" level=info msg="All workers have exited"
time="2019-02-12T14:56:02-05:00" level=info msg="Rolling file /var/cb/data/event-forwarder/event-forwarder to /var/cb/data/event-forwarder/event-forwarder.2019-02-12T14:46:34.225.gz"
time="2019-02-12T14:56:02-05:00" level=info msg="File handler configured to compress data"
time="2019-02-12T14:56:02-05:00" level=info msg="AMQP loop 0 exited: Exception (501) Reason: \"write tcp XX.XX.XX.XX:port->XX.XX.XX.XX:5004: write: connection reset by peer\". Sleeping for 30 seconds then retrying."
time="2019-02-12T14:56:14-05:00" level=info msg="Successfully uploaded file /var/cb/data/event-forwarder/event-forwarder.2019-02-12T14:46:34.225.gz to AWS S3."

Environment

  • EDR (Formerly CB Response) Server: All supported versions
  • cb-event-forwarder: All supported versions

Cause

RabbitMQ on the EDR server is overloaded and drops the forwarder's AMQP connection; events published while the forwarder is disconnected and draining its workers are not forwarded.

Resolution

RabbitMQ can become overloaded for several reasons. Four common possibilities, in the order to check them:

1) Too many event-forwarder subscriptions
Subscribe to fewer event types in /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf. Start by trimming the subscriptions that carry the most volume and that no downstream consumer actually uses.

2) Too many event-forwarders connecting to one RabbitMQ
Each forwarder is a separate AMQP consumer on the same server. Reduce the number of forwarders attached to a single EDR server.

3) The EDR server itself is busy
Check server load (CPU, memory, disk I/O) during the periods in which the disconnects are logged; a server under general load will also starve RabbitMQ.

4) The cb-event-forwarder post-processing option is enabled
Post-processing adds work per event. It can be disabled in /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf.

Restart the cb-event-forwarder service after changing the configuration file.
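The following is an added illustration of option 1 (fewer subscriptions) for /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf; it is not a copy of the shipped file. The key names and the "ALL", routing-key-list and "0" value forms are the ones I recall from the [bridge] section of the forwarder's conf and are assumptions to confirm against the comments in your own installed file. The article does not name the post-processing key, so it is not shown here.

```ini
# Added example fragment, not the shipped cb-event-forwarder.conf.
# Assumed key names; verify against your installed file before use.
[bridge]

# Before: every event class subscribed, including the raw sensor stream.
# events_raw_sensor=ALL
# events_watchlist=ALL
# events_feed=ALL
# events_alert=ALL
# events_binary_observed=ALL
# events_binary_upload=ALL
# events_storage_partition=ALL

# After: keep only what downstream consumers use. The raw sensor
# subscription is narrowed to a comma-separated list of routing keys
# instead of ALL, and unused classes are turned off with 0.
events_raw_sensor=ingress.event.procstart,ingress.event.netconn
events_watchlist=ALL
events_feed=ALL
events_alert=ALL
events_binary_observed=0
events_binary_upload=0
events_storage_partition=0
```

Make one change at a time, restart the forwarder, and compare the frequency of "Connection closed" errors in its log before and after; if the disconnects stop once the raw sensor subscription is narrowed, the volume of that subscription was the load that RabbitMQ could not sustain.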

Additional Information

The errors above show RabbitMQ disconnecting the forwarder ("connection reset by peer"). The forwarder then waits for all of its workers to exit, and only once they have exited does it roll its output file and let the AMQP loop start its retry timer; after the (default) 30-second sleep it reconnects, publishes again, and succeeds. The outage is therefore much longer than 30 seconds: the retry timer does not start until the worker drain completes, and in this log the first error is logged at 14:47:11 while "All workers have exited" is not logged until 14:56:02, roughly nine minutes later, because of the number of workers in use and how long each took to exit. The log is telling us that RabbitMQ hung up on the forwarder, which is the symptom of RabbitMQ being overloaded.
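To make the timing argument above measurable, here is an added triage script (not part of cb-event-forwarder) that parses forwarder log lines in the logrus text format shown in the article, pairs each "Connection closed" error with the worker drain and the AMQP retry that follow it, and reports how long the forwarder was actually unable to publish. The sample lines are constructed from the article's log; the IP addresses and port are placeholders, and the 60-second "slow drain" threshold is an arbitrary choice for the example.

```python
"""Triage cb-event-forwarder logs for RabbitMQ disconnect / worker-drain windows.

Added example for this article, not part of cb-event-forwarder. Input is the
forwarder's log format: time="..." level=... msg="...".
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^time="(?P<ts>[^"]+)" level=(?P<level>\w+) msg="(?P<msg>.*)"$')
SLEEP_RE = re.compile(r"Sleeping for (\d+) seconds then retrying")

# Constructed sample based on the article's log; addresses are placeholders.
SAMPLE_LOG = [
    r'time="2019-02-12T14:47:11-05:00" level=error msg="Connection closed: Exception (501) Reason: \"write tcp 10.0.0.5:43210->10.0.0.9:5004: write: connection reset by peer\""',
    r'time="2019-02-12T14:51:29-05:00" level=info msg="Worker exiting"',
    r'time="2019-02-12T14:51:30-05:00" level=info msg="Worker exiting"',
    r'time="2019-02-12T14:47:11-05:00" level=info msg="Waiting for all workers to exit"',
    r'time="2019-02-12T14:55:47-05:00" level=info msg="Worker exiting"',
    r'time="2019-02-12T14:55:50-05:00" level=info msg="Worker exiting"',
    r'time="2019-02-12T14:55:50-05:00" level=info msg="Worker exiting"',
    r'time="2019-02-12T14:55:23-05:00" level=info msg="Worker exiting"',
    r'time="2019-02-12T14:52:52-05:00" level=info msg="Worker exiting"',
    r'time="2019-02-12T14:56:02-05:00" level=info msg="Worker exiting"',
    r'time="2019-02-12T14:56:02-05:00" level=info msg="All workers have exited"',
    r'time="2019-02-12T14:56:02-05:00" level=info msg="Rolling file /var/cb/data/event-forwarder/event-forwarder to /var/cb/data/event-forwarder/event-forwarder.2019-02-12T14:46:34.225.gz"',
    r'time="2019-02-12T14:56:02-05:00" level=info msg="AMQP loop 0 exited: Exception (501) Reason: \"write tcp 10.0.0.5:43210->10.0.0.9:5004: write: connection reset by peer\". Sleeping for 30 seconds then retrying."',
    r'time="2019-02-12T14:56:14-05:00" level=info msg="Successfully uploaded file /var/cb/data/event-forwarder/event-forwarder.2019-02-12T14:46:34.225.gz to AWS S3."',
]


def parse_log(lines):
    """Return (timestamp, level, msg) tuples; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append((datetime.fromisoformat(m["ts"]), m["level"], m["msg"]))
    return entries


def find_disconnect_windows(entries):
    """Pair each 'Connection closed' error with the worker drain and retry after it.

    Worker lines are only counted, not ordered, because the forwarder's goroutines
    log them with timestamps that are not monotonic (as in the article's log).
    """
    windows = []
    current = None
    for ts, _level, msg in entries:
        if msg.startswith("Connection closed:"):
            current = {"closed_at": ts, "workers_exited": 0, "all_exited_at": None,
                       "retry_sleep_s": None, "retry_at": None}
            windows.append(current)
        elif current is None:
            continue
        elif msg == "Worker exiting":
            current["workers_exited"] += 1
        elif msg == "All workers have exited":
            current["all_exited_at"] = ts
        elif msg.startswith("AMQP loop"):
            m = SLEEP_RE.search(msg)
            if m:
                sleep_s = int(m.group(1))
                current["retry_sleep_s"] = sleep_s
                current["retry_at"] = ts + timedelta(seconds=sleep_s)
    for w in windows:
        drained = w["all_exited_at"] is not None
        w["drain_s"] = int((w["all_exited_at"] - w["closed_at"]).total_seconds()) if drained else None
        # The retry timer only starts after the drain, so the real publishing gap
        # is drain + sleep, not the configured sleep alone.
        if drained and w["retry_sleep_s"] is not None:
            w["publish_gap_s"] = w["drain_s"] + w["retry_sleep_s"]
        else:
            w["publish_gap_s"] = None
    return windows


def triage(lines, slow_drain_s=60):
    """Summarise each disconnect and flag drains longer than slow_drain_s (arbitrary threshold)."""
    report = []
    for w in find_disconnect_windows(parse_log(lines)):
        report.append({**w, "slow_drain": w["drain_s"] is not None and w["drain_s"] > slow_drain_s})
    return report


if __name__ == "__main__":
    for w in triage(SAMPLE_LOG):
        print(f"closed {w['closed_at'].time()} workers={w['workers_exited']} "
              f"drain={w['drain_s']}s retry_sleep={w['retry_sleep_s']}s "
              f"publish_gap={w['publish_gap_s']}s slow_drain={w['slow_drain']}")
```

Run it against a real /var/log/cb/integrations/cb-event-forwarder log to see how many disconnect windows occur per day and how long each drain takes; a publish gap of several minutes per disconnect, as in the sample, is consistent with the "5-8 minutes" of missing events the article describes and is the number to watch while applying the fixes in the Resolution section.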